Describe the bug
When a credential provider is used, the CDK CLI prints the credentials received from the plugin in the console output.
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
CDK CLI should not print credentials in the output to avoid security risks.
Current Behavior
The output includes sensitive information, such as accessKeyId, secretAccessKey, and sessionToken, as shown below:
{
accessKeyId: 'ASIAXXXXXXXXXXXXXXXXX',
secretAccessKey: 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY',
sessionToken: 'ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ',
expiration: 2025-02-11T17:27:31.000Z,
'$source': { CREDENTIALS_SSO: 's', CREDENTIALS_PROFILE_SSO: 'r' }
} 1739276852684
Reproduction Steps
- Configure a credential provider in AWS CDK.
- Run a CDK command that triggers credential fetching (e.g.,
cdk diff).
- Observe that the credentials are printed in the console output.
Possible Solution
Remove this line:
|
info(format(current), Date.now()); |
Additional Information/Context
No response
CDK CLI Version
2.178.1
Framework Version
No response
Node.js Version
22.11.0
OS
Ubuntu 24.04
Language
TypeScript
Language Version
5.7.3
Other information
No response
Describe the bug
When a credential provider is used, the CDK CLI prints the credentials received from the plugin in the console output.
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
CDK CLI should not print credentials in the output to avoid security risks.
Current Behavior
The output includes sensitive information, such as
accessKeyId,secretAccessKey, andsessionToken, as shown below:Reproduction Steps
cdk diff).Possible Solution
Remove this line:
aws-cdk/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
Line 154 in c400e0e
Additional Information/Context
No response
CDK CLI Version
2.178.1
Framework Version
No response
Node.js Version
22.11.0
OS
Ubuntu 24.04
Language
TypeScript
Language Version
5.7.3
Other information
No response