external-dns
Hide the AWS assume role ExternalID
What would you like to be added:
I would like for the AWS assume role ExternalID to not show up in logs, for example:
time="2024-02-21T18:20:30Z" level=info msg="Instantiating new Kubernetes client"
time="2024-02-21T18:20:30Z" level=info msg="Using inCluster-config based on serviceaccount-token"
time="2024-02-21T18:20:30Z" level=info msg="Created Kubernetes client https://172.20.0.1:443"
time="2024-02-21T18:20:31Z" level=info msg="Assuming role: arn:aws:iam::xxxxxx:role/xxxxxxxxx with external id xxxxxxxxxxx"
Why is this needed:
Even if ExternalID is not a password, it's still an exploitable piece of information, and it's printed in the logs, regardless of the loglevel.
Other information
If there are no objections, I can work on patching this :) The relevant code that needs to be changed is:
To adjust the message about assuming the AWS role: https://github.com/kubernetes-sigs/external-dns/blob/6ca3e40d1e5e5d752dedcc9e42f014e5292777da/provider/aws/session.go#L60-L70
To hide the field when the whole config is printed, by setting the secure tag: https://github.com/kubernetes-sigs/external-dns/blob/6ca3e40d1e5e5d752dedcc9e42f014e5292777da/pkg/apis/externaldns/types.go#L87
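The two changes proposed in the issue above (keeping the external ID value out of the assume-role message, and masking the field when the whole config is printed) are shown here as an added Go example; it is not external-dns code. The `Config` fields, the function names, the `secure:"yes"` tag value and all sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"reflect"
)

// mask has a fixed length so the printed config does not leak the secret's length.
const mask = "******"

// Config is a constructed stand-in for a config struct (hypothetical fields).
type Config struct {
	AWSAssumeRole           string
	AWSAssumeRoleExternalID string `secure:"yes"` // tag value "yes" is an assumption
	LogLevel                string
}

// Redacted returns a copy of cfg in which every non-empty string field
// tagged secure:"yes" is replaced by the mask. The caller's value is untouched.
func Redacted(cfg Config) Config {
	v := reflect.ValueOf(&cfg).Elem() // cfg was passed by value, so this mutates the copy
	t := v.Type()
	for i := 0; i < t.NumField(); i++ {
		f := v.Field(i)
		if t.Field(i).Tag.Get("secure") == "yes" && f.Kind() == reflect.String && f.String() != "" {
			f.SetString(mask)
		}
	}
	return cfg
}

// AssumeRoleMessage builds the log line. It reports only whether an
// external ID is configured, never the value itself.
func AssumeRoleMessage(cfg Config) string {
	if cfg.AWSAssumeRoleExternalID != "" {
		return fmt.Sprintf("Assuming role: %s with external id (redacted)", cfg.AWSAssumeRole)
	}
	return fmt.Sprintf("Assuming role: %s", cfg.AWSAssumeRole)
}

func main() {
	cfg := Config{ // constructed sample values
		AWSAssumeRole:           "arn:aws:iam::111122223333:role/example",
		AWSAssumeRoleExternalID: "constructed-external-id",
		LogLevel:                "info",
	}
	fmt.Println(AssumeRoleMessage(cfg))
	fmt.Printf("config: %+v\n", Redacted(cfg))
}
```

Because the redaction happens before formatting, the value stays out of the output at every log level, which is the behaviour the issue asks for.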
Hey @iul1an, if there are no objections I can help too :)
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale