Taragolis commented on PR #29142: URL: https://github.com/apache/airflow/pull/29142#issuecomment-1402747883
> Nice catch! IMHO, if we are decoding by default then masking sounds like the right answer to me. I'm not really up to date on best practices when using SecureString though, so I'm happy to defer if someone feels otherwise. Well there is not easy answer as well as best practices. We do not know what users might store into SSM Parameter Store and how they intend to use it. If it credentials the answer straightforward, yes we should, like here: https://github.com/apache/airflow/blob/3b25168c413a8434f8f65efb09aaf949cf7adc3b/airflow/providers/amazon/aws/hooks/base_aws.py#L662-L666 IMHO, In general if you create secure string you do not want to some one who does not have access to KMS keys see value. But we could mask all or nothing, that mean `postgresql+psycopg2://airflow:insecurepassword@postgres/airflow` in logs transform to `***` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
