Makefile stores S3 bucket name in plaintext! #98

Closed
znmeb opened this issue Feb 11, 2018 · 6 comments

Comments

@znmeb

znmeb commented Feb 11, 2018

How to reproduce:

  1. cookiecutter https://github.com/drivendata/cookiecutter-data-science
  2. Give it your bucket name
  3. Look at line 8 of the Makefile - there's your bucket name in plaintext.

:-( 👎

@pjbull
Collaborator

pjbull commented Feb 11, 2018

Two follow-ups:

  • Do you have a suggested fix?
  • I'm not under the impression the AWS S3 bucket names are generally treated as secrets. Could you point to a resource that provides that advice?

@znmeb
Author

znmeb commented Feb 11, 2018

Simple fix - define environment variables BUCKET and PROFILE
A private bucket is supposed to be private including the name. Sure, there are plenty of other authentication barriers keeping someone from using the name, but it's not something I want public.

@pjbull
Collaborator

pjbull commented Feb 11, 2018

Not yet convinced the risk outweighs the benefit.

Creating environment variables means that bucket name is not templatized and needs another channel for communicating it to collaborators. Would reconsider if there are AWS docs suggesting bucket names should be kept private, but my initial search does not turn up anything.

In the meantime, happy to accept a PR that explains in the documentation that the bucket name is stored in plaintext and if you want to avoid that you should skip that field at setup time.

Also happy to accept a PR that probes an AWS_S3_BUCKET_NAME env variable if field is not set as part of the cookiecutter process.
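
The fallback described in the comment above (use the value filled in at cookiecutter time, otherwise read `AWS_S3_BUCKET_NAME`), written as an added shell example that is not part of the thread or the project's Makefile. The helper names `resolve_bucket` and `s3_data_uri`, the `data/` prefix and the sample bucket name are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. AWS_S3_BUCKET_NAME is the variable
# named in the thread; resolve_bucket and s3_data_uri are hypothetical helpers.

# resolve_bucket TEMPLATED_VALUE
# Prints the bucket to use: the templated value when it is non-empty,
# otherwise $AWS_S3_BUCKET_NAME. Returns 1 when neither is usable, so a
# sync step stops instead of running against "s3:///data/".
resolve_bucket() {
    bucket="$1"
    if [ -z "$bucket" ]; then
        bucket="${AWS_S3_BUCKET_NAME:-}"
    fi
    if [ -z "$bucket" ]; then
        echo "no bucket: set AWS_S3_BUCKET_NAME or fill the field at setup" >&2
        return 1
    fi
    # Partial sanity check: S3 bucket names are 3-63 characters of lowercase
    # letters, digits, dots and hyphens. Characters are listed explicitly so
    # the match does not depend on the locale's collation of a-z.
    case "$bucket" in
        *[!abcdefghijklmnopqrstuvwxyz0123456789.-]*)
            echo "invalid character in bucket name" >&2
            return 1 ;;
    esac
    len=${#bucket}
    if [ "$len" -lt 3 ] || [ "$len" -gt 63 ]; then
        echo "bucket name must be 3-63 characters" >&2
        return 1
    fi
    printf '%s\n' "$bucket"
}

# s3_data_uri TEMPLATED_VALUE
# Builds the sync destination, failing when no valid bucket is available.
s3_data_uri() {
    b=$(resolve_bucket "$1") || return 1
    printf 's3://%s/data/\n' "$b"
}

# Constructed sample value, standing in for a name given at setup time.
s3_data_uri "constructed-example-bucket"
```

With the field left blank at setup, the name comes only from the environment of whoever runs the sync, which is the trade-off raised in the comment: collaborators then need another channel to learn it.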

@znmeb
Author

znmeb commented Feb 11, 2018

I can probably do that - I'm working on Docker integration at the moment. Once I know how make works on Windows with all the possible command lines there are I can tackle this.

@pjbull
Collaborator

pjbull commented Feb 11, 2018

Thanks!

@isms
Collaborator

isms commented Feb 13, 2018

Just to weigh in on this - I'm not convinced that bucket names are secrets for most projects, and where they are it should be a quick fix. Happy to be pointed to any discussion of this topic though.

isms closed this as completed Mar 15, 2018