aws: ensure temp credentials redacted in workflow logs

Just for good measure and extra safety, redact temporary credentials when aws authorization token is retrieved using IAM authentication credentials to access Amazon ECR. Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
docker · Sep 8, 2022 · 07cad18 · 07cad18
1 parent be010b4
commit 07cad18
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/aws.ts b/src/aws.ts
@@ -96,6 +96,8 @@ export const getRegistriesData = async (registry: string, username?: string, pas
     }
     const authToken = Buffer.from(authTokenResponse.authorizationData.authorizationToken, 'base64').toString('utf-8');
     const creds = authToken.split(':', 2);
+    core.setSecret(creds[0]); // redacted in workflow logs
+    core.setSecret(creds[1]); // redacted in workflow logs
     return [
       {
         registry: 'public.ecr.aws',
@@ -122,6 +124,8 @@ export const getRegistriesData = async (registry: string, username?: string, pas
     for (const authData of authTokenResponse.authorizationData) {
       const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8');
       const creds = authToken.split(':', 2);
+      core.setSecret(creds[0]); // redacted in workflow logs
+      core.setSecret(creds[1]); // redacted in workflow logs
       regDatas.push({
         registry: authData.proxyEndpoint || '',
         username: creds[0],