cicd/login-action
1
0
Fork 0
mirror of https://github.com/docker/login-action.git synced 2025-10-31 01:40:11 +08:00
Code Issues Projects Wiki Activity

aws: ensure temp credentials redacted in workflow logs

Browse Source 
Just for good measure and extra safety, redact temporary
credentials when aws authorization token is retrieved using
IAM authentication credentials to access Amazon ECR.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax 2022-09-09 00:05:45 +02:00
parent be010b4293
commit 07cad18854
No known key found for this signature in database
GPG Key ID: 3248E46B6BB8C7F7
3 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
dist/index.js generated vendored
View File

File diff suppressed because one or more lines are too long

2
dist/index.js.map generated vendored
View File

File diff suppressed because one or more lines are too long

4
src/aws.ts
View File

@ -96,6 +96,8 @@ export const getRegistriesData = async (registry: string, username?: string, pas
} }
const authToken = Buffer.from(authTokenResponse.authorizationData.authorizationToken, 'base64').toString('utf-8'); const authToken = Buffer.from(authTokenResponse.authorizationData.authorizationToken, 'base64').toString('utf-8');
const creds = authToken.split(':', 2); const creds = authToken.split(':', 2);
core.setSecret(creds[0]); // redacted in workflow logs
core.setSecret(creds[1]); // redacted in workflow logs
return [ return [
{ {
registry: 'public.ecr.aws', registry: 'public.ecr.aws',
@ -122,6 +124,8 @@ export const getRegistriesData = async (registry: string, username?: string, pas
for (const authData of authTokenResponse.authorizationData) { for (const authData of authTokenResponse.authorizationData) {
const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8'); const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8');
const creds = authToken.split(':', 2); const creds = authToken.split(':', 2);
core.setSecret(creds[0]); // redacted in workflow logs
core.setSecret(creds[1]); // redacted in workflow logs
regDatas.push({ regDatas.push({
registry: authData.proxyEndpoint || '', registry: authData.proxyEndpoint || '',
username: creds[0], username: creds[0],