
Commit bd048fb

ppitonakadrianriobo
authored andcommitted
Mask AWS and Azure credentials in debug mode
Previously, when debug mode was active, AWS and Azure credentials were printed in clear text, which is insecure because Tekton logs may be archived for a long time. Now only the first and last character of sensitive credentials are displayed. Signed-off-by: Pavol Pitonak <[email protected]>
1 parent d2428a8 commit bd048fb

20 files changed

+528
-176
lines changed

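--- a/tkn/infra-aws-fedora.yaml
+++ b/tkn/infra-aws-fedora.yaml
@@ -140,10 +140,10 @@ spec:
 # Control params
 - name: debug
 description: |
-Warning setting this param to true expose credentials
+Warning setting this param to true exposes partially masked credentials
 
-The parameter is intended to add verbosity on the task execution and also print credentials on stdout
-to easily access to remote machice
+The parameter is intended to add verbosity on the task execution and also print masked credentials
+(showing first and last character with *** in the middle) on stdout to help with debugging
 default: "false"
 
 results:
@@ -179,17 +179,33 @@ spec:
 #!/bin/sh
 
 set -euo pipefail
-# If debug add verbosity
-if [[ "$(params.debug)" == "true" ]]; then
-set -xeuo pipefail
-fi
 
-# Credentials
+# Function to mask credentials (show first and last char, hide middle)
+mask_credential() {
+local cred="$1"
+local len=${#cred}
+if [ $len -le 2 ]; then
+echo "***"
+else
+echo "${cred:0:1}***${cred: -1}"
+fi
+}
+
+# Credentials - set these BEFORE enabling debug mode
 export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
 export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
 export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
 BUCKET=$(cat /opt/aws-credentials/bucket)
 
+# If debug add verbosity and print masked credentials
+if [[ "$(params.debug)" == "true" ]]; then
+echo "AWS_ACCESS_KEY_ID=$(mask_credential "$AWS_ACCESS_KEY_ID")"
+echo "AWS_SECRET_ACCESS_KEY=$(mask_credential "$AWS_SECRET_ACCESS_KEY")"
+echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION"
+echo "BUCKET=$BUCKET"
+set -xeuo pipefail
+fi
+
 if [[ "$(params.operation)" == "create" ]]; then
 if [[ "$(params.ownerName)" == "" || "$(params.ownerUid)" == "" ]]; then
 echo "Parameter ownerName and ownerUid is required for create instance"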
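--- a/tkn/infra-aws-kind.yaml
+++ b/tkn/infra-aws-kind.yaml
@@ -116,10 +116,10 @@ spec:
 # Control params
 - name: debug
 description: |
-Warning setting this param to true expose credentials
-
-The parameter is intended to add verbosity on the task execution and also print credentials on stdout
-to easily access to remote machice
+Warning setting this param to true exposes partially masked credentials
+
+The parameter is intended to add verbosity on the task execution and also print masked credentials
+(showing first and last character with *** in the middle) on stdout to help with debugging
 default: 'false'
 - name: timeout
 description: The Timeout value is a duration conforming to Go ParseDuration format. This will set a serverless destroy operation based on this.
@@ -152,17 +152,33 @@ spec:
 #!/bin/sh
 
 set -euo pipefail
-# If debug add verbosity
-if [[ $(params.debug) == "true" ]]; then
-set -xeuo pipefail
-fi
 
-# Credentials
+# Function to mask credentials (show first and last char, hide middle)
+mask_credential() {
+local cred="$1"
+local len=${#cred}
+if [ $len -le 2 ]; then
+echo "***"
+else
+echo "${cred:0:1}***${cred: -1}"
+fi
+}
+
+# Credentials - set these BEFORE enabling debug mode
 export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
 export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
 export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
 BUCKET=$(cat /opt/aws-credentials/bucket)
 
+# If debug add verbosity and print masked credentials
+if [[ $(params.debug) == "true" ]]; then
+echo "AWS_ACCESS_KEY_ID=$(mask_credential "$AWS_ACCESS_KEY_ID")"
+echo "AWS_SECRET_ACCESS_KEY=$(mask_credential "$AWS_SECRET_ACCESS_KEY")"
+echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION"
+echo "BUCKET=$BUCKET"
+set -xeuo pipefail
+fi
+
 if [[ $(params.operation) == "create" ]]; then
 if [[ $(params.ownerName) == "" || $(params.ownerUid) == "" ]]; then
 echo "Parameter ownerName and ownerUid is required for create instance"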
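--- a/tkn/infra-aws-mac.yaml
+++ b/tkn/infra-aws-mac.yaml
@@ -116,10 +116,10 @@ spec:
 # Control params
 - name: debug
 description: |
-Warning setting this param to true expose credentials
-
-The parameter is intended to add verbosity on the task execution and also print credentials on stdout
-to easily access to remote machice
+Warning setting this param to true exposes partially masked credentials
+
+The parameter is intended to add verbosity on the task execution and also print masked credentials
+(showing first and last character with *** in the middle) on stdout to help with debugging
 default: 'false'
 
 results:
@@ -156,17 +156,33 @@ spec:
 #!/bin/sh
 
 set -euo pipefail
-# If debug add verbosity
-if [[ $(params.debug) == "true" ]]; then
-set -xeuo pipefail
-fi
 
-# Credentials
+# Function to mask credentials (show first and last char, hide middle)
+mask_credential() {
+local cred="$1"
+local len=${#cred}
+if [ $len -le 2 ]; then
+echo "***"
+else
+echo "${cred:0:1}***${cred: -1}"
+fi
+}
+
+# Credentials - set these BEFORE enabling debug mode
 export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
 export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
 export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
 BUCKET=$(cat /opt/aws-credentials/bucket)
 
+# If debug add verbosity and print masked credentials
+if [[ $(params.debug) == "true" ]]; then
+echo "AWS_ACCESS_KEY_ID=$(mask_credential "$AWS_ACCESS_KEY_ID")"
+echo "AWS_SECRET_ACCESS_KEY=$(mask_credential "$AWS_SECRET_ACCESS_KEY")"
+echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION"
+echo "BUCKET=$BUCKET"
+set -xeuo pipefail
+fi
+
 if [[ $(params.operation) == "create" ]]; then
 if [[ $(params.ownerName) == "" || $(params.ownerUid) == "" ]]; then
 echo "Parameter ownerName and ownerUid is required for create instance"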
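--- a/tkn/infra-aws-ocp-snc.yaml
+++ b/tkn/infra-aws-ocp-snc.yaml
@@ -131,10 +131,10 @@ spec:
 # Control params
 - name: debug
 description: |
-Warning setting this param to true expose credentials
-
-The parameter is intended to add verbosity on the task execution and also print credentials on stdout
-to easily access to remote machice
+Warning setting this param to true exposes partially masked credentials
+
+The parameter is intended to add verbosity on the task execution and also print masked credentials
+(showing first and last character with *** in the middle) on stdout to help with debugging
 default: 'false'
 - name: timeout
 description: The Timeout value is a duration conforming to Go ParseDuration format. This will set a serverless destroy operation based on this.
@@ -169,17 +169,33 @@ spec:
 #!/bin/sh
 
 set -euo pipefail
-# If debug add verbosity
-if [[ $(params.debug) == "true" ]]; then
-set -xeuo pipefail
-fi
 
-# Credentials
+# Function to mask credentials (show first and last char, hide middle)
+mask_credential() {
+local cred="$1"
+local len=${#cred}
+if [ $len -le 2 ]; then
+echo "***"
+else
+echo "${cred:0:1}***${cred: -1}"
+fi
+}
+
+# Credentials - set these BEFORE enabling debug mode
 export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
 export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
 export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
 BUCKET=$(cat /opt/aws-credentials/bucket)
 
+# If debug add verbosity and print masked credentials
+if [[ $(params.debug) == "true" ]]; then
+echo "AWS_ACCESS_KEY_ID=$(mask_credential "$AWS_ACCESS_KEY_ID")"
+echo "AWS_SECRET_ACCESS_KEY=$(mask_credential "$AWS_SECRET_ACCESS_KEY")"
+echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION"
+echo "BUCKET=$BUCKET"
+set -xeuo pipefail
+fi
+
 if [[ $(params.operation) == "create" ]]; then
 if [[ $(params.ownerName) == "" || $(params.ownerUid) == "" ]]; then
 echo "Parameter ownerName and ownerUid is required for create instance"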
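--- a/tkn/infra-aws-rhel.yaml
+++ b/tkn/infra-aws-rhel.yaml
@@ -161,10 +161,10 @@ spec:
 # Control params
 - name: debug
 description: |
-Warning setting this param to true expose credentials
+Warning setting this param to true exposes partially masked credentials
 
-The parameter is intended to add verbosity on the task execution and also print credentials on stdout
-to easily access to remote machice
+The parameter is intended to add verbosity on the task execution and also print masked credentials
+(showing first and last character with *** in the middle) on stdout to help with debugging
 default: "false"
 
 results:
@@ -203,17 +203,33 @@ spec:
 #!/bin/sh
 
 set -euo pipefail
-# If debug add verbosity
-if [[ "$(params.debug)" == "true" ]]; then
-set -xeuo pipefail
-fi
 
-# Credentials
+# Function to mask credentials (show first and last char, hide middle)
+mask_credential() {
+local cred="$1"
+local len=${#cred}
+if [ $len -le 2 ]; then
+echo "***"
+else
+echo "${cred:0:1}***${cred: -1}"
+fi
+}
+
+# Credentials - set these BEFORE enabling debug mode
 export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
 export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
 export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
 BUCKET=$(cat /opt/aws-credentials/bucket)
 
+# If debug add verbosity and print masked credentials
+if [[ "$(params.debug)" == "true" ]]; then
+echo "AWS_ACCESS_KEY_ID=$(mask_credential "$AWS_ACCESS_KEY_ID")"
+echo "AWS_SECRET_ACCESS_KEY=$(mask_credential "$AWS_SECRET_ACCESS_KEY")"
+echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION"
+echo "BUCKET=$BUCKET"
+set -xeuo pipefail
+fi
+
 if [[ $(params.operation) == "create" ]]; then
 if [[ $(params.ownerName) == "" || $(params.ownerUid) == "" ]]; then
 echo "Parameter ownerName and ownerUid is required for create instance"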
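--- a/tkn/infra-aws-windows-server.yaml
+++ b/tkn/infra-aws-windows-server.yaml
@@ -118,10 +118,10 @@ spec:
 # Control params
 - name: debug
 description: |
-Warning setting this param to true expose credentials
-
-The parameter is intended to add verbosity on the task execution and also print credentials on stdout
-to easily access to remote machice
+Warning setting this param to true exposes partially masked credentials
+
+The parameter is intended to add verbosity on the task execution and also print masked credentials
+(showing first and last character with *** in the middle) on stdout to help with debugging
 default: 'false'
 
 results:
@@ -159,17 +159,33 @@ spec:
 #!/bin/sh
 
 set -euo pipefail
-# If debug add verbosity
-if [[ $(params.debug) == "true" ]]; then
-set -xeuo pipefail
-fi
 
-# Credentials
+# Function to mask credentials (show first and last char, hide middle)
+mask_credential() {
+local cred="$1"
+local len=${#cred}
+if [ $len -le 2 ]; then
+echo "***"
+else
+echo "${cred:0:1}***${cred: -1}"
+fi
+}
+
+# Credentials - set these BEFORE enabling debug mode
 export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
 export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
 export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
 BUCKET=$(cat /opt/aws-credentials/bucket)
 
+# If debug add verbosity and print masked credentials
+if [[ $(params.debug) == "true" ]]; then
+echo "AWS_ACCESS_KEY_ID=$(mask_credential "$AWS_ACCESS_KEY_ID")"
+echo "AWS_SECRET_ACCESS_KEY=$(mask_credential "$AWS_SECRET_ACCESS_KEY")"
+echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION"
+echo "BUCKET=$BUCKET"
+set -xeuo pipefail
+fi
+
 if [[ $(params.operation) == "create" ]]; then
 if [[ $(params.ownerName) == "" || $(params.ownerUid) == "" ]]; then
 echo "Parameter ownerName and ownerUid is required for create instance"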
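--- a/tkn/infra-azure-aks.yaml
+++ b/tkn/infra-azure-aks.yaml
@@ -110,10 +110,10 @@ spec:
 # Control params
 - name: debug
 description: |
-Warning setting this param to true expose credentials
-
-The parameter is intended to add verbosity on the task execution and also print credentials on stdout
-to easily access to remote machice
+Warning setting this param to true exposes partially masked credentials
+
+The parameter is intended to add verbosity on the task execution and also print masked credentials
+(showing first and last character with *** in the middle) on stdout to help with debugging
 default: 'false'
 
 results:
@@ -142,12 +142,20 @@ spec:
 script: |
 #!/bin/sh
 
-# If debug add verbosity
-if [[ $(params.debug) == "true" ]]; then
-set -xuo
-fi
-
-# Credentials
+set -euo pipefail
+
+# Function to mask credentials (show first and last char, hide middle)
+mask_credential() {
+local cred="$1"
+local len=${#cred}
+if [ $len -le 2 ]; then
+echo "***"
+else
+echo "${cred:0:1}***${cred: -1}"
+fi
+}
+
+# Credentials - set these BEFORE enabling debug mode
 export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id)
 export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id)
 export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id)
@@ -156,6 +164,18 @@ spec:
 export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key)
 BLOB=$(cat /opt/az-credentials/blob)
 
+# If debug add verbosity and print masked credentials
+if [[ $(params.debug) == "true" ]]; then
+echo "ARM_TENANT_ID=$(mask_credential "$ARM_TENANT_ID")"
+echo "ARM_SUBSCRIPTION_ID=$(mask_credential "$ARM_SUBSCRIPTION_ID")"
+echo "ARM_CLIENT_ID=$(mask_credential "$ARM_CLIENT_ID")"
+echo "ARM_CLIENT_SECRET=$(mask_credential "$ARM_CLIENT_SECRET")"
+echo "AZURE_STORAGE_ACCOUNT=$(mask_credential "$AZURE_STORAGE_ACCOUNT")"
+echo "AZURE_STORAGE_KEY=$(mask_credential "$AZURE_STORAGE_KEY")"
+echo "BLOB=$BLOB"
+set -xeuo pipefail
+fi
+
 if [[ $(params.operation) == "create" ]]; then
 if [[ $(params.ownerName) == "" || $(params.ownerUid) == "" ]]; then
 echo "Parameter ownerName and ownerUid is required for create instance"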
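Review bot: This task changes more than the masking: the old script never enabled `set -e` (only `set -xuo` under debug), and the new one runs `set -euo pipefail` unconditionally at the top of the script, so any failing command — including a `cat` of a missing credential file — now aborts the step where it previously carried on. That is probably the intended strictness and brings the task in line with the AWS ones, but it is not mentioned in the commit message and may change the outcome of existing runs, so it deserves a sentence there or a comment on the new line: `# Fail fast on any error (previously only tracing was enabled in debug mode)`. The old `set -xuo` also appears to have had no option name after `-o`, so it would have listed the shell's options rather than enabling `pipefail`; the new line fixes that as well. The part of the step after the `create` check is outside the hunk.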
