Description
S3 credentials used to create a Secondary Storage instance are leaked to the following files:
- /var/log/cloudstack/management/access.log
- /var/log/cloudstack/management/management-server.log
Although the debug mode is enabled, I don't recommend logging secrets like S3 credentials.
Example entry containing the S3 credentials (sensitive information is redacted):
```
2025-02-06 15:50:37,093 DEBUG [o.a.c.s.r.NfsSecondaryStorageResource] (pool-15-thread-1:[ctx-5601ecaa]) (logid:e97c1c85) Executing command "DownloadCommand" [
{
"hvm": false,
"description": "SystemVM Template (KVM)",
"checksum": "6bb8edf3c062ed5625a3a8f17b3eedc9",
"maxDownloadSizeInBytes": 53687091200,
"id": 3,
"resourceType": "TEMPLATE",
"installPath": "template/tmpl/1/3/routing-3",
"_store": {
"id": 2,
"uuid": "0f1bd354-0dc3-4e65-a370-6b02acec0735",
"accessKey": "<redacted>",
"secretKey": "<redacted>",
"endPoint": "http://<redacted>",
"bucketName": "cloudstack",
"httpsFlag": false,
"created": "Feb 6, 2025, 3:50:27 PM",
"enableRRS": false,
"maxSingleUploadSizeInBytes": 5368709120
},
"followRedirects": false,
"url": "https://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.0-x86_64-kvm.qcow2.bz2",
"format": "QCOW2",
"accountId": 1,
"name": "routing-3",
"contextMap": {},
"wait": 0,
"bypassHostMaintenance": false
}
]
```
Versions
CloudStack: 4.20.0.0
Hypervisor: KVM
Secondary Storage: Ceph RGW S3
Distro: Ubuntu 22.04 LTS
The steps to reproduce the bug
- Deploy CloudStack Management server version 4.20.0.0
- Create a Secondary Storage using S3 credentials (accessKey and secretKey)
- Grep the log file directory for the secret key:
```
grep <secretKey> -R /var/log/cloudstack/management/{access,management-server}.log
```
What to do about it?
Redact at least the secretKey from the log entry.
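As an added example (not code from this report or from CloudStack itself), the following Python script does what the grep step and the proposed fix describe: it detects `accessKey`/`secretKey` values in a line shaped like the management-server DEBUG entry above and masks them, and it shows the structural equivalent of the fix, masking those keys in the command object before it is serialised into the log message. The sample log line, its endpoint and its credential values are constructed placeholders, not real data.

```python
import re

# Constructed sample line: same shape as the CloudStack DEBUG entry in the
# report, with made-up placeholder credentials and endpoint (not real values).
SAMPLE_LINE = (
    '2025-02-06 15:50:37,093 DEBUG [o.a.c.s.r.NfsSecondaryStorageResource] '
    '(pool-15-thread-1:[ctx-5601ecaa]) (logid:e97c1c85) Executing command '
    '"DownloadCommand" [ { "id": 3, "_store": { "id": 2, '
    '"accessKey": "EXAMPLEACCESSKEY0000", '
    '"secretKey": "ExampleSecretKeyNotReal/0000000000000000", '
    '"endPoint": "http://rgw.example.invalid", "bucketName": "cloudstack" }, '
    '"name": "routing-3" } ]'
)

# JSON keys whose values must never reach a log file (assumed list; extend as needed).
SENSITIVE_KEYS = ("secretKey", "accessKey")

# One regex per key, matching  "key": "value"  and capturing the value as group 2.
_PATTERNS = {
    key: re.compile(r'("%s"\s*:\s*")([^"]*)(")' % re.escape(key))
    for key in SENSITIVE_KEYS
}


def find_leaks(line: str) -> dict:
    """Return {key: value} for every sensitive key whose plaintext value is in the line."""
    leaks = {}
    for key, pat in _PATTERNS.items():
        m = pat.search(line)
        if m and m.group(2) and m.group(2) != "<redacted>":
            leaks[key] = m.group(2)
    return leaks


def redact(line: str) -> str:
    """Mask the value of every sensitive key in an already-formatted log line."""
    for pat in _PATTERNS.values():
        line = pat.sub(r"\g<1><redacted>\g<3>", line)
    return line


def scan_log(lines):
    """Yield (line_number, sorted key names) for each line that still carries a secret."""
    for n, line in enumerate(lines, 1):
        leaks = find_leaks(line)
        if leaks:
            yield n, sorted(leaks)


def redact_obj(obj):
    """Recursively mask sensitive keys in a dict/list structure before serialising it.

    This is the shape of the actual fix: sanitise the command object, then log it,
    rather than grepping secrets out of the log afterwards.
    """
    if isinstance(obj, dict):
        return {
            k: ("<redacted>" if k in SENSITIVE_KEYS else redact_obj(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_obj(v) for v in obj]
    return obj


if __name__ == "__main__":
    for lineno, keys in scan_log([SAMPLE_LINE]):
        print(f"line {lineno}: leaked {', '.join(keys)}")
    print(redact(SAMPLE_LINE))
```

`scan_log` is the detection side (run it over an existing log to confirm whether secrets were written); `redact_obj` is the mitigation side, applied to the command before it is turned into a log message so the secret never reaches disk. Post-hoc redaction of lines with `redact` is a stopgap only: once the value has been written, the file and any log shipping pipeline already hold it, so the credentials should be treated as exposed and rotated.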