Remove `access_token` from logs

[djahandarie]

Currently, if you enable GOOGLE_SDK_NODE_LOGGING to get extra logging, both the instance request and the instance metadata are logged.

Unfortunately, the latter includes an access_token in it, which is rather dangerous to log.

I can imagine two solutions:

• Remove the access_token from the log, and maybe introduce another env var like INCLUDE_ACCESS_TOKEN_IN_LOG if someone really wants it
• Split the logger into two subloggers (request/response?) which would allow the user to configure which one they want with GOOGLE_SDK_NODE_LOGGING https://github.com/googleapis/gax-nodejs/tree/main/logging-utils#logging

[sofisl]

@feywind I think this is something customizable? What is the correct logging for sensitive-level information?

[feywind]

Yeah, the design for this is to include absolutely everything, which ends up including some sensitive data too. :| It's not configurable outside of just not including the problematic piece in the output (e.g. auth). Let's see if @dazuma has thoughts here.