opentelekomcloud / terraform-provider-opentelekomcloud

Terraform OpenTelekomCloud provider
https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest
Mozilla Public License 2.0

identity_credential_v3: Please don't display and store secret keys in plain text #1786

Closed rramge closed 2 years ago

rramge commented 2 years ago

Terraform provider version

$ terraform version
Terraform v1.2.3
on linux_amd64
+ provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.29.7
$ 

Affected Resource(s)

Terraform Configuration Files

Config is irrelevant, but here's the statefile content instead:

$ terraform state show module.iam.opentelekomcloud_identity_credential_v3.this[\"terraform\"]
# module.iam.opentelekomcloud_identity_credential_v3.this["terraform"]:
resource "opentelekomcloud_identity_credential_v3" "this" {
    access        = "YXANNHIEDRWARA0JRN7H"
    create_time   = "2022-06-29T13:02:56.100960Z"
    description   = "Managed by Terraform"
    id            = "YXANNHIEDRWARA0JRN7H"
    last_use_time = "2022-06-29T13:02:56.100960Z"
    secret        = "qdp0j253r5R6aQuHAr0cXaMwAQjOC7hVPD2vZQcF"
    status        = "active"
    user_id       = "1beb89d4b97645509ddf8ac9dc410c17"
}
$

Debug Output/Panic Output

Steps to Reproduce

  1. terraform state show

Expected Behavior

The access_key should not be displayed or stored in plain text, the secret_key must not be displayed or stored in plain text. This is only acceptable during the actual creation time, but not afterwards. Usually, such fields are supposed to be write-only. Secrets like keys and passwords should not be stored in any backend in plain text anyway, so I wonder from where the provider gets this information during a refresh in the first place? I am a bit worried that this may hint at a major security issue in the backend.

Actual Behavior

Keys are displayed and saved in the statefile in plain text.

Important Factoids

When creating an empty resource, and importing an existing user with configured keys, the secret keys are not displayed or stored but treated as nonexistent. Here, the behaviour is correct. Phew.

References

rramge commented 2 years ago

Just saying... marking a value as sensitive is not enough, it is still saved in plain text in the state and inherited by modules. A simple "terraform state pull" shares the secrets with whoever wants them.
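A check for the exposure described above, written as an added example (not code from the issue author or the provider): it parses `terraform state pull` output and reports every identity_credential instance whose secret is stored as a non-empty string, noting whether the attribute was also flagged in `sensitive_attributes`. The state document, resource names and key values are constructed placeholders.

```python
import json

# Constructed `terraform state pull` output (state format v4); key values are
# placeholders, not real credentials. The first resource mirrors the address in
# the issue, the second mimics an imported credential whose secret was not read.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"module": "module.iam", "mode": "managed",
         "type": "opentelekomcloud_identity_credential_v3", "name": "this",
         "instances": [{
             "index_key": "terraform",
             "attributes": {"access": "AK_PLACEHOLDER_0", "status": "active",
                            "secret": "SK_PLACEHOLDER_0000000000000000000000"},
             # Marked sensitive, yet the value above is still plaintext JSON.
             "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]],
         }]},
        {"mode": "managed", "type": "opentelekomcloud_identity_credential_v3",
         "name": "imported",
         "instances": [{"attributes": {"access": "AK_PLACEHOLDER_1", "secret": ""}}]},
    ],
})

SECRET_ATTRS = ("secret", "secret_key")  # attribute names treated as secrets

def address(res, inst):
    """Build the resource address Terraform prints, e.g. module.iam.type.name["k"]."""
    addr = f"{res['type']}.{res['name']}"
    if res.get("module"):
        addr = f"{res['module']}.{addr}"
    key = inst.get("index_key")
    if key is not None:
        addr += f'["{key}"]' if isinstance(key, str) else f"[{key}]"
    return addr

def find_plaintext_secrets(state_json):
    """Return (address, attribute, marked_sensitive) for each instance whose
    secret attribute is a non-empty string, i.e. recoverable from the state."""
    findings = []
    for res in json.loads(state_json).get("resources", []):
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            # sensitive_attributes is a list of paths; the last step names the attribute
            marked = {path[-1]["value"] for path in inst.get("sensitive_attributes", []) if path}
            for name in SECRET_ATTRS:
                if attrs.get(name):
                    findings.append((address(res, inst), name, name in marked))
    return findings
```

Run `find_plaintext_secrets()` on the real `terraform state pull` output instead of `SAMPLE_STATE` to audit an actual backend; an empty result means no identity_credential secret is recoverable from the state.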

rramge commented 2 years ago

You need to set it as write-only. The sensitive flag is not enough.

You have a gaping security hole here. It also raises the question why you can retrieve the secret from the API in the first place (and why the API can read it in clear text from whatever data store is used in the backend).

lego963 commented 2 years ago

References:

  - https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/iam/access_key.go
  - https://github.com/huaweicloud/terraform-provider-huaweicloud/blob/master/huaweicloud/services/iam/resource_huaweicloud_identity_access_key.go