opencost / opencost

Cost monitoring for Kubernetes workloads and cloud costs
http://opencost.io
Apache License 2.0
4.93k stars 530 forks

Opencost logs/leaks API key #2327

Closed DD5HT closed 8 months ago

DD5HT commented 8 months ago

Describe the bug
Opencost leaks the GCP API key in its logs:

eg: opencost 2023-11-22T12:09:54.861217097Z INF Fetch GCP Billing Data from URL: https://cloudbilling.googleapis.com/v1/services/XXXXXX/skus?key=CENSORED

To Reproduce
Run opencost with a GCP API key.

Expected behavior
No credential leak

Which version of OpenCost are you using?
quay.io/kubecost1/kubecost-cost-model:prod-1.107.0-amd64@sha256:fc4b68f7c1d5d734c26ffffeff858100617fdc1a8c07827634cbfbce484d49f3

Additional Info
Either remove or censor the URL:

https://github.com/opencost/opencost/blob/836fbfeb41d7cdaddc388e6e08a3e2e9e7f75836/pkg/cloud/gcp/provider.go#L988
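An added example, written for this issue and not taken from OpenCost's code: a Go helper that redacts credential-bearing query parameters (and any user:password@ userinfo) before a URL is logged, plus a scan over already-written log lines of the shape quoted above to find keys that did leak. The function names (`RedactURL`, `FindLeakedKeys`), the parameter names treated as sensitive beyond `key`, the fake key value and the sample log lines are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Query-parameter names treated as credentials. "key" is the parameter the
// cloudbilling URL in the report carries; the others are assumptions about
// other APIs and can be extended.
var sensitiveParams = map[string]bool{
	"key":          true,
	"api_key":      true,
	"access_token": true,
	"token":        true,
}

// RedactURL returns a copy of rawURL that is safe to log: the value of every
// sensitive query parameter (matched case-insensitively) is replaced with
// "REDACTED" and any user:password@ userinfo is dropped. Input that does not
// parse is not echoed back, since it may still contain the secret.
func RedactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable URL redacted>"
	}
	u.User = nil
	q := u.Query()
	for name, values := range q {
		if sensitiveParams[strings.ToLower(name)] {
			for i := range values { // edits the slice shared with q[name]
				values[i] = "REDACTED"
			}
		}
	}
	u.RawQuery = q.Encode() // note: Encode sorts parameters by name
	return u.String()
}

// keyInURL finds credential-style query parameters inside free-form log text,
// for scanning logs written before redaction was in place (assumed pattern).
var keyInURL = regexp.MustCompile(`[?&](?i:key|api_key|access_token|token)=([^&\s"']+)`)

// FindLeakedKeys returns the distinct, non-redacted credential values that
// appear in logLines, in first-seen order. An empty result means clean logs.
func FindLeakedKeys(logLines []string) []string {
	seen := map[string]bool{}
	var found []string
	for _, line := range logLines {
		for _, m := range keyInURL.FindAllStringSubmatch(line, -1) {
			v := m[1]
			if v == "REDACTED" || seen[v] {
				continue
			}
			seen[v] = true
			found = append(found, v)
		}
	}
	return found
}

func main() {
	// Constructed sample shaped like the URL in the report; the key is fake.
	raw := "https://cloudbilling.googleapis.com/v1/services/XXXXXX/skus?key=AIzaSyFAKE-EXAMPLE-KEY&pageSize=5000"
	fmt.Println("INF Fetch GCP Billing Data from URL:", RedactURL(raw))

	// Constructed log lines: one leaking, one already redacted, one unrelated.
	logs := []string{
		"2023-11-22T12:09:54Z INF Fetch GCP Billing Data from URL: " + raw,
		"2023-11-22T12:10:03Z INF Fetch GCP Billing Data from URL: " + RedactURL(raw),
		"2023-11-22T12:10:10Z INF cost model ready",
	}
	fmt.Println("leaked keys found:", FindLeakedKeys(logs))
}
```

Redacting at the logging call site, rather than only deleting one statement, also covers other places the same URL might be printed (an error path, a debug dump); the scan is what you run over the log store after the fact to decide which keys need rotating.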

AjayTripathy commented 8 months ago

Hi @DD5HT thanks for this report. We'll get the log statement removed.

mattray commented 8 months ago

Assigning to @cliffcolvin to verify it makes the next release

AjayTripathy commented 8 months ago

Just a quick review here and we should be good: https://github.com/opencost/opencost/pull/2345