
Packer logs contain adminPassword in plain text #358

Closed
jerryc3 opened this issue Jan 11, 2024 · 3 comments · Fixed by #365


jerryc3 commented Jan 11, 2024

When filing a bug, please include the following headings if possible. Any example text in this template can be deleted.

Overview of the Issue

The AzureImageBuilder team got a customer complaint that Packer logs contain the VM adminPassword in plain text. Can Packer redact this password from the logs?

Reproduction Steps

Steps to reproduce this issue

Plugin and Packer version

From packer version

Simplified Packer Buildfile

If the file is longer than a few dozen lines, please include the URL to the gist of the log or use the Github detailed format instead of posting it directly in the issue.

Operating system and Environment details

OS, Architecture, and any other information you can provide about the environment.

Log Fragments and crash.log files

What the customer saw:

Azure request method="POST" request="https://management.azure.com/subscriptions/96ff5940-d6af-45ee-ae2b-3451cc65a2b5/resourceGroups/IT_myrg_testImageTemplate1_e73c9f6f-0025-435f-be0f-d0553984fc17/providers/Microsoft.Resources/deployments/pkrdp3b3qlyzo8a/validate?[REDACTED]" body="{"properties":{"mode":"Incremental","parameters":{"adminPassword":{"value":"[HIDDEN MANUALLY]"},

Azure request method="PUT" request="https://management.azure.com/subscriptions/96ff5940-d6af-45ee-ae2b-3451cc65a2b5/resourceGroups/IT_myrg_testImageTemplate1_e73c9f6f-0025-435f-be0f-d0553984fc17/providers/Microsoft.Resources/deployments/pkrdp3b3qlyzo8a?[REDACTED]" body="{"properties":{"mode":"Incremental","parameters":{"adminPassword":{"value":"[HIDDEN MANUALLY]"}

lbajolet-hashicorp (Contributor) commented:

Hi @jerryc3,

Thanks for bringing this to our attention.

I've opened PR #365 for the plugin, which addresses your concern.
I've run an acceptance test to check if it worked, and sure thing, the admin password is now replaced by a <sensitive> in the logs of the plugin.

Example:

2024/01/23 18:17:58 packer-plugin-azure plugin: 2024/01/23 18:17:58 Azure request method="PUT" request="https://management.azure.com/subscriptions/<subscription>/resourceGroups/pkr-Resource-Group-ib7oqphi7s/providers/Microsoft.Resources/deployments/<deployment>?api-version=2022-09-01" body="{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"adminPassword\":{\"value\":\"<sensitive>\"},\

Please note however that the admin password shown in the logs here is generated by Packer, and is temporary as the account gets wiped after the build is done, so this is not critical, but still it's better hidden as such.

feiyushi (Contributor) commented Jan 23, 2024

Thank you for addressing the issue!
We have another secret in a similar place that needs redaction. Can you make a test to see if this is also redacted?
It's keyVaultSecretValue when deploying kv for Windows VMs.

2023/11/06 22:24:07 packer-plugin-azure plugin: 2023/11/06 22:24:07 Azure request method="PUT" request="https://management.azure.com/subscriptions/subid/resourceGroups/rg/providers/Microsoft.Resources/deployments/kvpkrdp5rcr1agpja?[REDACTED]" body="{"properties":{"mode":"Incremental","parameters":{"keyVaultName":{"value":"pkrkv5rcr1agpja"},"keyVaultSKU":{"value":"standard"},"keyVaultSecretValue":{"value":**"secret value**......

lbajolet-hashicorp (Contributor) commented Jan 30, 2024

Hi @feiyushi,

Thanks for the heads-up. Indeed, this one was not filtered out of the logs; I've added this to the list of redacted outputs.
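One way the redaction discussed in this thread can be implemented, as an added Go example that is not the plugin's own code from PR #365: it walks the ARM deployment request body and replaces the value of each listed parameter (adminPassword and keyVaultSecretValue, the two names raised above) with the <sensitive> marker before the body is logged. The function name, the parameter list variable and the sample body are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Deployment parameter names whose values must never reach the logs; both
// names are the ones raised in this thread (assumed list, not the plugin's).
var redactedParameters = []string{"adminPassword", "keyVaultSecretValue"}

const redactedMarker = "<sensitive>"

// RedactDeploymentBody takes the JSON body of an ARM deployment request
// (PUT or POST to .../Microsoft.Resources/deployments/...) and replaces the
// "value" of each listed parameter with <sensitive> before the body is logged.
// Unlisted parameters are left intact. A body that does not parse is replaced
// wholesale, because a log filter must fail closed rather than emit raw input.
func RedactDeploymentBody(body string) string {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(body), &doc); err != nil {
		return redactedMarker
	}
	props, _ := doc["properties"].(map[string]interface{})
	params, _ := props["parameters"].(map[string]interface{})
	for _, name := range redactedParameters {
		if p, ok := params[name].(map[string]interface{}); ok {
			if _, has := p["value"]; has {
				p["value"] = redactedMarker
			}
		}
	}
	// Encode without HTML escaping so the marker stays "<sensitive>" rather
	// than "\u003csensitive\u003e" in the log line.
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(doc); err != nil {
		return redactedMarker
	}
	return strings.TrimRight(buf.String(), "\n")
}

func main() {
	// Constructed sample body mirroring the request shape quoted in the issue.
	body := `{"properties":{"mode":"Incremental","parameters":{"adminPassword":{"value":"P@ss-constructed"},"keyVaultSecretValue":{"value":"kv-secret-constructed"}}}}`
	fmt.Printf("Azure request method=\"PUT\" body=%q\n", RedactDeploymentBody(body))
}
```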
