Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS secrets may be exposed when running repository/config/aws tests in the CI workflows #8168

Open
mpryc opened this issue Aug 30, 2024 · 1 comment · May be fixed by #8169
Open

AWS secrets may be exposed when running repository/config/aws tests in the CI workflows #8168

mpryc opened this issue Aug 30, 2024 · 1 comment · May be fixed by #8169
Assignees
Labels

Comments

@mpryc
Copy link

mpryc commented Aug 30, 2024

What steps did you take and what happened:
Ran the github.com/vmware-tanzu/velero/pkg/repository/config tests with either:

  • ~/.aws/credentials file
  • export AWS_ACCESS_KEY_ID=exposed_creds

The error message contained exposed credentials and additional AWS data that should not be in the error message.

What did you expect to happen:
The AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY from the running environment should never be exposed in the test logs nor errors.

mpryc added a commit to mpryc/velero that referenced this issue Aug 30, 2024
…ng tests

Changed the tests to use mocked function that will not read actual
secrets from env variables nor AWS config file that may be
on the system that is running tests.

As a second guard against exposed secrets comparison for the values
does not shows the actual values for the AWS data. This is to prevent
situation where programming error may still allow the test to read
AWS config/env variables instead of using mocked function.

Signed-off-by: Michal Pryc <[email protected]>
@reasonerjt reasonerjt self-assigned this Sep 2, 2024
mpryc added a commit to mpryc/velero that referenced this issue Sep 4, 2024
…ng tests

Changed the tests to use mocked function that will not read actual
secrets from env variables nor AWS config file that may be
on the system that is running tests.

As a second guard against exposed secrets comparison for the values
does not shows the actual values for the AWS data. This is to prevent
situation where programming error may still allow the test to read
AWS config/env variables instead of using mocked function.

Signed-off-by: Michal Pryc <[email protected]>
Copy link

github-actions bot commented Nov 2, 2024

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. If a Velero team member has requested log or more information, please provide the output of the shared commands.

@github-actions github-actions bot added the staled label Nov 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
2 participants