
Credentials are leaked to the console with malformed JSON input #11598

Closed
zhimsel opened this issue Apr 27, 2022 · 1 comment · Fixed by #11599
Comments

zhimsel (Contributor) commented Apr 27, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.1.3
on darwin_amd64
+ provider registry.terraform.io/carlpett/sops v0.7.0
+ provider registry.terraform.io/hashicorp/google v4.14.0

Affected Resource(s)

Provider configuration (the provider "google" {} block).

Terraform Configuration Files

data "sops_file" "credentials" {
  source_file = "/path/to/file.sops.yaml"
}

provider "google" {
  project     = "foobar"
  credentials = data.sops_file.credentials.data["path.to.yaml.object"]
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

Provide an error to the user in a way that doesn't compromise the user's credentials.

Actual Behavior

The error outputs the failed/malformed credentials in plain text to the console. This is obviously a serious security concern as Terraform is often run by CI systems that will output plan results and errors to non-secure communications platforms when they run.

This caused one of my organization's GCP credentials to be leaked (requiring rotation) when our Atlantis instance included the error message in a GitHub PR comment when trying to plan multiple affected states.

This is the (redacted) output that was produced:

│ Error: JSON credentials in "{\n  \"type\": \"service_account\",\n  \"project_id\": \"foobar\",\n
\"private_key_id\": \"REDACTED\",\n  \"private_key\": \"REDACTED\",\n  \"client_email\":
\"REDACTED\",\n  \"client_id\": \"REDACTED\",\n  \"auth_uri\":
\"https://accounts.google.com/o/oauth2/auth\",\n  \"token_uri\":
\"https://oauth2.googleapis.com/token\",\n  \"auth_provider_x509_cert_url\":
\"https://www.googleapis.com/oauth2/v1/certs\",\n  \"client_x509_cert_url\":
\"https://www.googleapis.com/robot/v1/metadata/x509/REDACTED\"\n}\n\n# \"read-only\" service
account\n# https://console.cloud.google.com/iam-admin/serviceaccounts/details/REDACTED" are not valid: invalid character '#' after top-level value

Steps to Reproduce

  1. Create a file containing JSON GCP credentials, but with something malformed
  2. Try to plan a state that uses those credentials

Important Factoids

The code responsible is in the validateCredentials function in the google provider module (line 1505 as of v4.14.0).

References

I'll be submitting a PR to remove the credentials from the error message shortly.
#11599
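The failure mode in this report is a validation routine that interpolates the raw credential blob into its error string, so whatever prints the error (a CI log, a PR comment) prints the secret. The Go program below is an added illustration written for this page; it is not the google provider's validateCredentials, nor the code from #11599. It places a leaky variant beside a redacted one and feeds both the same constructed input: a service-account-shaped JSON document with a trailing "#" comment line, which is the malformation shown in the issue (the key value is a placeholder string, not real key material).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample input: well-formed service-account JSON followed by a
// comment line, which is not valid JSON. The private_key value is a placeholder.
const malformedCredentials = `{
  "type": "service_account",
  "project_id": "foobar",
  "private_key": "PLACEHOLDER-PRIVATE-KEY"
}
# "read-only" service account`

// Constructed sample input with no trailing garbage, used to show that the
// redacted variant still accepts valid input.
const validCredentials = `{
  "type": "service_account",
  "project_id": "foobar",
  "private_key": "PLACEHOLDER-PRIVATE-KEY"
}`

// validateCredentialsLeaky reproduces the reported behaviour: the whole
// credential string is quoted inside the error message.
func validateCredentialsLeaky(creds string) error {
	var account map[string]interface{}
	if err := json.Unmarshal([]byte(creds), &account); err != nil {
		return fmt.Errorf("JSON credentials in %q are not valid: %s", creds, err)
	}
	return nil
}

// validateCredentialsRedacted reports the same parse failure but keeps the
// credential contents out of the message. Only the decoder's own description
// of the syntax error is passed through.
func validateCredentialsRedacted(creds string) error {
	var account map[string]interface{}
	if err := json.Unmarshal([]byte(creds), &account); err != nil {
		return fmt.Errorf("JSON credentials are not valid: %s", err)
	}
	return nil
}

// exposesPlaceholderKey checks whether an error message would carry the
// private_key value from the constructed samples above.
func exposesPlaceholderKey(err error) bool {
	return err != nil && strings.Contains(err.Error(), "PLACEHOLDER-PRIVATE-KEY")
}

func main() {
	fmt.Println("leaky:   ", validateCredentialsLeaky(malformedCredentials))
	fmt.Println("redacted:", validateCredentialsRedacted(malformedCredentials))
	fmt.Println("valid:   ", validateCredentialsRedacted(validCredentials))
}
```

One caveat worth knowing when keeping the decoder's message: encoding/json syntax errors quote the single offending byte (here the benign '#'), so a redacted message can still echo one character of the input. That is normally acceptable, but a validator that must never reflect any input can drop the wrapped error and report only that the JSON was not parseable.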

github-actions (bot) commented

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 28, 2022