[azure-cli] better default configuration to reduce chances of accidental data leaks #27858

Open
jessehouwing opened this issue Nov 16, 2023 · 1 comment
Labels
Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team Configure az configure/config customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request

Comments

@jessehouwing

Description

The Azure CLI has a tendency to be quite chatty, and this can expose secrets stored in Azure in the logs of CI tools that run it.

See:

There are a number of sensible configuration settings that can be applied to greatly reduce the chance of this happening:

core.only_show_errors=true
core.error_recommendation=off
core.collect_telemetry=false
logging.enable_log_file=false

These can either be set using az config or registered as environment variables. The latter is more secure, as the AzureCLI@2 task in Azure Pipelines ignores the global config by default.

Ideally, azure-cli would detect that it's running on a CI platform, using a package similar to is-ci.

This way command output isn't echoed to the log by default and also not written to disk where it can easily be intercepted.

I've suggested that the actions-runner team apply these settings on the GitHub Actions and Azure Pipelines hosted runners, but they feel it's up to the individual tools to act in a proper manner:

Expected behavior

Azure-cli is configured with sane CI/CD defaults.

There is an extension to Azure CLI called init which provides sane automation defaults.

Actual behavior

Azure-cli is configured in standard interactive mode.

Repro steps

https://www.paloaltonetworks.com/blog/prisma-cloud/secrets-leakage-user-error-azure-cli/
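
The four settings from the issue above, applied as environment variables only when a CI platform is detected, as an added example that is not part of the original issue or of azure-cli. Azure CLI reads config overrides from variables named `AZURE_<SECTION>_<NAME>`; the CI marker variables checked (`CI`, `GITHUB_ACTIONS`, `TF_BUILD`) and all function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not azure-cli code): harden Azure CLI output settings in CI.

# The settings listed in the issue, one "section.name=value" pair per line.
AZ_CI_SETTINGS='core.only_show_errors=true
core.error_recommendation=off
core.collect_telemetry=false
logging.enable_log_file=false'

# Map a config key to its override variable name,
# e.g. core.only_show_errors -> AZURE_CORE_ONLY_SHOW_ERRORS.
az_env_name() {
    printf 'AZURE_%s' "$1" | tr '.' '_' | tr '[:lower:]' '[:upper:]'
}

# Succeed when a CI marker variable is set (assumed heuristic, far smaller
# than what a package like is-ci checks).
is_ci() {
    [ -n "${CI:-}" ] || [ -n "${GITHUB_ACTIONS:-}" ] || [ -n "${TF_BUILD:-}" ]
}

# Export every setting into the current shell so child az processes inherit it.
az_apply_ci_defaults() {
    for pair in $AZ_CI_SETTINGS; do
        export "$(az_env_name "${pair%%=*}")=${pair#*=}"
    done
}

# Print one line per setting whose variable is unset or has another value;
# empty output means the environment matches the list above.
az_audit_ci_defaults() {
    for pair in $AZ_CI_SETTINGS; do
        name=$(az_env_name "${pair%%=*}")
        eval "actual=\${$name:-}"
        [ "$actual" = "${pair#*=}" ] ||
            printf '%s: want %s, have %s\n' "$name" "${pair#*=}" "${actual:-<unset>}"
    done
}

# Apply automatically when sourced or run inside a detected CI job.
if is_ci; then
    az_apply_ci_defaults
fi
```

Source the file at the start of a job step so the exports reach later `az` calls in the same shell; `az_audit_ci_defaults` can then run as a gate before any command that touches secrets.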

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Configure az configure/config labels Nov 16, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 16, 2023
@yonzhan
Collaborator

yonzhan commented Nov 16, 2023

Thank you for opening this issue, we will look into it.

@yonzhan yonzhan added this to the Backlog milestone Nov 16, 2023
@yonzhan yonzhan added feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 16, 2023