Elastic Agents plugin (?) decrypts AWS keys in config


Reza Etezal

Feb 10, 2022, 1:54:22 AM
to go-cd
We are using GoCD v21.3.0 and Elastic Agent plugin v7.0.0-4.

We noticed that the AWS keys were being kept in plaintext in the UI on the Elastic Agents plugin page some of the time. Sometimes the values were asterisks, but sometimes they were plaintext.

As an audit mechanism, we push /var/lib/go-server/db/config.git to our git repo, and I noticed that "anonymous" was in fact decrypting the AWS keys and keeping them as plaintext in the cruise-config.xml file. We have deleted the sensitive information from git and have stopped pushing the config.

I'm not sure if the plugin, or the application itself is doing this, but it seems like a very bad thing to do. 

/var/lib/go-server/db/config.git $ git log -2
commit b59ce12641c95f0a1115d4a41d05e15c55ea2a69 (HEAD -> master, origin/master)
Author: anonymous <sup...@thoughtworks.com>
Date:   Thu Feb 10 03:04:46 2022 +0000

    user:anonymous|timestamp:1644462286044|schema_version:139|go_edition:OpenSource|go_version:21.3.0 (13067-4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595)|md5:bfdb1c2b01e1d12160157a43f0084a09

commit 2e062be833ae1c773eea3284d8129470e1ee9c5d
Author: Upgrade <sup...@thoughtworks.com>
Date:   Thu Feb 10 03:04:43 2022 +0000

    user:Upgrade|timestamp:1644462283228|schema_version:139|go_edition:OpenSource|go_version:21.3.0 (13067-4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595)|md5:d8157d571d3c607034b98177681bdd9b
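
A check that can run before a config repository like the one described above is pushed anywhere, as an added example that is not part of the original post or of GoCD: it parses a cruise-config.xml and reports properties whose secret is stored in a `<value>` element instead of `<encryptedValue>`. The cluster-profile layout, the property key names and the secret-name heuristic are assumptions, and the sample config is constructed.

```python
import re
import xml.etree.ElementTree as ET

# AWS access key IDs: 4-letter prefix (AKIA long-term, ASIA temporary) + 16 chars.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Assumed naming heuristic for property keys that should never be plaintext.
SECRET_KEY_NAME = re.compile(r"secret|password|token|access_key", re.I)


def find_plaintext_secrets(config_xml):
    """Return (key, reason) for each <property> holding a secret in <value>."""
    findings = []
    for prop in ET.fromstring(config_xml).iter("property"):
        key = (prop.findtext("key") or "").strip()
        value = prop.findtext("value")
        if value is None or not value.strip():
            continue  # stored as <encryptedValue>, or empty
        if AWS_KEY_ID.search(value):
            findings.append((key, "value looks like an AWS access key ID"))
        elif SECRET_KEY_NAME.search(key):
            findings.append((key, "secret-named key stored in <value>"))
    return findings


# Constructed sample; element and key names are assumed, values are fake
# (the key ID is the placeholder used in AWS documentation).
SAMPLE = """<cruise>
  <elastic>
    <clusterProfiles>
      <clusterProfile id="example" pluginId="example.plugin">
        <property><key>region</key><value>us-east-1</value></property>
        <property><key>aws_access_key_id</key><value>AKIAIOSFODNN7EXAMPLE</value></property>
        <property><key>aws_secret_access_key</key><value>constructed-not-a-real-secret</value></property>
        <property><key>api_token</key><encryptedValue>AES:constructed:constructed</encryptedValue></property>
      </clusterProfile>
    </clusterProfiles>
  </elastic>
</cruise>"""

if __name__ == "__main__":
    for key, reason in find_plaintext_secrets(SAMPLE):
        print(f"{key}: {reason}")  # report the key name only, never the value
```

Running it over each revision in the config repository's history shows which commits introduced a plaintext value, which helps scope key rotation.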



Chad Wilson

Feb 13, 2022, 1:46:31 AM
to go...@googlegroups.com
Hi Reza

Thanks for reporting. No, I don't think this is intentional.

Not sure if this is due to the plugin or elastic agent cluster profiles in general at this stage, but I will contact you off-list to get a bit more information, as I need a bit more help tracking the trigger(s) down at this stage, since it doesn't seem to be happening entirely deterministically.

-Chad
