hashicorp/aws-sdk-go-base

Overzealous sensitive value masking in HTTP request/response logs

ewbankkit opened this issue · 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Following the changes to HTTP request/response log sensitive value masking in #523, much useful information is being unnecessarily obfuscated. For example:

  http.response.body=
  | <?xml version="1.0" encoding="UTF-8"?>
  | <Desc***************onse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  |     <requestId>76a4520c-aafc-4486-8224-92e4776ae280</requestId>
  |     <subnetSet>
  |         <item>
  |             <subnetId>subnet-0ae3*********6b23</subnetId>
  |             <subnetArn>arn:aws:ec2:us-west-2:123456789012:subnet/subnet-0ae3*********6b23</subnetArn>
  |             <state>available</state>
  |             <ownerId>123456789012</ownerId>
  |             <vpcId>vpc-0034*********0c03</vpcId>
  |             <cidrBlock>10.0.2.0/24</cidrBlock>
  |             <ipv6********************Set/>
  |             <avai***************ount>251</ava****************ount>
  |             <avai********Zone>us-west-2d</ava*********Zone>
  |             <avai**********neId>usw2-az4</ava***********neId>
  |             <defaultForAz>false</defaultForAz>
  |             <mapP***********unch>true</map************unch>
  |             <tagSet>
  |                 <item>
  |                     <key>Name</key>
  |                     <value>tf-acc-test-2706***********8325</value>
  |                 </item>
  |             </tagSet>
  |             <assi*******************tion>false</ass********************tion>
  |             <mapC******************unch>false</map*******************unch>
  |             <priv*********************unch>
  |                 <hostnameType>ip-name</hostnameType>
  |                 <enab********************cord>false</ena*********************cord>
  |                 <enab***********************cord>false</ena************************cord>
  |             </pri**********************unch>
  |             <ipv6Native>false</ipv6Native>
  |             <enableDns64>false</enableDns64>
  |         </item>
  |     </subnetSet>
  | </Des****************onse>

If the intention is to mask just AWS access key IDs and secret access keys then we can use the patterns described here.

Relates hashicorp/terraform-provider-aws#32164.
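An added example, not code from the issue or from aws-sdk-go-base: it contrasts a broad masker with one limited to credential-shaped strings. The 16-character threshold is inferred from the masked output above, the 20- and 40-character lengths are the usual shapes of access key IDs and secret access keys, and every name and pattern here is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed patterns: none of these is the library's actual expression.
var (
	broadRun  = regexp.MustCompile(`[A-Za-z0-9/+=]{16,}`) // inferred from the log above
	secretRun = regexp.MustCompile(`[A-Za-z0-9/+=]+`)     // secret access key alphabet
	keyIDRun  = regexp.MustCompile(`[A-Z0-9]+`)           // access key ID alphabet
)

// partial keeps the first and last four characters, as the log above does.
func partial(s string) string {
	return s[:4] + strings.Repeat("*", len(s)-8) + s[len(s)-4:]
}

// MaskBroad masks every run of 16 or more key-alphabet characters.
func MaskBroad(s string) string {
	return broadRun.ReplaceAllStringFunc(s, partial)
}

// exact masks only maximal runs of exactly n characters. RE2 has no
// lookarounds, so the greedy match plus a length test sets the boundaries.
func exact(re *regexp.Regexp, n int, s string) string {
	return re.ReplaceAllStringFunc(s, func(m string) string {
		if len(m) == n {
			return partial(m)
		}
		return m
	})
}

// MaskNarrow masks 40-character secrets and 20-character access key IDs only.
func MaskNarrow(s string) string {
	return exact(keyIDRun, 20, exact(secretRun, 40, s))
}

func main() {
	// Constructed input: one element from the log above, then the AWS documentation's example key ID.
	in := "<availableIpAddressCount>251</availableIpAddressCount> AKIAIOSFODNN7EXAMPLE"
	fmt.Println(MaskBroad(in))
	fmt.Println(MaskNarrow(in))
}
```

The narrow form still masks any other run of exactly 40 characters from that alphabet, such as a hex SHA-1 digest, so it reduces false positives without eliminating them.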