When using chef-Azure-extension 1210.13.x, credentials are being printed in the logs during client converge
ayushbhatt29 opened this issue · 2 comments
Customer bug - https://github.com/chef/customer-bugs/issues/490
We didn't have the credentials issue earlier because our team was downloading the Chef package from packages.chef.io.
Now, as per Infosec team guidelines, instead of downloading the Chef MSI package from the internet, we are downloading the MSI package from a private JFrog Artifactory.
When we use the chef_package_url option in the ARM template to specify the Artifactory URL of the Chef MSI package:
chef_package_url: https://<%= ENV['ARTIFACTORY_USERNAME'] %>:<%= ENV['ARTIFACTORY_API_KEY'] %>@example.jfrog.io/artifactory/packages.chef.io-cache/16.14.1/windows/2016/chef-client-16.14.1-1-x64.msi
After using this option, the Artifactory credentials are written into the logs.
Example logs are as below:
These credentials are being written into the Windows log files. Please find the log file below. I have masked the credentials.
##########################################################################
[09/28/2021 08:28:01.30] Executing: C:\Packages\Plugins\Chef.Bootstrap.WindowsAzure.ChefClient\1210.13.5.2\enable.cmd
[09/28/2021 08:29:07.45] Execution Complete.
######
Execution Output:
C:\Packages\Plugins\Chef.Bootstrap.WindowsAzure.ChefClient\1210.13.5.2>set CHEF_EXT_DIR=C:\Packages\Plugins\Chef.Bootstrap.WindowsAzure.ChefClient\1210.13.5.2\
C:\Packages\Plugins\Chef.Bootstrap.WindowsAzure.ChefClient\1210.13.5.2>echo C:\Packages\Plugins\Chef.Bootstrap.WindowsAzure.ChefClient\1210.13.5.2\
C:\Packages\Plugins\Chef.Bootstrap.WindowsAzure.ChefClient\1210.13.5.2\
C:\Packages\Plugins\Chef.Bootstrap.WindowsAzure.ChefClient\1210.13.5.2>REM Installing chef-client
C:\Packages\Plugins\Chef.Bootstrap.WindowsAzure.ChefClient\1210.13.5.2>powershell -nologo -noprofile -executionpolicy unrestricted Import-Module C:\Packages\Plugins\Chef.Bootstrap.WindowsAzure.ChefClient\1210.13.5.2\bin\chef-install.psm1;Install-ChefClient
Environment variables not passed.
Checking Chef Client ...
Set CHEF_LICENSE Environment variable as accept
Downloading chef client package from https://XXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@example.jfrog.io/artifactory/packages.chef.io-cache/16.14.1/windows/2016/chef-client-16.14.1-1-x64.msi
Chef Client package download failed. Retrying in 20s...
Checking Chef Client ...
###########################################################################
Regards,
Irina.
To Reproduce
1/ Please use chef_package_url with the Artifactory URL in the ARM template
2/ Submit the template to create/install and bootstrap.
As a workaround, it's possible with most artifact repos (including Artifactory) to allow anonymous downloads so that credentials are not required (and thus will not be logged)
(While it's not a fix, it might get you unblocked)
Thanks @trickyearlobe for the suggestion
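The log line quoted in the issue shows the full download URL, userinfo included, being echoed by the extension's install step. The following PowerShell is an added example, not code from the Chef Azure extension or from the reporter: it takes a URL of the form https://user:key@host/path, strips the user:key@ part before anything is logged, and sends the credentials as an HTTP Basic Authorization header instead of leaving them in the URL. The function names (Get-RedactedUri, Get-UriCredential, Save-PackageRedacted) and the sample URL and placeholder credentials are assumptions made up for the example.

```powershell
# Added example (not the chef extension's code): keep credentials out of log lines
# by redacting the userinfo part of a URL and sending it as a header instead.

function Get-RedactedUri {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [System.Uri]$Url
    if ([string]::IsNullOrEmpty($uri.UserInfo)) { return $Url }
    # UriBuilder rebuilds the URL without the user:password@ section
    $builder = [System.UriBuilder]$uri
    $builder.UserName = ''
    $builder.Password = ''
    return $builder.Uri.AbsoluteUri
}

function Get-UriCredential {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [System.Uri]$Url
    if ([string]::IsNullOrEmpty($uri.UserInfo)) { return $null }
    # UserInfo is "user:password" with percent-encoding still applied
    $parts = $uri.UserInfo.Split([char]':', 2)
    $user = [System.Uri]::UnescapeDataString($parts[0])
    $pass = if ($parts.Count -gt 1) { [System.Uri]::UnescapeDataString($parts[1]) } else { '' }
    $secure = ConvertTo-SecureString -String $pass -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential($user, $secure)
}

function Save-PackageRedacted {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Destination
    )
    $safeUrl = Get-RedactedUri -Url $Url
    $cred    = Get-UriCredential -Url $Url

    # Only the redacted URL ever reaches the log / console
    Write-Host "Downloading chef client package from $safeUrl"

    $headers = @{}
    if ($cred) {
        # Basic auth is what user:key@host in a URL means; send it as a header
        $plain = $cred.GetNetworkCredential().Password
        $token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$($cred.UserName):$plain"))
        $headers['Authorization'] = "Basic $token"
    }
    Invoke-WebRequest -Uri $safeUrl -Headers $headers -OutFile $Destination -UseBasicParsing
}

# Constructed sample input (hypothetical host and placeholder credentials, not a real key)
$sample = 'https://svc-user:not-a-real-key@example.jfrog.io/artifactory/packages.chef.io-cache/16.14.1/windows/2016/chef-client-16.14.1-1-x64.msi'

# Shows what would be logged: the userinfo is gone, the path is intact
Get-RedactedUri -Url $sample

# Shows the parsed credential; the password is a SecureString, not plain text
(Get-UriCredential -Url $sample).UserName

# Actual download (needs network access to the hypothetical host):
# Save-PackageRedacted -Url $sample -Destination "$env:TEMP\chef-client.msi"
```

The point of splitting the URL is that every later `Write-Host`, `Write-Log` or retry message (including the "download failed. Retrying in 20s..." line in the quoted log) can use `$safeUrl` and still identify which package was requested. The same redaction applies to any error text that includes the URL, so wrap `Invoke-WebRequest` failures and log `$safeUrl` rather than `$_.Exception.Message` if the exception may echo the request URI.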