Logs have useful content replaced with asterisks (e.g. `*******`)

My logs have instances of heap replaced with `****` and random-enough strings like our ECR repo replaced with `****`. For example:

```
Error: ENOENT: no such file or directory, open '/home/circleci/****/front/public/js/****.js
image:           ********************************************/****-services-circleci:debian-ci-node-v1028
test/self_serve/****_plan_manager.coffee
```

How do I disable this?


This is caused by the rollout of Secrets Masking.

We only mask out things which are stored as project environment variables or within a context. Are you storing things there which you don’t consider secrets? We are considering some ways to allow self-service opt-out, so we’d like to understand more about the scenarios that are leading to this problem.

You can contact support to have this disabled on one of your projects, or if you’d like to provide us more information about your use of variables in a more private channel.
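An added illustration of the behaviour described above, not CircleCI's code and not written by anyone in this thread: it assumes masking is a plain substring replacement of each stored value with the same number of asterisks, which is what the sample lines in the first post suggest. All variable names and values are constructed; the report shows which stored variable is responsible for each masked span.

```python
# Constructed project variables (assumptions): names and values are made up.
PROJECT_VARS = {
    "PROJECT_NAME": "heap",                                         # not a secret
    "AWS_ECR_URL": "123456789012.dkr.ecr.us-east-1.amazonaws.com",  # not a secret
    "API_TOKEN": "c0nstructed-t0ken-value",                         # a real secret
}

# Constructed log lines modelled on the masked output quoted in the first post.
LOG_LINES = [
    "Error: ENOENT: no such file or directory, open '/home/circleci/heap/front/public/js/heap.js'",
    "image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/heap-services-circleci:debian-ci-node-v1028",
    "test/self_serve/heap_plan_manager.coffee",
    "curl -H 'Authorization: Bearer c0nstructed-t0ken-value' ...",
]


def mask_line(line, variables):
    """Mask every stored value in one line; return (masked_line, hits per variable)."""
    hits = {}
    # Longest values first, so a short value cannot split a longer one.
    ordered = sorted(variables.items(), key=lambda kv: len(kv[1]), reverse=True)
    for name, value in ordered:
        if not value:
            continue  # an empty value would match everywhere
        count = line.count(value)
        if count:
            hits[name] = count
            line = line.replace(value, "*" * len(value))
    return line, hits


def masking_report(lines, variables):
    """Return the masked lines and the total number of masked spans per variable."""
    masked, totals = [], {}
    for line in lines:
        masked_line, hits = mask_line(line, variables)
        masked.append(masked_line)
        for name, count in hits.items():
            totals[name] = totals.get(name, 0) + count
    return masked, totals


if __name__ == "__main__":
    masked, totals = masking_report(LOG_LINES, PROJECT_VARS)
    print("\n".join(masked))
    for name, count in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {count} masked span(s)")
```

A short, common value such as a project name accounts for most of the masked spans, which is why paths and file names in the log become unreadable while the actual token is masked only once.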

Thanks. It’s definitely the secret masking.

> Are you storing things there which you don’t consider secrets?

Yes. The use case is to add global environment variables that are referenced in multiple places (executors, jobs, bash scripts). A specific example is our AWS ECR URL. It’s not a secret and it would be painful to add it everywhere we need it.

Here’s how we use the ECR URL.

```yaml
executors:
  our_docker_executor:
    docker:
      - image: $AWS_ECR_URL/some_image:latest

jobs:
  cypress_tests:
    steps:
      - run:
          name: Pulling Cypress container in the background
          background: true
          command: docker pull $AWS_ECR_URL/cypress:latest
```

Interesting feature, but I was also surprised today when I saw my output masked. It would be nice to have a banner or have this feature communicated to the users on that screen. And just like the user above, I use env vars to store configuration values that are actually very useful to have visible in the logs.


Same for us. We use a global environment variable for the name of one of our projects. We definitely do not consider this sensitive information.
This new feature results in broken links to external links (e.g. Firebase).
