Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add secret access key and secret key length check #30

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

add secret access key and secret key length check #30

wants to merge 4 commits into from

Conversation

kheina
Copy link
Contributor

@kheina kheina commented Jul 6, 2023
edited
Loading

validates that secrets.access_key_id is always between 16 and 128 characters long and matches the \w+ pattern per https://docs.aws.amazon.com/IAM/latest/APIReference/API_AccessKey.html
validates that secrets.secret_access_key is always 40 characters long

ddebko
ddebko requested changes Dec 27, 2023
View reviewed changes
Copy link
Contributor

@ddebko ddebko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a strong need or use case for the validation checks on the access and secret key?

internal/credential/attributes.go
@@ -34,12 +37,18 @@ func GetCredentialsConfig(in *structpb.Struct, region string) (*awsutil.Credenti
accessKey, err := values.GetStringValue(in, ConstAccessKeyId, true)
if err != nil {
badFields[fmt.Sprintf("secrets.%s", ConstAccessKeyId)] = err.Error()
} else if len(accessKey) < 16 || len(accessKey) > 128 {
badFields[fmt.Sprintf("secrets.%s", ConstAccessKeyId)] = "value must be between 16 and 128 characters"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if we should enforce any strict checks on the given values of the access or secret key. I think it would be safer for AWS to return an error to the plugin and the plugin could bubble up the error to the user.

The reason why I think it would be safer to bubble up an error like this from AWS is because the user would be able to search AWS documentation by matching the error message. Otherwise the user could get stuck with our unique error message that may not be helpful with searching AWS documentation.

Also, AWS can change their behavior and this check becomes invalid, which would enable an edge case bug in the plugin that we would then need to patch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ddebko ddebko ddebko requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kheina @ddebko