Overview
If sensitive data (such as an API token or secret) is accidentally exposed in a job's step output, CircleCI Server provides two methods to remove that output from your installation. This article covers both approaches and their respective outcomes.
Note: Rotate any exposed credentials immediately — before taking the steps below. Removing build logs does not invalidate credentials that have already been leaked.
Method 1: Delete the Entire Build via the Admin REPL (Recommended)
The simplest and most complete approach is to use the following admin REPL command:
(circle.http.api.admin-commands/delete-build "<build-url>")
Replace <build-url> with the full URL of the build you want to remove — for example:
Expected Outcome
This command removes the build entirely from CircleCI, including its step output and its entry in the UI.
Method 2: Delete Job Logs via S3
If you need to preserve the build record for audit purposes but want to remove only the step output, you can delete the logs directly from S3. All job output logs are stored in your installation's S3 bucket at the following path:
<bucket>/v1/task/<job_id>
Finding the Job ID
If you don't already know the job_id, you can find it in the output of the job's "Preparing environment variables" step. Look for the environment variable:
CIRCLECI_WORKFLOW_JOB_ID
The value of this variable is the job_id you need.
Deleting the Logs
Once you have the job_id, delete the corresponding object(s) from your S3 bucket at the path above using your preferred S3 administration tool (e.g. the AWS CLI, AWS Console, or equivalent for your storage provider).
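One way to script this deletion with the AWS CLI, as an added example that is not part of the original article or CircleCI's own tooling. It assumes a configured AWS CLI and that the job_id is a UUID; the function names task_prefix and purge_job_logs are hypothetical. It lists before deleting, and it flags bucket versioning, because on a versioned bucket a delete leaves earlier object versions in place.

```shell
#!/bin/sh
# Added example, not CircleCI tooling. Assumes a configured AWS CLI and
# UUID-format job ids; function names are hypothetical.

# Print the key prefix for one job. Anything that is not a full UUID is
# rejected so an empty or partial id can never widen the delete.
task_prefix() {
  case "$1" in
    *[!0-9a-fA-F-]*) echo "invalid job_id: $1" >&2; return 1 ;;
  esac
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
    { echo "invalid job_id: $1" >&2; return 1; }
  printf 'v1/task/%s' "$1"
}

# purge_job_logs <bucket> <job_id> [--apply]
# Lists the matching objects; deletes them only when --apply is given.
purge_job_logs() {
  local bucket="$1" mode="${3:-}" prefix status
  [ -n "$bucket" ] || { echo "bucket name required" >&2; return 1; }
  prefix=$(task_prefix "$2") || return 1
  echo "Objects under s3://$bucket/$prefix:"
  aws s3 ls "s3://$bucket/$prefix" --recursive ||
    { echo "nothing found, or listing failed" >&2; return 1; }
  if [ "$mode" != "--apply" ]; then
    echo "Dry run only; re-run with --apply to delete."
    return 0
  fi
  aws s3 rm "s3://$bucket/$prefix" --recursive || return 1
  # On a versioned bucket the delete only adds delete markers: earlier
  # versions still hold the leaked output until removed by version id.
  status=$(aws s3api get-bucket-versioning --bucket "$bucket" \
    --query Status --output text) || return 1
  case "$status" in
    Enabled|Suspended)
      echo "WARNING: versioning is $status; versions still stored:" >&2
      aws s3api list-object-versions --bucket "$bucket" --prefix "$prefix" \
        --query 'Versions[].[Key,VersionId]' --output text >&2 ;;
  esac
}

# Runs only when arguments are given, e.g.:
#   sh purge_job_logs.sh <bucket> <job_id> --apply
[ "$#" -eq 0 ] || purge_job_logs "$@"
```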
Expected Outcome
After the S3 objects are deleted, the affected job's step output will be replaced with:
Error: Task information unavailable
The job itself remains visible in the CircleCI UI — only its step output is removed.