Skip to content

Decrypt SecureString value obtained by SsmHook #29142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
eladkal merged 2 commits into from
Feb 2, 2023
Merged

Decrypt SecureString value obtained by SsmHook #29142

eladkal merged 2 commits into from
Feb 2, 2023

Conversation

@Taragolis
Copy link
Contributor

@Taragolis Taragolis commented Jan 24, 2023

Right now if we try to get SecureString by SsmHook.get_parameter_value then we get encrypted value, which is useless for further usage without decryption.

from airflow.providers.amazon.aws.hooks.ssm import SsmHook

hook = SsmHook(aws_conn_id=None, region_name="eu-west-1")
print(hook.get_parameter_value("/airflow/config/boom"))

Without this changes

AQICAHiA4cbp5//uho/.../Mlb3cleB4/7XXjkh

After this changes

postgresql+psycopg2://airflow:insecurepassword@postgres/airflow

WDYT, should we also mask value if value has type SecureString?

@Taragolis Taragolis requested a review from ferruzzi January 24, 2023 21:31
@boring-cyborg boring-cyborg bot added area:providers provider:amazon AWS/Amazon - related issues labels Jan 24, 2023
ferruzzi
ferruzzi approved these changes Jan 24, 2023
View reviewed changes
Copy link
Contributor

@ferruzzi ferruzzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch! IMHO, if we are decoding by default then masking sounds like the right answer to me. I'm not really up to date on best practices when using SecureString though, so I'm happy to defer if someone feels otherwise.

@Taragolis
Copy link
Contributor Author

Taragolis commented Jan 24, 2023

Nice catch! IMHO, if we are decoding by default then masking sounds like the right answer to me. I'm not really up to date on best practices when using SecureString though, so I'm happy to defer if someone feels otherwise.

Well there is not easy answer as well as best practices. We do not know what users might store into SSM Parameter Store and how they intend to use it.

If it credentials the answer straightforward, yes we should, like here:

airflow/airflow/providers/amazon/aws/hooks/base_aws.py

Lines 662 to 666 in 3b25168

creds = self.get_session(region_name=region_name).get_credentials().get_frozen_credentials()
mask_secret(creds.secret_key)
if creds.token:
mask_secret(creds.token)
return creds

IMHO, In general if you create secure string you do not want to some one who does not have access to KMS keys see value.
But we could mask all or nothing, that mean postgresql+psycopg2://airflow:insecurepassword@postgres/airflow in logs transform to ***

@ferruzzi
Copy link
Contributor

ferruzzi commented Jan 24, 2023

Nice catch! IMHO, if we are decoding by default then masking sounds like the right answer to me. I'm not really up to date on best practices when using SecureString though, so I'm happy to defer if someone feels otherwise.

Well there is not easy answer as well as best practices. We do not know what users might store into SSM Parameter Store and how they intend to use it.

If it credentials the answer straightforward, yes we should, like here:

airflow/airflow/providers/amazon/aws/hooks/base_aws.py

Lines 662 to 666 in 3b25168

creds = self.get_session(region_name=region_name).get_credentials().get_frozen_credentials()
mask_secret(creds.secret_key)
if creds.token:
mask_secret(creds.token)
return creds

IMHO, In general if you create secure string you do not want to some one who does not have access to KMS keys see value. But we could mask all or nothing, that mean postgresql+psycopg2://airflow:insecurepassword@postgres/airflow in logs transform to ***

It would be ideal if only the password got masked, but I think if a user is setting the parameter as a secure string, it would be better to assume more security than less.

@Taragolis
Copy link
Contributor Author

Taragolis commented Jan 24, 2023

Since we cant be sure where it password and where it is not than better mask all.
I will ad it tomorrow.

ferruzzi
ferruzzi approved these changes Jan 25, 2023
View reviewed changes
Copy link
Contributor

@ferruzzi ferruzzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, thanks for adding the masking.

@Taragolis
Copy link
Contributor Author

Taragolis commented Feb 2, 2023

@o-nikolas if you have a time could you also have a look (you have a binding approval power) and maybe we could merge it

eladkal
eladkal approved these changes Feb 2, 2023
View reviewed changes
Copy link
Contributor

@eladkal eladkal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@eladkal eladkal merged commit cb0c90b into apache:main Feb 2, 2023
@eladkal eladkal mentioned this pull request Feb 8, 2023
Closed
58 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ferruzzi ferruzzi ferruzzi approved these changes

@eladkal eladkal eladkal approved these changes

@vincbeck vincbeck vincbeck approved these changes

@o-nikolas o-nikolas Awaiting requested review from o-nikolas

Assignees

No one assigned

Labels

area:providers provider:amazon AWS/Amazon - related issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Taragolis @ferruzzi @eladkal @vincbeck