Taragolis opened a new pull request, #26014:
URL: https://github.com/apache/airflow/pull/26014

   Right now, not all AWS credentials are masked.
   Some of them might be retrieved from sources other than the connection's login, password and
extra: environment variables, the AWS shared credentials file, an assumed role, etc.
   
   This PR additionally masks credentials when the
`AwsGenericHook.get_credentials()` method is called.
   
   _DAG Sample_
   ```python
   import os
   from dataclasses import asdict
   
   import pendulum
   
   from airflow.decorators import task
   from airflow.models.dag import dag
   from airflow.providers.amazon.aws.hooks.s3 import S3Hook
   from airflow.models.connection import Connection
   
   # Keyword arguments passed to the @dag decorator below.
   DAG_KWARGS = dict(
       start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
       schedule_interval=None,
       catchup=False,
       tags=["credentials", "aws", "mask-secrets"],
   )
   # Connection id used by both tasks, and the name of the environment
   # variable through which the sample supplies that connection.
   AWS_CONN_ID = "aws_sample_conn"
   AWS_CONN_ENV_KEY = "AIRFLOW_CONN_" + AWS_CONN_ID.upper()
   
   
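   @dag(**DAG_KWARGS)
   def aws_secrets_mask():
       """Show which AWS credential fields are printed as ``***`` by the tasks.

       Every credential value in this sample is a constructed placeholder.
       In the recorded output the secret access key, the session token and
       the connection password are replaced with ``***``; the access key id
       and the connection login are printed unchanged.
       """

       @task
       def print_connection_info():
           """Print the hook's connection config for a Connection supplied via env var."""
           conn = Connection(
               conn_id=AWS_CONN_ID,
               conn_type="aws",
               login="login-aws_access_key_id",
               password="password-aws_secret_access_key",
               extra={
                   "aws_access_key_id": "extra-aws_access_key_id",
                   "aws_secret_access_key": "extra-aws_secret_access_key",
                   "aws_session_token": "extra-aws_session_token",
                   "session_kwargs": {
                       "aws_access_key_id": "session-kw-aws_access_key_id",
                       "aws_secret_access_key": "session-kw-aws_secret_access_key",
                       "aws_session_token": "session-kw-aws_session_token",
                   },
               },
           )
           # The connection URI, credentials included, is placed in this
           # process's environment so the hook can resolve AWS_CONN_ID.
           os.environ[AWS_CONN_ENV_KEY] = conn.get_uri()
           hook = S3Hook(aws_conn_id=AWS_CONN_ID)
           # This case is handled by airflow.models.connection.Connection.
           print(f"Connection Info: {asdict(hook.conn_config)}")
           # Recorded output. 'login' and every 'aws_access_key_id' stay readable;
           # only the password, secret key and session token show as '***':
           # Connection Info: {'region_name': None, 'botocore_config': None, 'verify': None,
           # 'conn_id': 'aws_sample_conn', 'conn_type': 'aws', 'login': 'login-aws_access_key_id',
           # 'password': '***', 'extra_config': {'aws_access_key_id': 'extra-aws_access_key_id',
           # 'aws_secret_access_key': '***', 'aws_session_token': '***', 'session_kwargs':
           # {'aws_access_key_id': 'session-kw-aws_access_key_id', 'aws_secret_access_key': '***',
           # 'aws_session_token': '***'}}, 'aws_access_key_id': 'login-aws_access_key_id',
           # 'aws_secret_access_key': '***', 'aws_session_token': '***', 'profile_name': None,
           # 'endpoint_url': None, 'role_arn': None, 'assume_role_method': None, 'assume_role_kwargs': {}}

       @task
       def print_credentials():
           """Print credentials resolved from the AWS_* environment variables."""
           os.environ["AWS_ACCESS_KEY_ID"] = "env-var-aws_access_key_id"
           os.environ["AWS_SECRET_ACCESS_KEY"] = "env-aws_secret_access_key"
           os.environ["AWS_SESSION_TOKEN"] = "env-var-aws_session_token"
           # Bare connection URI: no login, password or extra is supplied, so
           # the credentials printed below are the AWS_* values set above.
           os.environ[AWS_CONN_ENV_KEY] = "aws://"
           hook = S3Hook(aws_conn_id=AWS_CONN_ID)
           # This case is handled by
           # airflow.providers.amazon.aws.hooks.base_aws.AwsGenericHook.get_credentials
           # NOTE(review): the PR description ties the extra masking to a call of
           # get_credentials(); credentials obtained through another code path are
           # presumably not covered - confirm before relying on it.
           print(f"Credentials: {hook.get_credentials()}")
           # Recorded output (access_key is not masked):
           # Credentials:
           # ReadOnlyCredentials(access_key='env-var-aws_access_key_id', secret_key='***', token='***')

       print_connection_info() >> print_credentials()

   _ = aws_secrets_mask()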
   ```
   
   
   
   cc: @mik-laj  

