AWS profiles on the workers - the creds are on the machines, but not exposed. Boto/cli takes these profile names instead of access key/secret for just this kind of use case.

Sent from a device with less than stellar autocorrect

> On Feb 26, 2018, at 1:22 PM, jeeyoung kim <[email protected]> wrote:
>
> Hi everyone,
>
> I’m wondering how people work around accidentally writing credentials on
> bash operator template page / logs.
>
> For example, I may have PostgreSQL operator to copy data into Redshift.
>
>     COPY TABLE_NAME from 's3://.../something.manifest.json'
>     access_key_id '{{ params.AWS_ACCESS_KEY }}'
>     secret_access_key '{{ params.AWS_SECRET_KEY }}'
>
> Or a command that exports from mongo
>
>     mongoexport \
>     --assertExists \
>     -h {{ connection.host }} \
>     {% if connection.login %} -u {{ connection.login }} {% endif %}\
>     {% if connection.get_password() %} -p {{ connection.get_password() }} {% endif %}\
>     -d {{ connection.schema }}
>     ...
>
> However, when this operator is executed (or when the template is rendered
> on the UI), the credentials are written to the log files / clearly visible
> on the UI, which is problematic.
>
> There are many other cases where this can happen, and I’m wondering what is
> a solution for it.
>
> What would be ideal is:
>
> - Prevent credentials from accidentally being shown in “show rendered
>   template” screen.
> - Prevent credentials from being written to the logs.
>
> Thanks.
>
> -Jeeyoung Kim
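
For the second goal in the question (keeping credentials out of the logs), one approach is a logging filter that masks known secret values before any handler writes them. This is an added example, not Airflow code and not from either poster; `SecretRedactingFilter` and `run_demo` are hypothetical names, and the host, login and password are constructed sample values.

```python
import io
import logging
import re


class SecretRedactingFilter(logging.Filter):
    """Replace registered secret values with '***' in every log record."""

    def __init__(self, secrets=()):
        super().__init__()
        self._pattern = None
        self._secrets = set()
        for s in secrets:
            self.add_secret(s)

    def add_secret(self, value):
        # Ignore empty values: an empty alternative would match everywhere.
        if value:
            self._secrets.add(str(value))
            # Longest first so a secret that contains another is masked whole.
            ordered = sorted(self._secrets, key=len, reverse=True)
            self._pattern = re.compile("|".join(re.escape(s) for s in ordered))

    def redact(self, text):
        return self._pattern.sub("***", text) if self._pattern else text

    def filter(self, record):
        # Format first so secrets passed as %-style args are caught too.
        record.msg = self.redact(record.getMessage())
        record.args = None
        return True


def run_demo():
    # Constructed sample values, not real credentials.
    login, password = "etl_user", "s3cr3t-p@ss"
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(SecretRedactingFilter([password]))
    log = logging.getLogger("redaction_demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False
    # A rendered command line like the mongoexport template in the question.
    log.info("Running: mongoexport -h %s -u %s -p %s -d %s",
             "db.example.internal", login, password, "reports")
    log.removeHandler(handler)
    return stream.getvalue()
```

The filter only masks exact values it has been given, so encoded or transformed copies of a secret still pass through, and it does nothing for the rendered-template view in the UI. Keeping the secret out of the template in the first place, as with the profile names suggested in the reply, avoids both exposures.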
