hackoregon / civic-devops

Master collection point for issues, procedures, and code to manage the HackOregon Civic platform
MIT License

Using --password via the CLI is insecure warning during deploy from Travis #182

Closed MikeTheCanuck closed 5 years ago

MikeTheCanuck commented 6 years ago

Travis deploy step on all our repos throws a warning.

e.g. Civic repo

...
export PATH=$PATH:$HOME/.local/bin
Accessing ECR
eval $(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION)
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
...

e.g. Transportation Systems repo

...
$ bin/deploy.sh
Getting the ECR login...
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
...
MikeTheCanuck commented 6 years ago

The command that throws the warning in each repo is basically the same:

Civic: Makefile - "access-ecr" section eval $$(aws ecr get-login --no-include-email --region $$AWS_DEFAULT_REGION)

Transportation Systems: [bin/deploy.sh] eval $(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION)

MikeTheCanuck commented 6 years ago

Apparently this is an issue between the Docker engine and the awscli: aws ecr get-login should use --password-stdin if available

And a lot of finger-pointing rather than getting down to solving the problem. Love the OSS community sometimes, don't you?

Might just have to wait this out, and update awscli and/or docker engine when they sort out their shit.

nam20485 commented 6 years ago

From my previous investigation of this issue (Mike we discussed this at one point back when we first started hooking up Travis deploy to ECR in the backend-exemplar repo), it appeared to me that it was less of an actual security hole as much as an annoying warning.

From reading your linked issue, it looks like it is possibly leaked to two areas, bash history and process lists. On the other hand this is a known issue in a widely-used AWS CLI mechanism, so at the very least, many other organizations are presumably using it without the -stdin-password parameter, which makes me slightly less queasy about using a process with a known security hole. Also we may be protected from those vectors if the rest of our authentication is functioning.

When I get to a network connection (still waiting on Frontier to come and install at my new place) I will experiment with some of the workarounds mentioned to see if they would be viable and practical to add to our standard Travis-ECR deploy process.

On Sat, Jun 23, 2018, 10:44 AM Mike Lonergan notifications@github.com wrote:

Apparently this is an issue between the Docker engine and the awscli: aws ecr get-login should use --password-stdin if available https://github.com/aws/aws-cli/issues/2875

And a lot of finger-pointing rather than getting down to solving the problem. Love the OSS community sometimes, don't you?

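Added example for this thread, not code from the civic-devops repo or its deploy scripts. The eval line in the Makefile "access-ecr" target and in bin/deploy.sh runs whatever `aws ecr get-login` prints, which is a `docker login -u AWS -p <token> <registry>` command; the token therefore sits on docker's argv, which is the process-list and shell-history exposure the warning refers to. The functions below take that same one-line output, pull the token out, and pass it to `docker login --password-stdin` instead, so the command line that is actually executed carries no secret. It assumes the get-login output format shown in the comments (with an optional `-e none` on older awscli), and that newer awscli (1.17.10+ and v2) has `aws ecr get-login-password`; the sample output line, token and account ids are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread; not code from hackoregon/civic-devops.
# `aws ecr get-login --no-include-email` prints one line of the form
#   docker login -u AWS -p <token> https://<account>.dkr.ecr.<region>.amazonaws.com
# (older awscli without the flag also emits "-e none" before the registry).
# eval'ing that line puts <token> into docker's argv, which is what `ps` and the
# shell history can see and why Docker prints the --password warning. The functions
# below keep the same token but hand it to `docker login --password-stdin` instead.

# Constructed sample of get-login output: fake token, fake account id.
SAMPLE_GET_LOGIN_OUTPUT='docker login -u AWS -p AQECAHhFakeTokenForIllustrationOnly== https://123456789012.dkr.ecr.us-west-2.amazonaws.com'

# ecr_parse LINE: split a get-login line into ECR_USER, ECR_TOKEN, ECR_REGISTRY.
# Returns 1 if any of the three is missing. The token is base64 (no spaces or
# glob characters), so plain word splitting is safe here.
ecr_parse() {
  ECR_USER=''; ECR_TOKEN=''; ECR_REGISTRY=''
  # shellcheck disable=SC2086
  set -- $1
  while [ $# -gt 0 ]; do
    case "$1" in
      -u) [ $# -ge 2 ] || break; ECR_USER=$2; shift 2 ;;
      -p) [ $# -ge 2 ] || break; ECR_TOKEN=$2; shift 2 ;;
      -e) [ $# -ge 2 ] || break; shift 2 ;;   # "-e none" from older awscli
      docker|login) shift ;;
      *) ECR_REGISTRY=$1; shift ;;
    esac
  done
  if [ -n "$ECR_USER" ] && [ -n "$ECR_TOKEN" ] && [ -n "$ECR_REGISTRY" ]; then
    return 0
  fi
  return 1
}

# ecr_stdin_command LINE: print the docker command that will actually be run.
# The token is not in it; this is all that `ps` or the history would show.
ecr_stdin_command() {
  ecr_parse "$1" || return 1
  printf 'docker login --username %s --password-stdin %s\n' "$ECR_USER" "$ECR_REGISTRY"
}

# ecr_login_from_get_login LINE: perform the login with the token on stdin, for
# awscli versions that only have `aws ecr get-login`.
ecr_login_from_get_login() {
  ecr_parse "$1" || { echo 'ecr_login_from_get_login: unexpected get-login output' >&2; return 1; }
  printf '%s' "$ECR_TOKEN" | docker login --username "$ECR_USER" --password-stdin "$ECR_REGISTRY"
}

# ecr_login: drop-in for the Makefile "access-ecr" target or the bin/deploy.sh
# step; uses AWS_DEFAULT_REGION like the original eval line. Prefers
# `aws ecr get-login-password` (awscli 1.17.10+ / v2), which prints only the
# token, and falls back to rewriting `aws ecr get-login` output on older installs.
ecr_login() {
  if token=$(aws ecr get-login-password --region "$AWS_DEFAULT_REGION" 2>/dev/null); then
    account=$(aws sts get-caller-identity --query Account --output text) || return 1
    printf '%s' "$token" |
      docker login --username AWS --password-stdin "${account}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com"
  else
    ecr_login_from_get_login "$(aws ecr get-login --no-include-email --region "$AWS_DEFAULT_REGION")"
  fi
}

# Show the command that replaces the eval line, using the constructed sample.
ecr_stdin_command "$SAMPLE_GET_LOGIN_OUTPUT"
```

In Travis the `ecr_login` function replaces the `eval $(aws ecr get-login ...)` line as-is; nothing else in the deploy step changes, and the `Login Succeeded` line appears without the preceding warning because docker never sees `-p` on its command line.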