Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: hide service account content from the logs for gce driver #302

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

security: hide service account content from the logs for gce driver #302

wants to merge 2 commits into from

Conversation

amarao
Copy link

@amarao amarao commented Feb 20, 2025
edited
Loading

In GCE driver, when instance is created using environment variable GCP_SERVICE_ACCOUNT_CONTENTS (which is json with account metadata AND private key for the service account), GCE module returns it back into 'register' (may be, it's a security bug from them too).

GCE driver prints those return data on log in plain text, including private key.

Below there is a screenshot of actual leak (leaked key is shown in red, key is rotated before filing this bug report).

image

@github-actions github-actions bot added the bug Something isn't working label Feb 20, 2025
@apatard
Copy link
Member

apatard commented Feb 21, 2025

I'm looking at the CI failure.

Why not using no_log ?

@amarao
Copy link
Author

amarao commented Feb 21, 2025

I can replace it with no log, but it will make things harder to debug, because driver errors (e.g. bad credentials, etc) are reported in wait job. Async job is always success.

The problem here is that this leak is done by the driver, not by user-supplied playbooks.

@apatard
Copy link
Member

apatard commented Feb 21, 2025

I'm not sure what's the issue with debug and no_log. The usual trick is to use "{{ molecule_no_log }}".

I'll look at this PR again probably next week.

btw, did you also reported that to the driver authors ? the answer won't have any influence on this PR. I'm only concerned by the fact of having a known possible security issue unfixed.

@amarao
Copy link
Author

amarao commented Feb 22, 2025

My miss, I fixed tests, instead of the driver. Redoing it now.

Thanks for "{{ molecule_no_log }}" advise.

@amarao
security: hide content of the service account contents from the logs …
29b8908 
…for GCE

When instance is waited for SSH, loop label contains all server data,
returned by the driver. One of them is service_account_contents
which contains a private key to  a GCE service account, used to create
VMs in GCE, if GCP_SERVICE_ACCOUNT_CONTENTS environment variable was
used.
@amarao
Copy link
Author

amarao commented Feb 22, 2025

I redone it, using molecule_no_log, and I still keep 'loop_control/label', because gce module output here is overwhelming and is almost impossible to read. Simple 'name' should be enough for loop label.

@amarao
Copy link
Author

amarao commented Feb 22, 2025

I also reported it to the goolge.cloud: ansible-collections/google.cloud#670

They have autogenerated code, so I have no idea how to send patches there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@amarao @apatard