Hide secrets?

Open sckott opened this issue 1 year ago • 3 comments

In making a demo for this pkg, we talked about whether or not to hide secrets in the live demo and video to be made.

It's not terribly difficult to do so, but the big issue is that IF the use case for the function is creating secrets, then you can only see them once, so redacting them when created is a no go.

However, we could redact secrets for functions that may show secrets that already exist. I don't know offhand right now if there are any, but we could make a list of them if we want to do this.

cc @seankross

sckott avatar Jul 31 '24 16:07 sckott

This is a good question, I don't know the answer though. Sort of related: is there a good way for an end user to check if sixtyfour is aware of the credentials they're using?

seankross avatar Jul 31 '24 17:07 seankross

is there a good way for an end user to check if sixtyfour is aware of the credentials they're using?

That's not easy right now. paws supports a bunch of different ways of pulling in credentials, and the package AFAIK doesn't provide a way to easily get those credentials or at least say what credentials are being used, etc.

sckott avatar Jul 31 '24 17:07 sckott

There is

pkgload::load_all()
sts_con <- con_factory("sts")()
sts_con$get_caller_identity()
$UserId
[1] "xxxx"

$Account
[1] "xxxx"

$Arn
[1] "arn:aws:iam::xxx:user/xxx"

Which answers the question:

Are the credentials sixtyfour knows about valid with AWS?

But does not answer your question of

is there a good way for an end user to check if sixtyfour is aware of the credentials they're using?

There are hacky ways to get credentials that sixtyfour knows about (for any of the various paws R6 clients):

pkgload::load_all()
sts_con <- con_factory("sts")()
sts_con$.internal$config$credentials$provider[[2]]()
$access_key_id
[1] "xxxx"

$secret_access_key
[1] "xxxx"

$session_token
[1] ""

$access_token
[1] ""

$expiration
[1] Inf

$provider_name
[1] ""

attr(,"class")
[1] "struct"

But maybe we can roll that up into a nicer fxn?

I don't know if calling that internal method would cover all credential methods, though.


Where STS is the Security Token Service, and the caller identity method is at https://www.paws-r-sdk.com/docs/sts_get_caller_identity/

sckott avatar Aug 01 '24 22:08 sckott
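One way the redaction discussed in this thread could look for a credential struct shaped like the one printed above. This is an added example, not code from the thread or from sixtyfour; `redact_creds()`, `mask_value()` and `secret_fields` are hypothetical names, and the input is a constructed list rather than a live paws client.

```r
# Constructed sample shaped like the struct printed in the thread; values are fake.
creds <- structure(
  list(
    access_key_id = "AKIAEXAMPLEEXAMPLE12",
    secret_access_key = "constructed-secret-value-not-real",
    session_token = "",
    access_token = "",
    expiration = Inf,
    provider_name = ""
  ),
  class = "struct"
)

# Fields that are never shown, even partially (assumed list for this example).
secret_fields <- c("secret_access_key", "session_token", "access_token")

# Mask one value. Empty strings and non-character values (e.g. expiration = Inf)
# pass through unchanged so the viewer can still see which fields are unset.
mask_value <- function(x, keep = 0) {
  if (!is.character(x) || length(x) != 1 || is.na(x) || !nzchar(x)) return(x)
  n <- nchar(x)
  if (keep <= 0 || n <= keep) return("<redacted>")
  paste0(strrep("*", n - keep), substr(x, n - keep + 1, n))
}

# Return a plain list that is safe to print in a live demo or recording.
# The access key id keeps its last `key_keep` characters so a user can tell
# which key is in use without the full identifier being displayed.
redact_creds <- function(creds, secrets = secret_fields, key_keep = 4) {
  out <- unclass(creds)
  for (nm in intersect(names(out), secrets)) {
    out[[nm]] <- mask_value(out[[nm]])
  }
  if (!is.null(out[["access_key_id"]])) {
    out[["access_key_id"]] <- mask_value(out[["access_key_id"]], keep = key_keep)
  }
  out
}

str(redact_creds(creds))
```

This only covers values that already exist; as noted at the top of the thread, a secret shown once at creation time cannot be redacted the same way.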