Open
Description
What are you trying to do?
We would like to run commands in containers and use the output as the value of a secret
Doing it naively appears to be insecure and ends up logging password.txt. Snippet, with a source-available example:

```go
// Run the AWS CLI inside a container and capture the password it prints.
plaintext, err := m.AwsSdk().
	WithEnvVariable("AWS_ACCESS_KEY_ID", roleCredentials.AccessKey).
	// The credentials themselves are passed as secret variables...
	WithSecretVariable("AWS_SECRET_ACCESS_KEY", roleCredentials.SecretKey).
	WithSecretVariable("AWS_SECURITY_TOKEN", roleCredentials.SecurityToken).
	// ...but the command's output is written to a plain file in the container.
	WithExec([]string{"sh", "-c", fmt.Sprintf("aws ecr get-login-password --region '%s' > /password.txt", region)}).
	File("/password.txt").
	// Reading the file back hands the password to the module as a plain string.
	Contents(ctx)
if err != nil {
	return nil, err
}
// Only at this point is the value wrapped as a secret.
password := dag.SetSecret(fmt.Sprintf("AwsEcrLogin-%s-%s", region, role), plaintext)
```
Why is this important to you?
We have several cases where the established way to generate an intermediate credential is to use a CLI tool, that is already available as a docker image.
How are you currently working around this?
A possible workaround is to rewrite the functionality directly within the module's code for each use case, instead of executing a CLI tool.