Severe security flaw: OIDC token printed as plain text in the pipeline run log for service connections configured with Workload Identity Federation #428
Describe the bug
TerraformCLI@1 task prints the OIDC token as-is in plain text when performing init, plan and apply, which is a serious security risk! Anyone having pipeline read access can simply copy-paste the token to mimic the App-Reg and get its access in azurerm.
To Reproduce
Steps to reproduce the behavior:
```yaml
- task: TerraformCLI@1
  name: terraformPlan
  displayName: "Terraform: Plan"
  inputs:
    command: plan
    environmentServiceName: test-wif-sc
    providerAzureRmSubscriptionId: "xxxx"
    runAzLogin: true
    allowTelemetryCollection: false
```

This prints the token in the run log.
Expected behavior
Token should be masked like the username!
Screenshots
If applicable, add screenshots to help explain your problem.
Pipeline Logs
Include logs that help demonstrate the problem. Please make sure to redact any sensitive info such as secrets.
Can't attach due to sensitive content!
Agent Configuration
OS: ubuntu
Self Hosted
Terraform version used 1.7.5
AzureCLI version used
Additional context
Add any other context about the problem here.
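As an added defender-side example (not code from this issue or from the TerraformCLI task project), the following shows the masking behaviour the report asks for, applied to constructed log lines, plus a triage helper that reads the unverified claims of an exposed token to see which identity it names and how long it stays usable. The token, its claims and the log lines are all constructed for the example; the service connection name from the issue is used as a hypothetical subject.

```python
import base64
import json
import re
from datetime import datetime, timezone

# A JWT is three base64url segments joined by dots; the header of a JSON
# token always encodes to a string starting with "eyJ", which keeps false
# positives low when scanning ordinary log text.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
MASK = "***"  # what Azure Pipelines prints in place of a registered secret


def redact_jwts(line: str) -> str:
    """Return the log line with every JWT-shaped token replaced by MASK."""
    return JWT_RE.sub(MASK, line)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_exposure(token: str) -> dict:
    """Scope an exposure: audience, subject and expiry of a leaked token.
    The signature is NOT checked; this only reports what the token claims."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    return {"aud": claims.get("aud"), "sub": claims.get("sub"),
            "expires_utc": exp.isoformat()}


def make_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the example (not a real credential)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "nosig"])


# Constructed sample claims shaped like a workload-identity token; the
# subject is a hypothetical value using the issue's service connection name.
DEMO_TOKEN = make_demo_token({"aud": "api://AzureADTokenExchange",
                              "sub": "sc://org/project/test-wif-sc",
                              "exp": 1700000000})
SAMPLE_LOG = [  # constructed lines imitating the leak the issue describes
    "Initializing the backend...",
    f"OIDC token: {DEMO_TOKEN}",
    "Terraform has been successfully initialized!",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_jwts(line))
    print(token_exposure(DEMO_TOKEN))
```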