k6/secrets
Documentationbreadcrumb arrow Grafana k6breadcrumb arrow JavaScript APIbreadcrumb arrow k6/secrets
Open source RSS

k6/secrets

The k6/secrets module gives access to secrets provided by configured secret sources.

PropertyDescription
get([String])asynchrounsly get a secret from the default secret source
source([String])returns a source for the provided name that can than be used to get a secret from a concrete source

get

get returns the value of the secret for the provided name from the default secret source. If there is no default secret source, there is no secret with that name or some other error is returned an exception will thrown.

source

source returns a secret source for the name provided. The name is defined when running k6.

The returned object has one method get with the same functionality as the global get

Example

A simple example where we get a secret by its name from the default source (if defined).

JavaScript 
import secrets from 'k6/secrets';

export default async () => {
  const my_secret = await secrets.get('my_secret'); // get from 1 secret source if only 1, exception if more than 1 secret source or if no secret sources
  console.log(my_secret);
};

We can also get a secret source by its name then get a secret specifically from it.

JavaScript 
import secrets from 'k6/secrets';

export default async () => {
  const my_secret = await secrets.source('identifier').get('my_secret'); // get secret from a source with the provided identifier
  console.log(my_secret);
};

In both of those cases the end logs will have ***SECRET_REDACTED*** in place of any secret that has been outputed.

A full example with multiple secret sources and names

JavaScript 
import secrets from 'k6/secrets';

export default async () => {
  const my_secret = await secrets.get('cool'); // get secret from a source with the provided identifier
  console.log(my_secret == 'cool secret');
  const anothersource = await secrets.source('another');
  console.log((await anothersource.get('cool')) == 'cool secret');
  console.log((await anothersource.get('cool')) == 'not cool secret');
};

And if we ran we will see that when we get from the default secret source we get one secret and we get a different one from the not default one. This also shows that the internal parts of the scripts can use the actual value of the script even if it is redacted in the logs.

bash 
$ k6 run --secret-source=mock=default,cool="cool secret" --secret-source=mock=name=another,cool="not cool secret" multi-source.test.js
...
INFO[0000] true                                          source=console
INFO[0000] false                                         source=console
INFO[0000] true                                          source=console