The two lines of bash code below pull a secret into a cloud-init script for an Azure VM running RHEL8. But each of the two lines has an unintended side effect of printing the secret into the cloud-init logs for the entire world to see.

What specifically must be changed in the two lines below in order to prevent them from printing out the secret into the logs?

# Fetch the secret from Key Vault; with the default JSON output, --query "value" yields the value wrapped in double quotes
myVar=$(az keyvault secret show --name "mySecretsFile" --vault-name "$VAULT_NAME" --query "value")
# Decode the base64 payload into the key file; --ignore-garbage makes GNU base64 skip the surrounding quotes
echo "$myVar" | base64 --decode --ignore-garbage >>/home/username/somefoldername/keys.yaml

The logs for the two lines above look like the following, except that here we have redacted the actual secret for the public forum. In the actual logs, the secret is printed twice:

+ myVar='"really-long-alpha-numeric-secret-redacted-for-stack-exchange"'
+ echo '"really-long-alpha-numeric-secret-redacted-for-stack-exchange"'

This might be a simple bash question about how to suppress printing of certain types of things in logs.

jonrsharpe
CodeMed
  • Could it be [the configuration of the `az` cli](https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration)? – schrodingerscatcuriosity Sep 30 '22 at 01:27
  • @schrodingerscatcuriosity perhaps the first line, but the second line doesn't invoke `az`. – Sotto Voce Sep 30 '22 at 01:41
  • Are you using `set -x` in the script? – muru Sep 30 '22 at 02:13
  • @muru No, the script does not use `set -x` – CodeMed Sep 30 '22 at 02:26
  • What do these log lines look like? (Aside: this is hardly easy to reproduce - you'd at least need an Azure account and configure a keyvault or whatever, and possibly set up a RHEL8 instance with a cloud-init script if this behaviour only happens in the cloud-init script and not, say, if you ran these commands in the terminal directly.) – muru Sep 30 '22 at 02:39
  • @muru I just added the 2 log lines to the end of the OP. This might just be a bash question. Does this help? – CodeMed Sep 30 '22 at 03:01
  • That log definitely looks like what you'd see if you had `set -x` (or, equivalently, the shebang said `#! /bin/bash -x`, etc.). – muru Sep 30 '22 at 03:03
  • @muru packer might have `set -x` as a default wrapped around this cloud-init script. Is there a command I could add within the script to inhibit this behavior? I can run the automation any time with small changes. It takes perhaps 15 minutes to run the automation in which this happens. – CodeMed Sep 30 '22 at 03:08
  • @CodeMed `set +x` – Sotto Voce Sep 30 '22 at 04:31
  • @CodeMed `set +o` can provide the values of the options before your script disabled tracing with `set +x`, so your script can restore the option values afterward. I would suggest you have the Packer scripts not use `-x` because it's not helpful after the scripts have been debugged, and as you've seen, it's harmful via the exposure of sensitive data the scripts need to handle. – Sotto Voce Sep 30 '22 at 04:45
  • Can you give more details on the cloud-init setup? Are you passing this script as userdata to the instance? Can you provide a pastebin (with sensitive data redacted of course) of your userdata? Which log(s) specifically contain these messages? – falcojr Sep 30 '22 at 13:53

1 Answer

The quickest and easiest solution would probably be to use `set +x` to disable the shell tracing option that seems to have been set in a parent script.

Ultimately a better solution is to remove the `set -x` in the parent script. After these scripts are tested and debugged, tracing options like `set -x` are not helpful anymore, and, as this example shows, can even be harmful by unexpectedly exposing sensitive credentials or other data.

I have written scripts invoked from userdata on cloud servers, and parent/child scripts that were run under cloud-init. My scripts had a line near the top to enable tracing, but the versions checked into the source code repo always had the line commented out: `#set -x`

It was available to uncomment for on-the-spot troubleshooting, but never by default.

Sotto Voce