
Mask the value of SECRET-type input if accidentally exposed in the logs

Open janorga opened this issue 5 months ago • 3 comments

Describe the issue

When a SECRET is requested via inputs, it is leaked in the logs when it is used as {{ inputs.password }} (see the example below).

In the example below, the Kestra task logs show export SUPER_PASSWORD=<the_plain_password_here>, with the input (secret) in plain text. This should be masked.

id: test_input_secret
namespace: test

inputs:
  - id: username
    type: STRING

  - id: password
    type: SECRET

tasks:
  - id: commands_task
    type: io.kestra.plugin.scripts.shell.Commands
    taskRunner:
      type: io.kestra.plugin.scripts.runner.docker.Docker
      pullPolicy: ALWAYS
      entryPoint: []
    containerImage: "ubuntu:latest"
    namespaceFiles:
      enabled: true
    commands:
      - export SUPER_PASSWORD={{ inputs.password }}

Environment

  • Kestra Version: v0.18.9
  • Operating System (OS/Docker/Kubernetes): Kubernetes RKE2

janorga, Oct 01 '24 11:10
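
A sketch of the masking requested in this issue, added here as an example and not taken from Kestra's code: it collects the values of SECRET-typed inputs and redacts them from each log line before it is written. The function names, the MASK string and the sample values are assumptions; the input declarations mirror the flow above.

```python
import base64
import re

MASK = "******"  # assumed placeholder string

# Input declarations from the flow above; the values are constructed samples.
INPUT_DEFS = [{"id": "username", "type": "STRING"},
              {"id": "password", "type": "SECRET"}]
INPUT_VALUES = {"username": "alice", "password": "p@ss.w0rd+1"}


def secret_values(input_defs, input_values):
    """Return the runtime values of all inputs declared with type SECRET."""
    return [str(input_values[d["id"]]) for d in input_defs
            if d.get("type") == "SECRET" and input_values.get(d["id"])]


def build_masker(secrets):
    """Build a function that replaces every secret value in a log line."""
    variants = set()
    for s in secrets:
        variants.add(s)
        # A script may echo the value re-encoded; cover the base64 form too.
        variants.add(base64.b64encode(s.encode()).decode())
    if not variants:
        return lambda line: line
    # Longest first, so a secret containing another secret is masked whole.
    ordered = sorted(variants, key=len, reverse=True)
    # re.escape: the value is matched literally, never as a pattern.
    pattern = re.compile("|".join(re.escape(v) for v in ordered))
    return lambda line: pattern.sub(MASK, line)


if __name__ == "__main__":
    mask = build_masker(secret_values(INPUT_DEFS, INPUT_VALUES))
    for line in ["export SUPER_PASSWORD=p@ss.w0rd+1",   # constructed log lines
                 "login as alice"]:
        print(mask(line))
```

Value-based masking only catches forms it knows about; a secret that a script splits, hashes or encodes differently still reaches the log, so keeping the value out of the logged command line remains the stronger control.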