custom-resources: Provider logs Data from response with NoEcho: true #30275
Labels
@aws-cdk/custom-resources
Related to AWS CDK Custom Resources
effort/medium
Medium work item – several days of effort
feature-request
A feature should be added or improved.
p1
Describe the bug
When using a Provider to create a custom resource, the request and response objects are logged by the provider function. There is no apparent way to prevent or redact this logging, resulting in secrets being logged if returned in the custom resource's Data object. By extension, if secret values are passed in the resource's ResourceProperties they will be logged as well.
Expected Behavior
When the custom resource response has
NoEcho: true
, the log output from the Provider function should redact the values from the Data object.Current Behavior
The provider function logged the full Data payload
Reproduction Steps
Deploy this stack and you can see the following log:
Possible Solution
Add logic to the provider handler code to redact the Data object if NoEcho = true
Add properties to the Provider construct to redact some/all of the ResourceProperties from the provider logs.
Additional Information/Context
No response
CDK CLI Version
2.133.0 (build dcc1e75)
Framework Version
2.133.0
Node.js Version
20
OS
Ubuntu
Language
TypeScript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: