Severe security flaw: OIDC token printed as plain text in the pipeline run log for service connections configured with Workload Identity Federation

Describe the bug
The TerraformCLI@1 task prints the OIDC token as-is, in plain text, when performing init, plan and apply, which is a serious security risk, as anyone with pipeline read access can simply copy and paste the token to mimic the App-Reg and get its access in azurerm.
To Reproduce
Steps to reproduce the behavior:

```yaml
- task: TerraformCLI@1
  name: terraformPlan
  displayName: "Terraform: Plan"
  inputs:
    command: plan
    environmentServiceName: test-wif-sc
    providerAzureRmSubscriptionId: "xxxx"
    runAzLogin: true
    allowTelemetryCollection: false
```

This prints the token in the run log.
Expected behavior
Token should be masked like the username!
Screenshots
If applicable, add screenshots to help explain your problem.
Pipeline Logs
Include logs that help demonstrate the problem. Please make sure to redact any sensitive info such as secrets.
Can't attach due to sensitive content!

Agent Configuration
- OS: ubuntu
- Self Hosted
- Terraform version used 1.7.5
- AzureCLI version used

Additional context
Add any other context about the problem here.
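The expected behavior in this report is agent-side masking: a task hands the token to the agent as a secret, and the agent replaces it with `***` in every later log line. The TypeScript below is an added example written for this thread; it is not code from the TerraformCLI task, from azure-pipelines-task-lib or from the Azure Pipelines agent. It models two defender-side pieces: the `##vso[task.setsecret]` logging command a task can emit so the agent masks a value (the command is real; the token value, log lines and function names are constructed), and a small scanner that flags JWT-shaped strings in a log that has already been written, which is how you would check an existing run for a leak like this one.

```typescript
// Added example, not code from the TerraformCLI task or Azure Pipelines.
// 1. setSecretCommand: the logging command a task emits to register a secret.
// 2. maskLine: what the agent does with registered secrets on each log line.
// 3. findJwtLeaks: scan existing log lines for JWT-shaped strings.

// Three base64url segments separated by dots: the shape of a signed JWT such
// as an OIDC token. The minimum length is a heuristic to keep version strings
// and similar dotted identifiers out of the findings.
const JWT_SEGMENT = "[A-Za-z0-9_-]{16,}";
const JWT_RE = new RegExp(`\\b${JWT_SEGMENT}\\.${JWT_SEGMENT}\\.${JWT_SEGMENT}\\b`, "g");

// Azure Pipelines logging command that registers a value as a secret so the
// agent masks it in all subsequent log output. A task would write this string
// to stdout once, before the token is ever used on a command line.
function setSecretCommand(value: string): string {
  return `##vso[task.setsecret]${value}`;
}

// Agent-side masking: every registered secret is replaced by "***" wherever it
// appears in a line. Longer secrets are replaced first so that a secret which
// is a prefix of another cannot leave a recognisable tail behind.
function maskLine(line: string, secrets: string[]): string {
  let out = line;
  const ordered = secrets.filter((s) => s.length > 0).sort((a, b) => b.length - a.length);
  for (const s of ordered) {
    out = out.split(s).join("***");
  }
  return out;
}

interface JwtLeak {
  lineNo: number; // zero-based index into the scanned log
  preview: string; // short prefix only, so the scanner does not re-leak the token
}

// Scan log lines for JWT-shaped strings. A fresh RegExp per line avoids the
// shared lastIndex state of a global regex.
function findJwtLeaks(lines: string[]): JwtLeak[] {
  const leaks: JwtLeak[] = [];
  lines.forEach((line, i) => {
    const re = new RegExp(JWT_RE.source, "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(line)) !== null) {
      leaks.push({ lineNo: i, preview: m[0].slice(0, 12) + "..." });
    }
  });
  return leaks;
}

// Constructed sample: JWT-shaped (standard RS256 header, made-up payload and
// signature) but not a real token.
const SAMPLE_TOKEN =
  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJhdWQiOiJhcGk6Ly9BenVyZUFEVG9rZW5FeGNoYW5nZSJ9." +
  "fake-signature-bytes-not-a-real-token";

// Constructed log lines modelled on the run log the report describes: the
// service principal id is masked, the federated token is not.
const SAMPLE_LOG: string[] = [
  "Logging in to azurerm with service principal ***",
  `Using federated token ${SAMPLE_TOKEN}`,
  "terraform plan -input=false -detailed-exitcode",
];

// Run the scanner before and after masking with the token registered.
function demo(): { before: number; after: number; masked: string[] } {
  const before = findJwtLeaks(SAMPLE_LOG).length;
  const masked = SAMPLE_LOG.map((l) => maskLine(l, [SAMPLE_TOKEN]));
  const after = findJwtLeaks(masked).length;
  return { before, after, masked };
}
```

`maskLine` only catches the literal token. The real agent masks the registered value as written, so a token that a command prints URL-encoded or inside a JSON-escaped string can still slip through; the scanner is the safety net for that case, and it reports only a 12-character prefix of each hit so that reviewing its output does not move the token into yet another log.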
@jaredfholgate can you reproduce?
For me the token is hidden in every place I checked. I don't have a self hosted agent to check on though.
Thanks for looking into this @jason-johnson . Can we get anyone from Microsoft to try and reproduce this issue? They should have plenty of self hosted runners :D Ping @jaredfholgate
Thanks for looking into the issue. I validated recently on the latest versions and can no longer see the tokens! Looks like it's fixed in one of the recent releases. This issue is good to close :)