Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

redact s3 credential values when printing config to logs #5961

Merged
merged 1 commit into from
Apr 21, 2022
Merged

redact s3 credential values when printing config to logs #5961

merged 1 commit into from
Apr 21, 2022

Conversation

afayngelerindbx
Copy link
Contributor

@afayngelerindbx afayngelerindbx commented Apr 19, 2022
edited
Loading

What this PR does / why we need it:
This PR makes sure that we don't commit S3 credential values to logs when using -print-config-stderr and -log-config-reverse-order flags.

Checklist

  • Tests updated
  • Add an entry in the CHANGELOG.md about the changes.

@afayngelerindbx afayngelerindbx requested a review from a team as a code owner April 19, 2022 17:16
@afayngelerindbx afayngelerindbx force-pushed the redact-s3-cred branch 2 times, most recently from d413498 to 50b97af Compare April 19, 2022 17:56
kavirajk
kavirajk reviewed Apr 20, 2022
View reviewed changes
pkg/storage/chunk/client/aws/s3_storage_client.go
@@ -69,8 +85,8 @@ type S3Config struct {
BucketNames string
Endpoint string `yaml:"endpoint"`
Region string `yaml:"region"`
AccessKeyID string `yaml:"access_key_id"`
SecretAccessKey string `yaml:"secret_access_key"`
AccessKeyID secret `yaml:"access_key_id"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm failing to understand how this will redact when printing these configs in logs. Can you clarify?

  1. Can you tell me where exactly it's getting logged?
  2. Even with this change, if we log the config (either logfmt or json), it's still going to be visible correct?
  3. Only advantage of adding this secret type I see is when we print the config after marshalling into YAML, it won't be visible. Is that your real use case? can you help me understand how it's useful?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for taking a look!

When I set the -print-config-stderr or -log-config-reverse-order, loki marshals the config to YAML and dumps it to stderr. This diff forces S3 credentials to be redacted from this output. I will update the PR description as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For reference, loki prints config using this function here

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @afayngelerindbx for the clarification :)

kavirajk
kavirajk approved these changes Apr 21, 2022
View reviewed changes
Copy link
Contributor

@kavirajk kavirajk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@kavirajk kavirajk merged commit c0f51b9 into grafana:main Apr 21, 2022
This was referenced Jun 28, 2022
Closed
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kavirajk kavirajk kavirajk approved these changes

Assignees
No one assigned
Labels
size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@afayngelerindbx @kavirajk