Credentials are being written to log output #2572

@nis-thac

When running digger with aws_role_to_assume, the temporary credentials, valid for 1 hour, are written in clear text to the log output, in lines all looking like the following:

time=2026-02-13T09:07:00.163Z level=INFO msg="Running OpenTofu command" command.binary=tofu command.args="[<tofu-command> -backend-config=access_key=<access-key> -backend-config=secret_key=<secret-key> -backend-config=token=<session-token> -input=false -no-color]" command.workingDir=/home/runner/work/<repo>/<repo>

Please mask the secret_key and the token; leaving the access_key open may help with debugging.
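One way to do the masking requested above, as an added example that is not digger's own code: the names `RedactArgs` and `redactKV`, the `****` mask and the sample arguments are assumptions. It also covers a value passed as a separate argument after `-backend-config`, which goes beyond the log line shown in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Keys whose values are masked. access_key stays readable, as the issue suggests.
var sensitiveKeys = map[string]bool{"secret_key": true, "token": true}

// redactKV masks the value of a "key=value" pair when the key is sensitive.
// Only the first "=" splits, so secrets containing "=" are fully masked.
func redactKV(kv string) string {
	key, _, found := strings.Cut(kv, "=")
	if found && sensitiveKeys[key] {
		return key + "=****"
	}
	return kv
}

// RedactArgs returns a copy of args that is safe to log; args is not modified,
// so the real values still reach the child process.
func RedactArgs(args []string) []string {
	out := make([]string, len(args))
	valueFollows := false // previous arg was a bare "-backend-config"
	for i, arg := range args {
		out[i] = arg
		name := strings.TrimLeft(arg, "-")
		switch {
		case valueFollows:
			out[i] = redactKV(arg)
			valueFollows = false
		case name == arg: // no leading dash: not a flag
		case name == "backend-config":
			valueFollows = true
		case strings.HasPrefix(name, "backend-config="):
			kv := strings.TrimPrefix(name, "backend-config=")
			out[i] = arg[:len(arg)-len(kv)] + redactKV(kv)
		}
	}
	return out
}

func main() {
	// Constructed sample arguments with placeholder values, not real credentials.
	args := []string{"init", "-backend-config=access_key=AKIAEXAMPLE",
		"-backend-config=secret_key=abc=def", "-backend-config=token=tok123", "-input=false"}
	fmt.Printf("command.args=%q\n", RedactArgs(args))
}
```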
