awslabs / aws-sdk-swift

Apache License 2.0

Credential info should be redacted from logs #1557

Open jbelkins opened 3 weeks ago

jbelkins commented 3 weeks ago

Describe the bug

Currently, HTTP headers are logged at the info level for requests, i.e.:

Authorization: AWS4-HMAC-SHA256 Credential=ASIAZXCVBNMASEXAMPLE/20240610/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token,

Customers would prefer not to have their AWS Key ID in the logs.

If another authentication method such as bearer token is used in the future, this issue could become more severe if not handled.

Expected Behavior

IDs and secrets for AWS or other credentials should not be logged.

Current Behavior

AWS key ID is currently logged at the info level.

Reproduction Steps

Use the SDK to make an AWS request with logging at the info level. Observe the logged values for HTTP headers.

Possible Solution

Redact sensitive strings from log statements as part of the logging process

Additional Information/Context

No response

AWS SWIFT SDK version used

main

Compiler and Version used

latest

Operating System and version

latest
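One way to apply the redaction proposed under "Possible Solution" before headers reach the logger, as an added example that is not part of the original issue and is not aws-sdk-swift code. The function `redactHeaderValue`, the `fullyRedacted` set and the sample values are hypothetical, and hiding the signature as well as the key ID is an assumption of this sketch.

```swift
import Foundation

// Added illustration; not aws-sdk-swift code. All names here are hypothetical.
let redacted = "<redacted>"

// Headers whose entire value is a credential (the session token named in the
// SignedHeaders list of the logged example).
let fullyRedacted: Set<String> = ["x-amz-security-token"]

/// Returns a copy of `value` that is safe to log for the given header name.
func redactHeaderValue(name: String, value: String) -> String {
    let key = name.lowercased()
    if fullyRedacted.contains(key) { return redacted }
    guard key == "authorization" else { return value }

    // Split "<scheme> <parameters>" at the first space.
    let parts = value.split(separator: " ", maxSplits: 1, omittingEmptySubsequences: true)
    guard parts.count == 2 else { return redacted }
    let scheme = String(parts[0])
    guard scheme.hasPrefix("AWS4-") else {
        // Bearer or any other scheme: keep the scheme name, drop the secret.
        return "\(scheme) \(redacted)"
    }

    // SigV4: keep the credential scope and SignedHeaders for debugging,
    // hide the access key ID. Hiding the signature too is an assumption here.
    let fields = parts[1].split(separator: ",").map { field -> String in
        let f = field.trimmingCharacters(in: .whitespaces)
        if f.hasPrefix("Credential=") {
            let cred = f.dropFirst("Credential=".count)
            if let slash = cred.firstIndex(of: "/") {
                return "Credential=\(redacted)\(cred[slash...])"
            }
            return "Credential=\(redacted)"
        }
        if f.hasPrefix("Signature=") { return "Signature=\(redacted)" }
        return f
    }
    return "\(scheme) \(fields.joined(separator: ", "))"
}

// Constructed samples: the key ID is the example value quoted in the issue,
// the signature and bearer token are made up.
let sigv4 = "AWS4-HMAC-SHA256 Credential=ASIAZXCVBNMASEXAMPLE/20240610/us-east-1/s3/aws4_request, "
    + "SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=0123abcd"
print(redactHeaderValue(name: "Authorization", value: sigv4))
print(redactHeaderValue(name: "Authorization", value: "Bearer constructed-token"))
print(redactHeaderValue(name: "X-Amz-Security-Token", value: "constructed-session-token"))
```

Unknown `Authorization` schemes fall through to the scheme-plus-placeholder branch, so a bearer token added later is hidden by default rather than logged until someone adds a rule for it.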

sichanyoo commented 2 weeks ago

0.2 is for investigation - ask other SDKs on what they do with authorization header when logging