From f6688b37dddbc4f083685398ca0f9491ce179c31 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 13 Mar 2021 21:26:47 +0100
Subject: [PATCH] Backport of https://github.com/ansible-collections/community.aws/pull/475.
---
 changelogs/fragments/community.aws-475-no_log-missing.yml | 4 ++++
 .../cloud/amazon/aws_direct_connect_virtual_interface.py | 2 +-
 lib/ansible/modules/cloud/amazon/sts_assume_role.py | 2 +-
 lib/ansible/modules/cloud/amazon/sts_session_token.py | 2 +-
 4 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/community.aws-475-no_log-missing.yml
diff --git a/changelogs/fragments/community.aws-475-no_log-missing.yml b/changelogs/fragments/community.aws-475-no_log-missing.yml
new file mode 100644
index 00000000000000..c07ab112ad2091
--- /dev/null
+++ b/changelogs/fragments/community.aws-475-no_log-missing.yml
@@ -0,0 +1,4 @@
+security_fixes:
+- "aws_direct_connect_virtual_interface - mark the ``authentication_key`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475)."
+- "sts_assume_role - mark the ``mfa_token`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475)."
+- "sts_session_token - mark the ``mfa_token`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475)."
diff --git a/lib/ansible/modules/cloud/amazon/aws_direct_connect_virtual_interface.py b/lib/ansible/modules/cloud/amazon/aws_direct_connect_virtual_interface.py
index d0f20bd35a5139..28571cfca8af3e 100644
--- a/lib/ansible/modules/cloud/amazon/aws_direct_connect_virtual_interface.py
+++ b/lib/ansible/modules/cloud/amazon/aws_direct_connect_virtual_interface.py
@@ -451,7 +451,7 @@ def main():
 name=dict(),
 vlan=dict(type='int', default=100),
 bgp_asn=dict(type='int', default=65000),
- authentication_key=dict(),
+ authentication_key=dict(no_log=True),
 amazon_address=dict(),
 customer_address=dict(),
 address_type=dict(),
diff --git a/lib/ansible/modules/cloud/amazon/sts_assume_role.py b/lib/ansible/modules/cloud/amazon/sts_assume_role.py
index 0a263fccd414f1..88e73ef374de5f 100644
--- a/lib/ansible/modules/cloud/amazon/sts_assume_role.py
+++ b/lib/ansible/modules/cloud/amazon/sts_assume_role.py
@@ -162,7 +162,7 @@ def main():
 external_id=dict(required=False, default=None),
 policy=dict(required=False, default=None),
 mfa_serial_number=dict(required=False, default=None),
- mfa_token=dict(required=False, default=None)
+ mfa_token=dict(required=False, default=None, no_log=True)
 )
 )
diff --git a/lib/ansible/modules/cloud/amazon/sts_session_token.py b/lib/ansible/modules/cloud/amazon/sts_session_token.py
index fa64f5ada9108e..3bc7701766fef5 100644
--- a/lib/ansible/modules/cloud/amazon/sts_session_token.py
+++ b/lib/ansible/modules/cloud/amazon/sts_session_token.py
@@ -133,7 +133,7 @@ def main():
 dict(
 duration_seconds=dict(required=False, default=None, type='int'),
 mfa_serial_number=dict(required=False, default=None),
- mfa_token=dict(required=False, default=None)
+ mfa_token=dict(required=False, default=None, no_log=True)
 )
 )
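Review bot: In aws_direct_connect_virtual_interface.py the new `authentication_key=dict(no_log=True)` entry does not say why the option is masked, and the masking has a side effect callers should be told about. Ansible also scrubs any occurrence of a no_log value from the module's result, so if the module returns the interface description with the key in it (not visible here; main() continues outside the hunk), a playbook that reads the key back from a registered result will get the placeholder instead of the key. I would add a comment on the entry, for example `# BGP authentication key: masked in logs and scrubbed from returned data`, and state the same in the option's documentation.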
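Review bot: In sts_assume_role.py, `no_log=True` on `mfa_token` masks only that input (the same applies to the `mfa_token` entry in the sts_session_token.py hunk), while the temporary credentials these modules presumably return in the task result stay unmasked. The option or module documentation should say so, for example `Set no_log: true on the task when registering the result, since the returned temporary credentials are not masked by this option.` It is also worth confirming how result scrubbing behaves with a short numeric MFA code: Ansible replaces no_log values in returned strings by substring match, so a code that happens to occur inside a returned value would mangle it. Both main() bodies continue outside the hunks, so the return paths could not be checked here.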