youyo / aws-cdk-github-actions

MIT License

Secrets values revealed using actions_comment #25

Open fulder opened 4 years ago

fulder commented 4 years ago

GitHub secrets are automatically masked in the action logs, but setting action_comment to true for e.g. cdk synth prints the real secret values directly inside the PR comment.

This can be a security issue if someone uses a secret used in e.g. a lambda function env vars without realizing this will be automatically printed in a PR comment.

cynicaljoy commented 3 years ago

Not recommending this shouldn't be fixed (if it can) but just a word of caution: if you're putting secrets into environment variables in plain text then anybody with access to the Lambda is going to be able to read them.

It's recommended that you use either Secrets Manager or Parameter Store to keep the values truly secure.

https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/