auth0-deploy-cli
Do not output a secret to log-streams
Describe the problem you'd like to have solved
I found that a secret is exported in the log-streams setting. For example, if we set up a log stream for Datadog, then datadogApiKey is exported:

```json
{
  "name": "Datadog",
  "type": "datadog",
  "status": "active",
  "sink": {
    "datadogApiKey": "...",
    "datadogRegion": "us"
  }
}
```
I don't want to dump a secret into a file because it increases the risk of leakage.
Describe the ideal solution
So far, a secret has not been dumped by auth0-deploy-cli, and we use the management console to set this. For example:
- configuration for Rules
- secrets for Actions
I think log-stream setting should be the same as these.
Alternatives and current work-arounds
A clear and concise description of any alternatives you've considered or any work-arounds that are currently in place.
Additional context
Add any other context or screenshots about the feature request here.
This is a reasonable request. Normally, it would be a one-liner to add the API key to the list of keys to obfuscate but it's going to require some work on the API-side due to some peculiar validations on that endpoint. I've reached out to that team for support but until that gets resolved, implementing a fix is blocked. I'll be sure to provide updates as I get them.
Just found this as well. This has been open since July of '22, is there a team working on this at all? For a security related issue, in a security adjacent company, this seems like a misstep.
Update: Again, I admit that this is a real security issue and could cause trouble for unsuspecting users. I've escalated this to our security team, who are interested in getting this addressed. I've also recategorized this as a bug (despite this being an API limitation). Don't have any additional details though, but will update as I get them. Hoping to have this addressed soon!
Fixed with v7.17.5. Sensitive log streams keys will now be obfuscated similarly to other secrets. Thanks for everyone's patience here!
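As an added illustration of the problem reported above and of the kind of obfuscation the fix describes, the following Python is not auth0-deploy-cli's own code. It scans a log-streams export for plaintext sink secrets (useful as a pre-commit check on exports produced by older CLI versions) and writes a redacted copy; the regex of secret-looking key names beyond `datadogApiKey`, the `##REDACTED##` placeholder, and the sample key value are assumptions constructed for the example.

```python
"""Check a log-streams export for plaintext sink secrets and produce a redacted
copy. Added example, not auth0-deploy-cli's own code."""
import copy
import json
import re

# Sink keys treated as secrets. datadogApiKey is the key reported in the issue;
# the regex is an assumption meant to cover similarly named keys of other sinks.
SECRET_KEY_PATTERN = re.compile(
    r"(apikey|token|secret|password|authorization|writekey)$", re.IGNORECASE
)
REDACTED = "##REDACTED##"  # hypothetical placeholder, not the CLI's real marker


def is_secret_key(key: str) -> bool:
    """True when a sink key name looks like it holds a credential."""
    return bool(SECRET_KEY_PATTERN.search(key))


def find_unredacted_secrets(streams):
    """Return (stream name, key) pairs whose sink value is a plaintext secret."""
    findings = []
    for stream in streams:
        for key, value in stream.get("sink", {}).items():
            if is_secret_key(key) and isinstance(value, str) and value and value != REDACTED:
                findings.append((stream.get("name", "?"), key))
    return findings


def redact_log_streams(streams):
    """Return a deep copy of the export with secret sink values replaced."""
    redacted = copy.deepcopy(streams)
    for stream in redacted:
        for key in list(stream.get("sink", {})):
            if is_secret_key(key):
                stream["sink"][key] = REDACTED
    return redacted


# Constructed sample export mirroring the issue's example; the key value is fake.
SAMPLE_EXPORT = [
    {"name": "Datadog", "type": "datadog", "status": "active",
     "sink": {"datadogApiKey": "dd-fake-key-0000", "datadogRegion": "us"}},
]

if __name__ == "__main__":
    print("unredacted secrets:", find_unredacted_secrets(SAMPLE_EXPORT))
    print(json.dumps(redact_log_streams(SAMPLE_EXPORT), indent=2))
```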