configure-aws-credentials

Don't hide account ID in Actions logs by default

Open danielcompton opened this issue 3 years ago • 3 comments

According to https://www.lastweekinaws.com/blog/are-aws-account-ids-sensitive-information/ which was confirmed with AWS:

“Account IDs are not considered sensitive. Based on your feedback, we’ve started updating our documentation to make this more clear.”

danielcompton • Jun 20 '22 03:06

Thanks for the feature request @danielcompton, the request makes a lot of sense.

This is something we won't want to implement until we release a new major version however. I'm concerned that customers using v1 who are still concerned with their account id security may be caught off-guard by this sudden change if we were to implement this in our current major version. We already document and support the option to unmask the value, so the benefit this brings isn't quite worth the risk of altering the functionality in a non-major version release imo. I'll be closing the PR you've been so helpful to contribute, thanks for letting us know about this desired functionality 🙂

peterwoodworth • Oct 04 '22 20:10

> We already document and support the option to unmask the value

@peterwoodworth where is that option?

RyPeck • Oct 05 '22 20:10

@RyPeck I was wrong about us documenting it, we have an issue open tracking adding this to our docs

You can use mask-aws-account-id and set it to false. I'll see about getting an example up on our readme next week probably

peterwoodworth • Oct 07 '22 20:10

Is there an ETA for the next major version (presumably v2)? Debating whether to chase around updating the mask-flag, vs picking up the v2 update...timing will drive the configuration vs convention play.

mike-dodge-eq • Nov 01 '22 19:11

There's not really an ETA yet @mike-dodge-eq. I would expect it to arrive within a couple months, but no promises

peterwoodworth • Nov 01 '22 22:11

I'm seeing some odd behavior related to this.

```
Run aws-actions/[email protected]
  with:
    role-to-assume: arn:aws:iam::505480154940:role/ci_agent_role
    role-duration-seconds: 1200
    role-skip-session-tagging: true
    aws-access-key-id: ***
    aws-secret-access-key: ***
    aws-region: ***
    mask-aws-account-id: false
    audience: sts.amazonaws.com
  env:
    REGISTRY: 505480154940.dkr.ecr.***.amazonaws.com
(node:1632) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
1s
0s
0s
0s
Evaluate and set job outputs
Warning: Skip output 'registry' since it may contain secret.
Set output 'docker_username'
Set output 'docker_password'
Cleaning up orphan processes
```

Even though I've used the mask-aws-account-id parameter, it's still being masked.

jmeekhof • Jun 29 '23 22:06

v3 does not mask the account id by default 🙂

peterwoodworth • Aug 24 '23 21:08

**Note** Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] • Aug 24 '23 21:08