actuators/machine/instances.go: add logging for KMS key reference
- When using the ARN for KMS key, the log output doesn't include the ARN value as it contains the AWS account ID which is usually sensitive.
- This current setup doesn't have a great way to tie the EBS volume to the machine object, and therefore this log will be difficult to tie back to the machine object,
  which reduces the value to some degree.
abhinavdahiya committed Mar 16, 2020
1 parent 2d397b5 commit 09f91d9
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions pkg/actuators/machine/instances.go
@@ -214,8 +214,10 @@ func getBlockDeviceMappings(blockDeviceMappings []providerconfigv1.BlockDeviceMa
}

if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ID) != "" {
klog.V(3).Infof("Using KMS key ID %q for encrypting EBS volume", *blockDeviceMappings[0].EBS.KMSKey.ID)
blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ID
} else if aws.StringValue(blockDeviceMappings[0].EBS.KMSKey.ARN) != "" {
klog.V(3).Info("Using KMS key ARN for encrypting EBS volume") // ARN usually have account ids, therefore are sensitive data so shouldn't log the value
blockDeviceMapping.Ebs.KmsKeyId = blockDeviceMappings[0].EBS.KMSKey.ARN
}
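
Review bot: the ID branch logs the raw value of blockDeviceMappings[0].EBS.KMSKey.ID with %q, while the ARN branch withholds its value because ARNs carry the account ID. Nothing in the visible lines stops an ARN from being supplied in the ID field, and the value is assigned to Ebs.KmsKeyId unchanged either way, so an account ID could still reach the log through the first branch. Consider checking the ID value for an `arn:` prefix before logging it, or logging only that a key ID was set. Both messages also carry no machine identifier, which the commit message acknowledges; if the caller has the machine name at hand, passing it into getBlockDeviceMappings would let these lines be correlated with a machine object. As a style point, the trailing comment on the klog.V(3).Info line would read better on its own line above the call.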
