Secure env variables

I’ve got a few environment variables that I’m setting on the pipeline:

env:
  AWS_ACCESS_KEY_ID: "xyzxyzxyzxyzxyzxyzxyzxyz"
  AWS_SECRET_ACCESS_KEY: "xyzxyzxyzxyzxyzxyzxyzxyzxyzxyz"

steps:
  - command:
      - "echo Hello World"

Does Buildkite have any way to secure those environment variables, or an integration with something like AWS Secrets Manager?

I would write a repository-level environment or pre-command hook, fetch the secrets from AWS Secrets Manager or SSM Parameter Store, and export them as env vars.
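A sketch of the kind of hook described in the answer above, added here as an example and not part of the original reply. It assumes the agent host has the AWS CLI and an IAM role allowed to read the secrets; the secret IDs and the function names `fetch_secret` and `load_secrets` are hypothetical.

```bash
#!/usr/bin/env bash
# .buildkite/hooks/pre-command (added example, not Buildkite's own code).
# The agent sources hooks, so variables exported here reach the command step.
# Assumptions: AWS CLI installed on the agent, IAM role with
# secretsmanager:GetSecretValue on the (hypothetical) secret IDs below.

# Print one secret's plaintext value on stdout; non-zero status on failure.
fetch_secret() {
  aws secretsmanager get-secret-value \
    --secret-id "$1" --query SecretString --output text
}

# load_secrets VAR=secret-id ...
# Exports each VAR from its secret and stops at the first failure, so a job
# never runs with a partially populated or empty credential set.
load_secrets() {
  local pair var id value
  for pair in "$@"; do
    var=${pair%%=*}   # text before the first "="
    id=${pair#*=}     # text after the first "="
    if ! value=$(fetch_secret "$id") || [ -z "$value" ]; then
      echo "failed to read secret for $var" >&2   # log the name, never the value
      return 1
    fi
    export "$var=$value"
  done
}

# Only fetch when running inside a Buildkite job.
if [ -n "${BUILDKITE_JOB_ID:-}" ]; then
  load_secrets \
    AWS_ACCESS_KEY_ID=buildkite/example/aws-access-key-id \
    AWS_SECRET_ACCESS_KEY=buildkite/example/aws-secret-access-key \
    || exit 1
fi
```

With a hook like this in place, the two keys no longer need to appear in the pipeline's `env` block.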