Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Redact ECR layer URLs from container pull errors #3885

Merged
merged 2 commits into from
Sep 5, 2023
Merged

Redact ECR layer URLs from container pull errors #3885

merged 2 commits into from
Sep 5, 2023

Conversation

prateekchaudhry
Copy link
Contributor

@prateekchaudhry prateekchaudhry commented Sep 1, 2023
edited
Loading

Summary

Redact error messages with URLs containing references to string starport-layer-bucket (ECR buckets). ECR buckets named as prod-region-starport-layer-bucket are used to fetch image layers from.

This redaction is done because container runtime's request may sometimes contain security tokens when accessing ECR buckets for pulling layers. When these requests error out, the URLs with secrets may get bubbled up to Agent logs and ECS logs through Reason field in Submit Task State Change calls. So we redact the otherwise hidden URLs for security.

Implementation details

Replace regex \"?https[^\s]+starport-layer-bucket[^\s]+ with a string message containing image reference

Testing

  • Unit tests are added and verified with
  • Manually verified this doesn't affect some common Container Pull error messages like
DockerGoClient: failed to pull image <acc id>.dkr.ecr.us-west-2.amazonaws.com/benchmark-app:latest: [CannotPullContainerError] Error response from daemon: pull access denied for <acc id>.dkr.ecr.us-west-2.amazonaws.com/benchmark-app, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::<acc id>:assumed-role/ecsInstanceRole/<inst id> is not authorized to perform....

New tests cover the changes:
Yes

Description for the changelog

Redact ECR layer URLs from container pull errors

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@prateekchaudhry prateekchaudhry requested a review from a team as a code owner September 1, 2023 16:32
@prateekchaudhry prateekchaudhry force-pushed the starportRedact branch 2 times, most recently from 154de97 to 7624c56 Compare September 1, 2023 19:37
@prateekchaudhry prateekchaudhry changed the title [WIP] Redact ECR layer URLs from container pull errors Redact ECR layer URLs from container pull errors Sep 1, 2023
fierlion
fierlion requested changes Sep 1, 2023
View reviewed changes
agent/dockerclient/dockerapi/errors.go
if err == nil {
return nil
}
urlRegex := regexp.MustCompile(`\"?https[^\s]+starport-layer-bucket[^\s]+`)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we're being very prescriptive in this redact function (ie this applies only to ECR). This is fine for now. I can see this being applicable to more cases in future.

Also nit maybe we call this not str, but image so it's clear that the error returns the image in place of the redacted URL?

Copy link
Contributor

@mythri-garaga mythri-garaga Sep 1, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

synced up offline with @prateekchaudhry, for now we are restricting redacting only ECR's URLs containing starport-layer-bucket bucket name and cannot make this regex expression more generic as there is no evidence of other URLs containing security token and might need them for debugging purpose.

Copy link
Contributor Author

@prateekchaudhry prateekchaudhry Sep 1, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is right, being prescriptive is the intention - we can make it more generic if we have to in future.

Ack, I'll replace str with overrideStr to keep the function usage generic and more clear, if that is fine.

@prateekchaudhry prateekchaudhry merged commit fb2a006 into aws:dev Sep 5, 2023
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mythri-garaga mythri-garaga mythri-garaga approved these changes

@fierlion fierlion fierlion approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@prateekchaudhry @fierlion @mythri-garaga @amazon-ecs-bot