Mask all environment variable values which are KMS encrypted

Open hjacobs opened this issue 9 years ago • 3 comments

Mask all environment variable values which are KMS encrypted, regardless of their name.

Jun 23 '15 16:06 hjacobs

I think it is a security bug, not an enhancement. Currently, KMS-encrypted keys are logged in plain text within the docker run command. With a log search service like Scalyr, it means we leak private keys to a 3rd party.

Oct 04 '17 09:10 AlexanderYastrebov

@AlexanderYastrebov only if it does not match the name pattern, see here: https://github.com/zalando-stups/taupage/blob/09f198628ff58ca5cf3e5d6265656ae2969a7221/runtime/usr/local/lib/python3.4/dist-packages/taupage/init.py#L86, i.e. if your environment variable is MYPASS or MYSECRETSTUFF it should be masked already.

Oct 04 '17 11:10 hjacobs

@hjacobs Thanks, I will evaluate this, but I consider it a workaround, whereas the subject is the exact problem - KMS stuff should be masked mandatorily

AlexanderYastrebov avatar Oct 04 '17 16:10 AlexanderYastrebov
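An added sketch of the behaviour this issue asks for (not Taupage's own code, and not written by any participant in the thread): the set of KMS-sourced keys is recorded at decryption time, so the logged `docker run` line masks them whatever they are called. The `aws:kms:` value prefix, the `PASS`/`SECRET` name heuristic, the `decrypt` callback and all function names are assumptions made for illustration.

```python
import re

KMS_PREFIX = "aws:kms:"  # assumption: marker that flags a KMS-encrypted config value
SENSITIVE_NAME = re.compile(r"PASS|SECRET", re.IGNORECASE)  # assumption: name heuristic

# Constructed sample config: DB_URL matches no name pattern but is KMS encrypted.
SAMPLE_ENV = {"DB_URL": "aws:kms:Q0lQSEVSVEVYVA==", "MYPASS": "hunter2", "STAGE": "live"}


def fake_decrypt(ciphertext):
    return "postgres://app:s3cr3t@db/app"  # stand-in for the real KMS Decrypt call


def resolve_environment(config_env, decrypt):
    """Decrypt KMS-marked values and remember which keys carried them.

    Provenance has to be captured here: once decrypted, the value is plain
    text and nothing about it shows that it came from KMS.
    """
    env, kms_keys = {}, set()
    for key, value in config_env.items():
        value = str(value)
        if value.startswith(KMS_PREFIX):
            env[key] = decrypt(value[len(KMS_PREFIX):])
            kms_keys.add(key)
        else:
            env[key] = value
    return env, kms_keys


def docker_env_args(env):
    """Arguments handed to `docker run`; these carry the real values."""
    args = []
    for key in sorted(env):
        args += ["-e", "{}={}".format(key, env[key])]
    return args


def loggable_command(cmd, kms_keys):
    """Render a command for the log, masking KMS-sourced and name-matched values."""
    masked = []
    for arg in cmd:
        key, sep, value = arg.partition("=")
        if sep and (key in kms_keys or SENSITIVE_NAME.search(key)):
            value = "MASKED"
        masked.append(key + sep + value)
    return " ".join(masked)
```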