SplunkLogDriverProps adds splunk-token to logging options instead of secretoptions #7264
I'm thinking that any LogDriver parameter should be able to be passed as a Secret. We have an existing (non-cdk) task-def that specifies both splunk-token and splunk-url using secretOptions, but it should extend to all options, regardless of driver. Right now it seems like splunk-token is the only option typed as a SecretValue, but I don't think that's right, given that it's the arn of the secret that we want to reference, not the value of the secret. I'd love to help address this, but I'm not sure what the best design would be. Especially not while preserving backwards compatibility. Allowing any option to be passed as a Secret would be nice, including granting the task execution role read access, just like secret environment variables are handled.
…plunkLogDriver (#15408) ---- This PR closes [#7264](#7264). The `token` field of the Splunk log driver populates the `Options` property of the Log Configuration which leads to the secret being resolved to its value on deploying, and then the token is viewable in plain text in the console and may be stored in plain text elsewhere. Thus, we are deprecating the `token` field of the Splunk log driver and are introducing a new `secretToken` field. `secretToken` can be used to provide the Splunk token as a Secrets Manager Secret or a Systems Manager Parameter and will be populated in the `SecretOptions` property of the Log Configuration. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bug Description
When creating a Task Definition and adding a SplunkLogDriver, a `token` property can be provided. The `token` is a secret value. In our case, we're providing the token from SecretsManager as a SecretValue per the cdk API spec.
In Cloudformation this would be provided to the Task Definition through `secretOptions` rather than `options`, and the secret would be hidden from the user in the ECS Console UI. (See docs: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html)
When doing the same through CDK, the token is added to the `Options` property, and so the secret is resolved from Secrets Manager as expected, but then is plainly displayed as a string in the ECS console UI. This can also be confirmed by examining the output cloudformation.
Reproduction Steps
Sample CDK code to reproduce the issue:
Error Log
Excerpt from the output cloudformation template after doing `cdk synthesize`. Notice that the splunk-token appears under `Options`, not `SecretOptions`.
Environment
Other
This is 🐛 Bug Report
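The check this report describes doing by eye on the `cdk synthesize` output can be automated. The following is an added example, not code from the issue or from the CDK project: the function name `findPlaintextLogSecrets`, the `SECRET_OPTION_KEYS` list and both sample templates are constructed for illustration, and the ARN and URL values are placeholders.

```typescript
// Added example: report log-driver secrets that sit under Options, not SecretOptions.
type Json = { [key: string]: any };
interface Finding { resource: string; container: string; option: string }

// Keys treated as secrets. "splunk-token" is the one from this issue; the list
// is an assumption of this example and can be extended for other drivers.
const SECRET_OPTION_KEYS = ["splunk-token"];

function findPlaintextLogSecrets(template: Json): Finding[] {
  const findings: Finding[] = [];
  const resources: Json = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const resource: Json = resources[logicalId];
    if (resource.Type !== "AWS::ECS::TaskDefinition") continue;
    const containers: Json[] = resource.Properties?.ContainerDefinitions ?? [];
    containers.forEach((c, i) => {
      const options: Json = c.LogConfiguration?.Options ?? {};
      for (const key of SECRET_OPTION_KEYS) {
        // Flag the key whatever its value is (literal or dynamic reference):
        // the issue reports that the resolved value is shown in the ECS console.
        if (key in options) {
          findings.push({ resource: logicalId, container: String(c.Name ?? i), option: key });
        }
      }
    });
  }
  return findings;
}

// Constructed task definitions; ARNs and URLs are placeholders, not values from the issue.
const taskDef = (logConfiguration: Json): Json => ({
  Resources: {
    TaskDef: {
      Type: "AWS::ECS::TaskDefinition",
      Properties: { ContainerDefinitions: [{ Name: "app", LogConfiguration: logConfiguration }] },
    },
  },
});
const badTemplate = taskDef({
  LogDriver: "splunk",
  Options: { "splunk-url": "https://splunk.example.invalid", "splunk-token": "{{resolve:secretsmanager:PLACEHOLDER_ARN}}" },
});
const goodTemplate = taskDef({
  LogDriver: "splunk",
  Options: { "splunk-url": "https://splunk.example.invalid" },
  SecretOptions: [{ Name: "splunk-token", ValueFrom: "PLACEHOLDER_SECRET_ARN" }],
});

console.log(findPlaintextLogSecrets(badTemplate));
console.log(findPlaintextLogSecrets(goodTemplate));
```

Run against the JSON templates under `cdk.out`, a non-empty result can fail a CI step before the stack is deployed.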