Taragolis opened a new pull request, #26014:
URL: https://github.com/apache/airflow/pull/26014
Right now not all AWS credentials are masked. Some of them may be retrieved
outside the connection's login, password and extra fields: from environment
variables, the AWS shared credentials file, an assumed role, etc.
This PR additionally masks those credentials when the
`AwsGenericHook.get_credentials()` method is called.
_DAG Sample_
```python
import os
from dataclasses import asdict
import pendulum
from airflow.decorators import task
from airflow.models.dag import dag
from airflow.providers.amazon.aws.hooks.s3 import S3Hook
from airflow.models.connection import Connection
# Shared keyword arguments for the sample DAG: a fixed, timezone-aware start
# date, no schedule (manual trigger only), no catchup, and tags that make the
# demo easy to locate in the UI.
DAG_KWARGS = dict(
    start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
    schedule_interval=None,
    catchup=False,
    tags=["credentials", "aws", "mask-secrets"],
)
# Connection id the sample tasks resolve their AWS hook from.
AWS_CONN_ID = "aws_sample_conn"
# Environment variable the sample tasks write a connection URI into
# (AIRFLOW_CONN_<CONN_ID upper-cased>); the hooks below read it back.
AWS_CONN_ENV_KEY = "AIRFLOW_CONN_" + AWS_CONN_ID.upper()
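@dag(**DAG_KWARGS)
def aws_secrets_mask():
    """Demonstrate which AWS credential fields Airflow masks in task logs.

    Two tasks print credentials on purpose so the masked output can be
    inspected in the task log.  This is a demo only: never print credentials
    in a real DAG - masking is a last line of defence, not a reason to log
    secrets.  Both tasks also mutate ``os.environ``; depending on the
    executor, those variables may outlive the task in the worker process.
    """

    @task
    def print_connection_info():
        """Build an AWS connection from a URI and print the hook's parsed config.

        Secret fields (``password``, ``aws_secret_access_key``,
        ``aws_session_token``) are masked by
        ``airflow.models.connection.Connection``.  Note that ``login`` and
        ``aws_access_key_id`` are not treated as secrets and are printed in
        clear (see the expected output below).
        """
        conn = Connection(
            conn_id=AWS_CONN_ID,
            conn_type="aws",
            login="login-aws_access_key_id",
            password="password-aws_secret_access_key",
            extra={
                "aws_access_key_id": "extra-aws_access_key_id",
                "aws_secret_access_key": "extra-aws_secret_access_key",
                "aws_session_token": "extra-aws_session_token",
                "session_kwargs": {
                    "aws_access_key_id": "session-kw-aws_access_key_id",
                    "aws_secret_access_key": "session-kw-aws_secret_access_key",
                    "aws_session_token": "session-kw-aws_session_token",
                },
            },
        )
        # Expose the connection through the AIRFLOW_CONN_<ID> env var. The URI
        # embeds the password and extra fields, so it must not be logged either.
        os.environ[AWS_CONN_ENV_KEY] = conn.get_uri()
        hook = S3Hook(aws_conn_id=AWS_CONN_ID)
        # This case is handled by airflow.models.connection.Connection
        print(f"Connection Info: {asdict(hook.conn_config)}")
        # Expected log output:
        # Connection Info: {'region_name': None, 'botocore_config': None, 'verify': None,
        # 'conn_id': 'aws_sample_conn', 'conn_type': 'aws', 'login': 'login-aws_access_key_id',
        # 'password': '***', 'extra_config': {'aws_access_key_id': 'extra-aws_access_key_id',
        # 'aws_secret_access_key': '***', 'aws_session_token': '***', 'session_kwargs':
        # {'aws_access_key_id': 'session-kw-aws_access_key_id', 'aws_secret_access_key': '***',
        # 'aws_session_token': '***'}}, 'aws_access_key_id': 'login-aws_access_key_id',
        # 'aws_secret_access_key': '***', 'aws_session_token': '***', 'profile_name': None,
        # 'endpoint_url': None, 'role_arn': None, 'assume_role_method': None, 'assume_role_kwargs': {}}

    @task
    def print_credentials():
        """Resolve credentials from AWS_* environment variables and print them.

        The connection is set to a bare ``aws://`` URI so nothing comes from
        the connection itself; the credentials resolved from the environment
        are masked by ``AwsGenericHook.get_credentials`` (the change in this
        PR).  The access key id is again printed in clear.
        """
        os.environ["AWS_ACCESS_KEY_ID"] = "env-var-aws_access_key_id"
        os.environ["AWS_SECRET_ACCESS_KEY"] = "env-aws_secret_access_key"
        os.environ["AWS_SESSION_TOKEN"] = "env-var-aws_session_token"
        # Empty connection: as the expected output shows, the credentials then
        # come from the environment variables set above, not from the connection.
        os.environ[AWS_CONN_ENV_KEY] = "aws://"
        hook = S3Hook(aws_conn_id=AWS_CONN_ID)
        # This case is handled by
        # airflow.providers.amazon.aws.hooks.base_aws.AwsGenericHook.get_credentials
        print(f"Credentials: {hook.get_credentials()}")
        # Expected log output:
        # Credentials: ReadOnlyCredentials(access_key='env-var-aws_access_key_id',
        #              secret_key='***', token='***')

    print_connection_info() >> print_credentials()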
# Calling the decorated factory produces the DAG object; presumably required
# so the DAG-file processor picks it up (the ``_`` binding itself is unused).
_ = aws_secrets_mask()
```
cc: @mik-laj