
Add option to not show a warning if mask-password is not set or false

Open pascalgulikers opened this issue 10 months ago • 1 comments

Is your feature request related to a problem? Please describe.

Due to PR https://github.com/aws-actions/amazon-ecr-login/pull/492, the workflow shows a warning that docker credentials are not masked. But in the case the workflow needs them unmasked (to pass to another job for instance), you might not want to inform the users of the (reusable) workflow that they can find those credentials in the logs.

Describe the solution you'd like

Add an option `show-mask-warning: true/false`, default `true`, so one can decide to show this warning or not. If you deliberately choose to not mask credentials, then these warnings are unnecessary.

Describe alternatives you've considered

Additional context

When you have a job which has to pull a base image from ECR, you can't use the amazon-ecr-login action in the same job, hence you have to do it in a prior job and pass the docker credentials to the next job. For example:

```yaml
job-1:
    runs-on: ubuntu-latest
    outputs:
      registry: ${{ steps.login-ecr.outputs.registry }}
      docker_username: ${{ steps.login-ecr.outputs[format('docker_username_{0}_dkr_ecr_eu_central_1_amazonaws_com', xxxxxxxx)] }}
      docker_password: ${{ steps.login-ecr.outputs[format('docker_password_{0}_dkr_ecr_eu_central_1_amazonaws_com', xxxxxxxx)] }}

    steps:
      # prior steps like aws-actions/configure-aws-credentials@v2

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
        with:
          mask-password: false
          show-mask-warning: false  # <-- new option

job-2:
    runs-on: ubuntu-latest
    needs: [job-1]
    container:
      image: ***.dkr.ecr.eu-central-1.amazonaws.com/our_custom_baseimage:latest
      credentials:
        username: ${{ needs.job-1.outputs.docker_username }}
        password: ${{ needs.job-1.outputs.docker_password }}
```

pascalgulikers, Aug 10 '23 09:08

I think this request could be translated as: "I want to leave my door unlocked when I go on vacation, but I don't want a sign in my yard that tells criminals that I'm gone and they can let themselves in."

Security through obscurity is no security at all. If you want to allow users to log their credentials in plain text, at least don't make it the default behavior: https://github.com/aws-actions/amazon-ecr-login/issues/495

lounsbrough, Aug 17 '23 15:08
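
A static check for the pattern discussed in this issue, added here as an example (it is not code from the action or from either commenter): it flags an `amazon-ecr-login` step that sets `mask-password: false` and any job output that forwards a `docker_password_*` step output. It is a line-based scan rather than a YAML parser; the sample workflow and the account ID in it are constructed.

```python
import re

ECR_LOGIN = re.compile(r"uses:\s*['\"]?aws-actions/amazon-ecr-login@")
MASK_OFF = re.compile(r"mask-password:\s*['\"]?false['\"]?\s*(#.*)?$", re.I)
PW_OUTPUT = re.compile(r"steps\.[\w-]+\.outputs\b.*docker_password")

# Constructed sample workflow; 123456789012 is a placeholder account ID.
SAMPLE = """\
jobs:
  job-1:
    outputs:
      docker_password: ${{ steps.login-ecr.outputs.docker_password_123456789012_dkr_ecr_eu_central_1_amazonaws_com }}
    steps:
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
        with:
          mask-password: false
  job-2:
    needs: [job-1]
"""

def split_steps(lines):
    """Yield (first_line_no, lines) per '- ' list item; an item ends at the
    next non-blank line indented no deeper than its dash."""
    step, start, dash = None, 0, 0
    for no, line in enumerate(lines, 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if step is not None and indent <= dash:
            yield start, step
            step = None
        if step is None and line.lstrip().startswith("- "):
            step, start, dash = [], no, indent
        if step is not None:
            step.append(line)
    if step is not None:
        yield start, step

def audit_workflow(text):
    """Return sorted (line_no, message) findings for one workflow file."""
    # Blank out comment lines so line numbers stay aligned with the file.
    lines = ["" if l.lstrip().startswith("#") else l for l in text.splitlines()]
    findings = [(no, "registry password exported as a job output")
                for no, line in enumerate(lines, 1) if PW_OUTPUT.search(line)]
    for start, step in split_steps(lines):
        if any(map(ECR_LOGIN.search, step)) and any(map(MASK_OFF.search, step)):
            findings.append((start, "amazon-ecr-login step sets mask-password: false"))
    return sorted(findings)
```

`audit_workflow(SAMPLE)` reports line 4 (the exported password) and line 6 (the login step with masking disabled).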