
custom-resources: Provider logs Data from response with NoEcho: true #30275

Closed
cgatt opened this issue May 20, 2024 · 5 comments · Fixed by #30689 or rwlxxvii/containers#185 · May be fixed by gitafolabi/kreuzlaker#2, NOUIY/aws-solutions-constructs#113 or NOUIY/aws-solutions-constructs#114
Assignees
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1

Comments

@cgatt

cgatt commented May 20, 2024

Describe the bug

When using a Provider to create a custom resource, the request and response objects are logged by the provider function. There is no apparent way to prevent or redact this logging, resulting in secrets being logged if returned in the custom resource's Data object. By extension, if secret values are passed in the resource's ResourceProperties they will be logged as well.

Expected Behavior

When the custom resource response has NoEcho: true, the log output from the Provider function should redact the values from the Data object.

[provider-framework] onEvent returned: 
{
    "NoEcho": true,
    "PhysicalResourceId": "2262225",
    "Data": {
        "clientId": "***",
        "clientSecret": "***"
    },
    "Status": "SUCCESS"
}

Current Behavior

The provider function logged the full Data payload:

[provider-framework] onEvent returned: 
{
    "NoEcho": true,
    "PhysicalResourceId": "2262225",
    "Data": {
        "clientId": "3a415657c61047fe9b790501254",
        "clientSecret": "475343b8<manually redacted>"
    },
    "Status": "SUCCESS"
}

Reproduction Steps

import { App, CustomResource, Stack } from 'aws-cdk-lib';
import { Provider } from 'aws-cdk-lib/custom-resources';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';

const app = new App();
const stack = new Stack(app, 'cr-demo-stack');

// onEvent handler that returns a secret in Data and marks the response NoEcho: true
const handler = new Function(stack, 'my-handler', {
  runtime: Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: Code.fromInline(`
  exports.handler = async (event, context) => {
    return {
      PhysicalResourceId: '1234',
      NoEcho: true,
      Data: {
        mySecret: 'secret-value',
      },
    };
  };`),
});

// The provider framework wraps the handler; its own Lambda logs the request and response
const provider = new Provider(stack, 'my-provider', {
  onEventHandler: handler,
});

new CustomResource(stack, 'my-cr', {
  serviceToken: provider.serviceToken,
});

Deploy this stack and you can see the following log:

[provider-framework] event: {
  "PhysicalResourceId": "1234",
  "NoEcho": true,
  "Data": {
    "mySecret": "secret-value"
  }
}
[provider-framework] submit response to cloudformation <stack-id> {
  "Status": "SUCCESS",
  "Reason": "SUCCESS",
  "StackId": "<stack-id>",
  "RequestId": "bab8ac9b-c6a7-45d4-9828-71dc260ebef7",
  "PhysicalResourceId": "1234",
  "LogicalResourceId": "clientapplication",
  "NoEcho": true,
  "Data": {
    "mySecret": "secret-value"
  }
}

Possible Solution

Add logic to the provider handler code to redact the Data object if NoEcho = true

Add properties to the Provider construct to redact some/all of the ResourceProperties from the provider logs.

Additional Information/Context

No response

CDK CLI Version

2.133.0 (build dcc1e75)

Framework Version

2.133.0

Node.js Version

20

OS

Ubuntu

Language

TypeScript

Language Version

No response

Other information

No response
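The two redactions proposed under Possible Solution (mask Data when NoEcho is true, and mask selected ResourceProperties in the logged event) as an added example; this is not the CDK provider framework's own code, and the interfaces, the `REDACTED` marker and the function names are assumptions made for the illustration.

```typescript
// Added example (not aws-cdk-lib code): redact custom-resource request/response
// objects before they are written to the provider's log.
const REDACTED = '***'; // assumed marker, matches the issue's expected output

interface CustomResourceResponse {
  Status: 'SUCCESS' | 'FAILED';
  PhysicalResourceId: string;
  NoEcho?: boolean;
  Data?: Record<string, unknown>;
  [key: string]: unknown;
}

interface CustomResourceRequest {
  RequestType: 'Create' | 'Update' | 'Delete';
  ResourceProperties?: Record<string, unknown>;
  OldResourceProperties?: Record<string, unknown>;
  [key: string]: unknown;
}

// Copy of the response with every Data value masked when the handler set NoEcho: true.
// Keys stay visible so the log still shows which attributes were returned.
function redactForLog(response: CustomResourceResponse): CustomResourceResponse {
  if (!response.NoEcho || !response.Data) {
    return response; // nothing declared sensitive: log unchanged
  }
  const maskedData: Record<string, string> = {};
  for (const key of Object.keys(response.Data)) {
    maskedData[key] = REDACTED;
  }
  return { ...response, Data: maskedData };
}

// Copy of the request event with the named property keys masked in both the
// current and (on Update) the previous ResourceProperties.
function redactRequestForLog(event: CustomResourceRequest, hiddenKeys: string[]): CustomResourceRequest {
  const hide = new Set(hiddenKeys);
  const mask = (props?: Record<string, unknown>): Record<string, unknown> | undefined => {
    if (!props) return undefined;
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(props)) out[k] = hide.has(k) ? REDACTED : v;
    return out;
  };
  return {
    ...event,
    ResourceProperties: mask(event.ResourceProperties),
    OldResourceProperties: mask(event.OldResourceProperties),
  };
}
```

The masked copy is only what gets logged; the unmodified response is still what is submitted to CloudFormation, so NoEcho continues to reach CloudFormation as before.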

@cgatt cgatt added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 20, 2024
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label May 20, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels May 20, 2024
@khushail khushail self-assigned this May 21, 2024
@pahud
Contributor

pahud commented May 21, 2024

If you are using CustomResource Provider Framework, at this moment, there's no way to turn off the logging:

If you use AwsCustomResource, you can disable logging of the Data object with Logging.withDataHidden(). See here for more details.

Looks like you are using the custom CustomResource Provider Framework?

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 21, 2024
@pahud
Contributor

pahud commented May 21, 2024

Making it a p1 feature request to disable the logging for the CR provider framework.

@pahud pahud added p1 feature-request A feature should be added or improved. and removed bug This issue is a bug. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels May 21, 2024
@khushail khushail removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label May 22, 2024
@khushail khushail removed their assignment May 22, 2024
@pahud pahud added the effort/medium Medium work item – several days of effort label May 22, 2024
@GavinZZ GavinZZ self-assigned this Jun 25, 2024
@mergify mergify bot closed this as completed in #30689 Jul 16, 2024
@mergify mergify bot closed this as completed in 9bd92da Jul 16, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.


@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
@moelasmar moelasmar removed p1 feature-request A feature should be added or improved. effort/medium Medium work item – several days of effort labels Aug 16, 2024
@moelasmar moelasmar added p1 feature-request A feature should be added or improved. effort/medium Medium work item – several days of effort @aws-cdk/custom-resources Related to AWS CDK Custom Resources and removed @aws-cdk/custom-resources Related to AWS CDK Custom Resources labels Aug 16, 2024