
DXE-4201 akamai_cloudaccess_key should handle cloud_secret_access_key as sensitive value #580

Open
rolmo opened this issue Sep 16, 2024 · 2 comments

Comments

@rolmo

rolmo commented Sep 16, 2024

Hi there,

akamai_cloudaccess_key should handle cloud_secret_access_key as sensitive value

Terraform and Akamai Terraform Provider Versions

  • Terraform: v1.9.5
  • Akamai provider: 6.4

Affected Resource(s)

  • akamai_cloudaccess_key

Terraform Configuration Files

resource "akamai_cloudaccess_key" "test" {
  access_key_name       = "test"
  authentication_method = "AWS4_HMAC_SHA256"
  group_id              = 12345
  contract_id           = "G-XXXXX"
  network_configuration = {
    security_network = "STANDARD_TLS"
  }
  credentials_a = {
    cloud_access_key_id     = var.access_key_id
    cloud_secret_access_key = var.secret_access_key
    primary_key             = false
  }
}

Debug Output

A terraform apply shows this output:

# akamai_cloudaccess_key.test will be created
+ resource "akamai_cloudaccess_key" "test" {
    + access_key_name       = "test"
    + access_key_uid        = (known after apply)
    + authentication_method = "AWS4_HMAC_SHA256"
    + contract_id           = "G-XXXXX"
    + credentials_a         = {
        + cloud_access_key_id     = "AKIA4xxxxxxxxxxxxxx"
        + cloud_secret_access_key = "my_very_secret_key_is_shown_here!!!"
        + primary_key             = true
        + version                 = (known after apply)
        + version_guid            = (known after apply)
      }
    + group_id              = 12345
    + network_configuration = {
        + security_network = "STANDARD_TLS"
      }
    + primary_guid          = (known after apply)
  }

Expected Behavior

At least the cloud_secret_access_key should be handled as "sensitive"

Actual Behavior

The key is displayed - and thus also stored in the output of our CI/CD (GitHub Action) and can be viewed by many users.

This is a blocker and prohibits the use of this Terraform resource!

@mimazaka
Contributor

mimazaka commented Sep 16, 2024

Hello @rolmo,

We are aware that the secret is visible on terraform apply. Some features like import and export are even based on comparing the access key secret to the value we have in the exported configuration. But you are right that we did not consider that terraform logs may be revealed in GitHub Actions output.

I will create a ticket to make them sensitive at the schema level and align it with our import/export logic, but in the meantime, as I noticed that you are using a .var file, you may add the sensitive = true flag to these variables to hide them in CLI output as a temporary solution.

Additionally, I would like to warn that, even though we will make this secret sensitive at the schema level, it can be viewed in the state file. It is stored in state as plain text. Storing sensitive values in state is a commonly known issue in the Terraform community, and the only recommendation we can provide is to store the state file in a secure place and not reveal it. We also mention it in our CAM documentation.

If you have any additional questions, please ask; we will do our best to reply to them.

Regards,
Michał

@rolmo
Author

rolmo commented Sep 17, 2024

Hi Michał,

Okay, marking the variable with "sensitive=true" helps here. We can use the resource this way. And yes, I know about the stored secrets in the state file - but our state files are much better protected than the output of the GitHub Actions.
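The workaround discussed in the two comments above, written out as an added example (not configuration from the issue or from the Akamai provider): the two credential variables are declared with sensitive = true so that values derived from them are redacted in plan and apply output. The variable names match the issue's configuration; the variable types and the rest of the layout are assumptions.

```hcl
# Added example, not from the issue: declare the credentials as sensitive
# input variables. Variable names follow the issue's configuration
# (var.access_key_id, var.secret_access_key); types are assumed.

variable "access_key_id" {
  type      = string
  sensitive = true
}

variable "secret_access_key" {
  type      = string
  sensitive = true
}

resource "akamai_cloudaccess_key" "test" {
  access_key_name       = "test"
  authentication_method = "AWS4_HMAC_SHA256"
  group_id              = 12345
  contract_id           = "G-XXXXX"
  network_configuration = {
    security_network = "STANDARD_TLS"
  }
  credentials_a = {
    # Anything derived from a sensitive variable is rendered by Terraform
    # as "(sensitive value)" in plan/apply output instead of in clear text,
    # which is what keeps the secret out of CI logs.
    cloud_access_key_id     = var.access_key_id
    cloud_secret_access_key = var.secret_access_key
    primary_key             = false
  }
}
```

Supply the values through TF_VAR_access_key_id and TF_VAR_secret_access_key environment variables or a .tfvars file kept out of version control; the state file still records them in plain text, so it needs the protection the comments above describe.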

@mimazaka mimazaka changed the title akamai_cloudaccess_key should handle cloud_secret_access_key as sensitive value DXE-4201 akamai_cloudaccess_key should handle cloud_secret_access_key as sensitive value Sep 17, 2024
@aka-mark aka-mark removed the planned label Nov 7, 2024