Open fulder opened 4 years ago
Not recommending this shouldn't be fixed (if it can be), but just a word of caution: if you're putting secrets into environment variables in plain text, then anybody with access to the Lambda is going to be able to read them.
It's recommended that you use either Secrets Manager or Parameter Store to keep the values truly secure.
GitHub secrets are automatically masked in the action logs, but setting `action_comment` to `true` for e.g. `cdk synth` prints the real secret values directly inside the PR comment. This can be a security issue if someone uses a secret in e.g. a Lambda function's env vars without realizing it will be automatically printed in a PR comment.