Masking Parameters

Masking parameters help protect sensitive data by preventing it from being exposed in workflow executions.

You can mask data in a workflow definition using the following parameters:

• _secrets
• _masked
• maskedFields

Masking sensitive data

When a value is masked, it is replaced with ***, ensuring that confidential information is hidden in workflow executions.

Using _secrets parameter

For example:

{
  "_secrets": {
    "my-secret-key": "my-secret-value"
  }
}

This is displayed in the workflow execution as:

{
  "_secrets": "***"
}

Using _masked parameter

For example:

{
  "_masked": { "some": "data" }
}

This is displayed in the workflow execution as:

{
  "_masked": "***"
}

Using maskedFields parameter

Available since

• v5.1.18 and later
• v4.1.68 and later

The maskedFields parameter specifies which fields should be masked during execution. Each element in the array contains the name of a field to be masked.

For example:

// workflow definition
 "maskedFields": [
   "input1",
   "input2"
 ]

In the workflow execution, the fields are displayed as:

{
  "input1": "***",
  "input2": "***"
}

Passing sensitive data between tasks

To pass sensitive data from one task's output to a subsequent task, nest the sensitive fields inside either the _secrets or _masked object in the receiving task’s input parameters as follows:

Using _secrets parameter

{
  "_secrets": {
    "parameter": "${previousTaskRef.output.someOutputParameter}"
  }
}

Using _masked parameter

{
  "masked": {
    "parameter": "${previousTaskRef.output.someOutputParameter}"
  }
}

See the complete example in Passing sensitive data between tasks.

Workflow behavior with masked parameters

Behavior on restarting workflows with masked values: When a workflow with masked values reaches a terminal state and is removed from the primary execution:

• Values with the _masked parameter are retained during archiving. If the workflow is restarted, the original data will remain accessible.
• Values with the _secrets parameter are permanently replaced with *** during archiving. As a result, restarting the workflow might cause failures if any tasks rely on the masked data.

Examples

Using _secrets parameter

Consider a workflow with a task having an input masked using _secrets:

     "inputParameters": {
       "_secrets": "${workflow.input.somedata}"
     }

Here’s the complete workflow definition:

{
 "name": "workflow-with-secrets-param",
 "description": "Sample workflow containing _secrets params",
 "version": 1,
 "tasks": [
   {
     "name": "simple",
     "taskReferenceName": "simple_ref",
     "inputParameters": {
       "_secrets": "${workflow.input.somedata}"
     },
     "type": "SIMPLE"
   }
 ],
 "inputParameters": [
   "somedata"
 ],
 "schemaVersion": 2,
 "ownerEmail": "john.doe@acme.com"
}

When this workflow runs, the parameters are masked in the execution results within the task input, since we have defined to mask the task input using the _secrets parameter.

In the above execution, the workflow input is not masked.

To mask that as well, use the maskedFields parameter in the workflow definition. Here’s the updated workflow definition:

{
  "name": "workflow-with-secrets-param",
  "description": "Workflow masks workflow input using maskedFields and task input using _secrets",
  "version": 2,
  "tasks": [
    {
      "name": "simple",
      "taskReferenceName": "simple_ref",
      "inputParameters": {
        "_secrets": "${workflow.input.somedata}"
      },
      "type": "SIMPLE"
    }
  ],
  "inputParameters": [
    "somedata"
  ],
  "schemaVersion": 2,
  "ownerEmail": "john.doe@acme.com",
  "maskedFields": [
    "somedata"
  ]
}

When the workflow is executed again:

• The workflow input (somedata) will be masked because it is listed in maskedFields.
• The task input will also be masked because it is passed under _secrets.

This ensures that the sensitive data is masked at both the workflow and task inputs.

Using _masked parameter

Consider a workflow with a task having an input parameter masked using _masked:

     "inputParameters": {
       "_masked": "${workflow.input.somedata}"
     }

Here’s the complete workflow definition:

{
 "name": "workflow-with-masked-param",
 "description": "Sample workflow containing _masked params",
 "version": 1,
 "tasks": [
   {
     "name": "simple",
     "taskReferenceName": "simple_ref",
     "inputParameters": {
       "_masked": "${workflow.input.somedata}"
     },
     "type": "SIMPLE"
   }
 ],
 "inputParameters": [
   "somedata"
 ],
 "schemaVersion": 2,
 "ownerEmail": "john.doe@acme.com"
}

When this workflow runs, the parameters will be masked in the execution results within the task input, since we have defined to mask the task input using the _masked parameter.

In the above execution, the workflow input is not masked.

To mask that as well, use the maskedFields parameter in the workflow definition. Here’s the updated workflow definition:

{
 "name": "workflow-with-masked-param",
 "description": "Sample workflow containing _masked params",
 "version": 2,
 "tasks": [
   {
     "name": "simple",
     "taskReferenceName": "simple_ref",
     "inputParameters": {
       "_masked": "${workflow.input.somedata}"
     },
     "type": "SIMPLE"
   }
 ],
 "inputParameters": [
   "somedata"
 ],
 "schemaVersion": 2,
"ownerEmail": "john.doe@acme.com",
 "maskedFields": [
   "somedata"
 ]
}

When the workflow is executed again:

• The workflow input (somedata) will be masked because it is listed in maskedFields.
• The task input will also be masked because it is passed under masked.

This ensures that the sensitive data is masked at both the workflow and task inputs.

Using maskedFields parameter

Consider a workflow definition with input parameters input1 and input2, and output parameter output1.

{
 "name": "newMaskingParam",
 "description": "Workflow for testing new masking params",
 "version": 1,
 "tasks": [
   {
     "name": "http",
     "taskReferenceName": "http_ref",
     "inputParameters": {
       "uri": "https://orkes-api-tester.orkesconductor.com/api",
       "method": "GET",
       "accept": "application/json",
       "contentType": "application/json",
       "encode": true
     },
     "type": "HTTP"
   }
 ],
 "inputParameters": [
   "input1",
   "input2"
 ],
 "outputParameters": {
   "output1": "${http_ref.output}"
 },
 "schemaVersion": 2,
 "ownerEmail": "john.doe@acme.com",
 "maskedFields": [
   "input1",
   "input2"
 ]
}

In this example, both input fields are masked using:

"maskedFields": [
   "input1",
   "input2"
 ]

After running the execution, the values for input1 and input2 appear as *** in the workflow input, confirming that the masking is applied successfully.

Next, update the workflow definition to mask the input1 and output1 parameters:

//workflow definition
"maskedFields": [
   "input1",
   "output1"
 ]

When you run the execution, input1 and output1 are masked.

Passing sensitive data between tasks

Consider a workflow where a sensitive value from one task’s output needs to be passed to another task. To ensure the data remains masked, nest the parameter under _secrets in the receiving task’s input parameters.

{
  "name": "workflow-pass-sensitive-data",
  "description": "Workflow passing sensitive parameters between tasks",
  "version": 1,
  "tasks": [
    {
      "name": "simple-demo",
      "taskReferenceName": "simple_demo_ref",
      "type": "SIMPLE"
    },
    {
      "name": "simple",
      "taskReferenceName": "simple_ref",
      "inputParameters": {
        "_secrets": {
          "parameter": "${simple_demo_ref.output.result}"
        }
      },
      "type": "SIMPLE"
    }
  ],
  "schemaVersion": 2,
  "ownerEmail": "john.doe@acme.com"
}

note

You can also use the _masked parameter to mask the data in this scenario.

When this workflow runs, the sensitive data from simple_demo_ref.output.result, which is passed as the input parameter to the second task, is masked in the execution results because it is nested under _secrets.