Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: check for accidental exposure of secrets #19543

Merged
merged 28 commits into from
Apr 11, 2022
Merged

feat: check for accidental exposure of secrets #19543

merged 28 commits into from
Apr 11, 2022

Conversation

rix0rrr
Copy link
Contributor

@rix0rrr rix0rrr commented Mar 24, 2022
edited
Loading

Introduces the following changes to secrets handling:

  • Deprecate SecretValue.plainText() in favor of SecretValue.unsafePlainText() to highlight its issues
  • Introduce SecretValue.resourceAttribute() for cases where we know we want to use a value produced at deployment time
  • Introduce a new feature flag (@aws-cdk/core:checkSecretUsage) which, when enabled, will make it impossible to use secrets without explicitly unwrapping them first (secretValue.unsafeUnwrap). This prevents people from naively sticking secrets into vulnerable locations like environment variables.
  • Deprecate secretsmanager.SecretStringValueBeta1 in favor of just accepting a SecretValue.

Since this behavior would constitute a breaking change, it will only be enabled if the feature flag @aws-cdk/core:checkSecretUsage is turned on.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@rix0rrr rix0rrr self-assigned this Mar 24, 2022
@gitpod-io
Copy link

gitpod-io bot commented Mar 24, 2022

@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Mar 24, 2022
@rix0rrr rix0rrr added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Mar 25, 2022
@github-actions github-actions bot added the p2 label Mar 25, 2022
@rix0rrr rix0rrr marked this pull request as ready for review March 25, 2022 10:54
@rix0rrr rix0rrr changed the title fix: secret values can be accidentally exposed feat: add feature flag to check for accidental exposure of secrets Mar 25, 2022
@rix0rrr rix0rrr changed the title feat: add feature flag to check for accidental exposure of secrets feat: feature flag checks for accidental exposure of secrets Mar 25, 2022
@rix0rrr rix0rrr added the pr-linter/exempt-readme The PR linter will not require README changes label Mar 25, 2022
madeline-k
madeline-k suggested changes Apr 2, 2022
View reviewed changes
Copy link
Contributor

@madeline-k madeline-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, I agree with the change, design, and the feature flag. I have a few questions and comments.

packages/@aws-cdk/core/README.md Show resolved Hide resolved
packages/@aws-cdk/core/README.md Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2/test/integ.vpn-pre-shared-key-token.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-amplify/lib/basic-auth.ts Show resolved Hide resolved
packages/@aws-cdk/aws-ecs/lib/log-drivers/utils.ts Outdated
Comment on lines 75 to 77
function isSecretValue(x: any): x is SecretValue {
return typeof x === 'object' && x && 'unsafeUnwrap' in x;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be a static function on SecretValue?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only if we need it in more than one place.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm okay. If we don't put it into SecretValue right now, I think we risk other people re-implementing the same thing in other places.

packages/@aws-cdk/aws-redshift/lib/cluster.ts Show resolved Hide resolved
packages/@aws-cdk/aws-secretsmanager/lib/secret.ts Show resolved Hide resolved
packages/@aws-cdk/aws-secretsmanager/lib/secret.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/core/lib/secret-value.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/core/lib/resolvable.ts Outdated Show resolved Hide resolved
rix0rrr and others added 8 commits April 3, 2022 11:23
@rix0rrr rix0rrr changed the title feat: feature flag checks for accidental exposure of secrets feat: check for accidental exposure of secrets Apr 4, 2022
@madeline-k madeline-k added the pr/do-not-merge This PR should not be merged at this time. label Apr 8, 2022
madeline-k
madeline-k approved these changes Apr 8, 2022
View reviewed changes
Copy link
Contributor

@madeline-k madeline-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving, but added the do-not-merge label in case you want to move isSecretValue() to SecretValue.

packages/@aws-cdk/aws-ecs/lib/log-drivers/utils.ts Outdated
Comment on lines 75 to 77
function isSecretValue(x: any): x is SecretValue {
return typeof x === 'object' && x && 'unsafeUnwrap' in x;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm okay. If we don't put it into SecretValue right now, I think we risk other people re-implementing the same thing in other places.

@rix0rrr rix0rrr removed the pr/do-not-merge This PR should not be merged at this time. label Apr 11, 2022
@mergify
Copy link
Contributor

mergify bot commented Apr 11, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 91ed58f
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 789e8d2 into master Apr 11, 2022
@mergify mergify bot deleted the huijbers/secret-values branch April 11, 2022 09:22
@mergify
Copy link
Contributor

mergify bot commented Apr 11, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

otaviomacedo pushed a commit that referenced this pull request Apr 11, 2022
@rix0rrr @otaviomacedo
feat: check for accidental exposure of secrets (#19543)
ab3c740 
Introduces the following changes to secrets handling:

- Deprecate `SecretValue.plainText()` in favor of `SecretValue.unsafePlainText()` to highlight its issues
- Introduce `SecretValue.resourceAttribute()` for cases where we know we want to use a value produced at deployment time
- Introduce a new feature flag (`@aws-cdk/core:checkSecretUsage`) which, when enabled, will make it impossible to use secrets without explicitly unwrapping them first (`secretValue.unsafeUnwrap`). This prevents people from naively sticking secrets into vulnerable locations like environment variables.
- Deprecate `secretsmanager.SecretStringValueBeta1` in favor of just accepting a `SecretValue`.

Since this behavior would constitute a breaking change, it will only be enabled if the feature flag `@aws-cdk/core:checkSecretUsage` is turned on.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
StevePotter pushed a commit to StevePotter/aws-cdk that referenced this pull request Apr 27, 2022
@rix0rrr
feat: check for accidental exposure of secrets (aws#19543)
f0a5a90 
Introduces the following changes to secrets handling:

- Deprecate `SecretValue.plainText()` in favor of `SecretValue.unsafePlainText()` to highlight its issues
- Introduce `SecretValue.resourceAttribute()` for cases where we know we want to use a value produced at deployment time
- Introduce a new feature flag (`@aws-cdk/core:checkSecretUsage`) which, when enabled, will make it impossible to use secrets without explicitly unwrapping them first (`secretValue.unsafeUnwrap`). This prevents people from naively sticking secrets into vulnerable locations like environment variables.
- Deprecate `secretsmanager.SecretStringValueBeta1` in favor of just accepting a `SecretValue`.

Since this behavior would constitute a breaking change, it will only be enabled if the feature flag `@aws-cdk/core:checkSecretUsage` is turned on.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@kbakk kbakk mentioned this pull request Apr 28, 2022
Closed
@MrArnoldPalmer MrArnoldPalmer mentioned this pull request Jan 27, 2023
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@madeline-k madeline-k madeline-k approved these changes

Assignees

@rix0rrr rix0rrr

Labels
contribution/core This is a PR that came from AWS. p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exempt-readme The PR linter will not require README changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rix0rrr @aws-cdk-automation @madeline-k