fix: mask the aws credential info #364

yanghua · 2025-05-15T06:30:35Z

Which issue does this PR close?

Closes #363.

Rationale for this change

Currently, AwsCredential supports #[derive(Debug)], as a default behavior, it would print the credential's plaintext. Like this:

[2025-05-13T07:40:10Z DEBUG lance::dataset::scanner] Execution plan:
ProjectionExec { input: TakeExec { dataset: Dataset { object_store: ObjectStore { inner: AmazonS3 { client: S3Client { config: S3Config { region: "cn-beijing", endpoint: Some("[https://xxx.s3-cn-beijing.volces.com/](https://xxx.s3-cn-beijing.volces.com)"), bucket: "xxx", bucket_endpoint: "[https://xxx.-s3-cn-beijing.volces.com/](https://xxx.-s3-cn-beijing.volces.com)", credentials: StaticCredentialProvider { credential: AwsCredential { key_id: "xxx", secret_key: "xxx==", token: None } }, session_provider: None, retry_config: RetryConfig { backoff: BackoffConfig { init_backoff: 100ms, max_backoff: 15s, base: 2.0 }, max_retries: 10, retry_timeout: 180s }, client_options: ClientOptions { user_agent: None, content_type_map: {}, default_content_type: None, default_headers: None, proxy_url: None, proxy_ca_certificate: None, proxy_excludes: None, allow_http: Parsed(false), allow_insecure: Parsed(false), timeout: Some(Parsed(30s)), connect_timeout: Some(Parsed(5s)), pool_idle_timeout: None, pool_max_idle_per_host: None, http2_keep_alive_interval: None, http2_keep_alive_timeout: None, http2_keep_alive_while_idle: Parsed(false), http1_only: Parsed(true), http2_only: Parsed(false) }, sign_payload: true, skip_signature: false, disable_tagging: false, checksum: None, copy_if_not_exists: None, conditional_put: None, encryption_headers: S3EncryptionHeaders({}) }

For security reasons, it would be better to mask the credentials. If someone wants to show them, let it print manually.

What changes are included in this PR?

Customize the std::fmt::Debug for AwsCredential to override the default behavior.

Are there any user-facing changes?

NO

tustvold · 2025-05-15T07:12:17Z

src/aws/credential.rs

+impl std::fmt::Debug for AwsCredential {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("AwsCredential")
+            .field("key_id", &"******")


This isn't secret and is safe to print

@tustvold reasonable, let's only mask secret_key and token .

@tustvold Updated.

fix: mask the aws credential info

586753d

tustvold reviewed May 15, 2025

View reviewed changes

fix: mask the aws credential info

80bdb3a

rtyler approved these changes May 15, 2025

View reviewed changes

tustvold merged commit 55dab67 into apache:main May 16, 2025
8 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: mask the aws credential info #364

fix: mask the aws credential info #364

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

fix: mask the aws credential info #364

fix: mask the aws credential info #364

Uh oh!

Conversation

Uh oh!

Which issue does this PR close?

Rationale for this change

What changes are included in this PR?

Are there any user-facing changes?

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!