Secret source

Secret sources provide a secure way for k6 to retrieve and use secrets. Unlike values from environment variables or files, values from secret sources are automatically redacted from k6 logs before propagation through the system.

Access secrets through the k6/secrets JavaScript API. All secrets are redacted from logs.

Configure secret sources

Configure secret sources using the --secret-source CLI flag. You can configure multiple secret sources simultaneously.

Built-in secret sources

The following built-in secret sources are available for local testing:

file: Reads secrets from a key=value file.
mock: Reads secrets from CLI arguments.
url: Fetches secrets from HTTP endpoints.

Secret source extensions

You can implement a secret source as an extension for k6.

Example script

import http from 'k6/http';
import secrets from 'k6/secrets';

export default async () => {
  const my_secret = await secrets.get('cool'); // Retrieves secret by identifier
  console.log(my_secret);
  const response = await http.asyncRequest('GET', 'https://httpbin.org/get', null, {
    headers: {
      'Custom-Authentication': `Bearer ${await secrets.get('else')}`,
    },
  });
  console.log(response.body);
};

Run the script with the following secrets file:

cool=some
else=source

The following output shows how secrets are redacted in logs, shown as ***SECRET_REDACTED***, while remaining accessible to the script.

$ k6 run --secret-source=file=file.secret secrets.test.js
...
INFO[0000] ***SECRET_REDACTED***                         source=console
INFO[0001] {
  "args": {},
  "headers": {
    "Custom-Authentication": "Bearer ***SECRET_REDACTED***",
    "Host": "httpbin.org",
    "User-Agent": "k6/0.57.0 (https://k6.io/)",
    "X-Amzn-Trace-Id": "Root=1-67dd638b-4243896a2fa1b1b45bc63eaa"
  },
  "origin": "<my actual IP>",
  "url": "https://httpbin.org/get"
}  ***SECRET_REDACTED***=console