In order to provide a simple, repeatable way for a select few users to update/set secrets in our cloud environments for our services to consume, we recently implemented a dynamic step-driven pipeline in Buildkite using block steps for user input. This provided us with a way to restrict who could make this change and track when these changes were propagated.
So far, it’s working perfectly, but I did notice that the Block Step’s Text input doesn’t have an option to provide a password-masked text field for the prompt. Now I know that this doesn’t really provide any additional security, as there is nothing stopping poorly written scripts from outputting the value to the console; it’s more to protect us from any shared secrets being exposed either by over-the-shoulder onlookers or during demonstrations.
Happy to contribute a change if that’s preferable, just need to be pointed in the right direction to do so (i.e., GitHub repos, etc.).