diff --git a/iterative/resource_runner.go b/iterative/resource_runner.go index 08f9156c..07550110 100644 --- a/iterative/resource_runner.go +++ b/iterative/resource_runner.go @@ -330,19 +330,23 @@ sudo tee /usr/bin/cml.sh << 'EOF' export AWS_SECRET_ACCESS_KEY={{escape .AWS_SECRET_ACCESS_KEY}} export AWS_ACCESS_KEY_ID={{escape .AWS_ACCESS_KEY_ID}} export AWS_SESSION_TOKEN={{escape .AWS_SESSION_TOKEN}} +export _CML_RUNNER_SENSITIVE_ENV=AWS_SECRET_ACCESS_KEY:AWS_ACCESS_KEY_ID:AWS_SESSION_TOKEN {{- end}} {{- if eq .cloud "azure"}} export AZURE_CLIENT_ID={{escape .AZURE_CLIENT_ID}} export AZURE_CLIENT_SECRET={{escape .AZURE_CLIENT_SECRET}} export AZURE_SUBSCRIPTION_ID={{escape .AZURE_SUBSCRIPTION_ID}} export AZURE_TENANT_ID={{escape .AZURE_TENANT_ID}} +export _CML_RUNNER_SENSITIVE_ENV=AZURE_CLIENT_ID:AZURE_CLIENT_SECRET:AZURE_SUBSCRIPTION_ID:AZURE_TENANT_ID {{- end}} {{- if eq .cloud "gcp"}} export GOOGLE_APPLICATION_CREDENTIALS_DATA={{escape .GOOGLE_APPLICATION_CREDENTIALS_DATA}} export CML_GCP_ACCESS_TOKEN={{escape .CML_GCP_ACCESS_TOKEN}} +export _CML_RUNNER_SENSITIVE_ENV=GOOGLE_APPLICATION_CREDENTIALS_DATA:CML_GCP_ACCESS_TOKEN {{- end}} {{- if eq .cloud "kubernetes"}} export KUBERNETES_CONFIGURATION={{escape .KUBERNETES_CONFIGURATION}} +export _CML_RUNNER_SENSITIVE_ENV=KUBERNETES_CONFIGURATION {{- end}} {{- end}} diff --git a/iterative/testdata/script_template_cloud_aws.golden b/iterative/testdata/script_template_cloud_aws.golden index 7cf75df2..25619929 100644 --- a/iterative/testdata/script_template_cloud_aws.golden +++ b/iterative/testdata/script_template_cloud_aws.golden @@ -54,6 +54,7 @@ sudo tee /usr/bin/cml.sh << 'EOF' export AWS_SECRET_ACCESS_KEY='0 value with "quotes" and spaces' export AWS_ACCESS_KEY_ID='1 value with "quotes" and spaces' export AWS_SESSION_TOKEN='2 value with "quotes" and spaces' +export _CML_RUNNER_SENSITIVE_ENV=AWS_SECRET_ACCESS_KEY:AWS_ACCESS_KEY_ID:AWS_SESSION_TOKEN while lsof /var/lib/dpkg/lock; do sleep 1; done 
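Review bot: Each `_CML_RUNNER_SENSITIVE_ENV` list in the four cloud branches of the resource_runner.go hunk is a hand-written copy of the export names directly above it, so a credential added to a branch later without updating the list would be exported but not named as sensitive. Nothing in this diff shows what reads the variable; presumably the runner uses it to withhold or mask these values, in which case a missing name would fail open. The golden files pin only the rendered string and would not catch such an omission. I would add a template comment in each branch, e.g. `{{- /* every variable exported in this branch must also be listed in _CML_RUNNER_SENSITIVE_ENV */}}`, or render both the exports and the list from one slice of names. The template string starts and ends outside the hunk.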
diff --git a/iterative/testdata/script_template_cloud_azure.golden b/iterative/testdata/script_template_cloud_azure.golden index 5bdf161e..af2b1361 100644 --- a/iterative/testdata/script_template_cloud_azure.golden +++ b/iterative/testdata/script_template_cloud_azure.golden @@ -55,6 +55,7 @@ export AZURE_CLIENT_ID='3 value with "quotes" and spaces' export AZURE_CLIENT_SECRET='4 value with "quotes" and spaces' export AZURE_SUBSCRIPTION_ID='5 value with "quotes" and spaces' export AZURE_TENANT_ID='6 value with "quotes" and spaces' +export _CML_RUNNER_SENSITIVE_ENV=AZURE_CLIENT_ID:AZURE_CLIENT_SECRET:AZURE_SUBSCRIPTION_ID:AZURE_TENANT_ID while lsof /var/lib/dpkg/lock; do sleep 1; done diff --git a/iterative/testdata/script_template_cloud_gcp.golden b/iterative/testdata/script_template_cloud_gcp.golden index 617de679..8303a5df 100644 --- a/iterative/testdata/script_template_cloud_gcp.golden +++ b/iterative/testdata/script_template_cloud_gcp.golden @@ -53,6 +53,7 @@ sudo tee /usr/bin/cml.sh << 'EOF' #!/bin/sh export GOOGLE_APPLICATION_CREDENTIALS_DATA='' export CML_GCP_ACCESS_TOKEN='' +export _CML_RUNNER_SENSITIVE_ENV=GOOGLE_APPLICATION_CREDENTIALS_DATA:CML_GCP_ACCESS_TOKEN while lsof /var/lib/dpkg/lock; do sleep 1; done diff --git a/iterative/testdata/script_template_cloud_kubernetes.golden b/iterative/testdata/script_template_cloud_kubernetes.golden index 1d357dc3..1ee3c2f5 100644 --- a/iterative/testdata/script_template_cloud_kubernetes.golden +++ b/iterative/testdata/script_template_cloud_kubernetes.golden @@ -4,6 +4,7 @@ sudo systemctl is-enabled cml.service && return 0 sudo curl --location https://github.com/iterative/terraform-provider-iterative/releases/latest/download/leo_linux_amd64 --output /usr/bin/leo sudo chmod a+x /usr/bin/leo export KUBERNETES_CONFIGURATION='8 value with "quotes" and spaces' +export _CML_RUNNER_SENSITIVE_ENV=KUBERNETES_CONFIGURATION while lsof /var/lib/dpkg/lock; do sleep 1; done