Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Boto3 logs printing SecretString when log level is set to debug

See original GitHub issue

I’ve written a code which gets a secret from Secrets Manager. here’s the code snippet


import logging
import boto3

logging.basicConfig(format='%(asctime)s,%(msecs)d %(levelname)-8s'
                           ' [%(filename)s:%(lineno)d] %(message)s',
                    datefmt='%Y-%m-%d:%H:%M:%S',
                    level=logging.DEBUG)

logger = logging.getLogger()
logger.setLevel(logging.DEBUG)

database_creds = boto3 \
    .client(service_name="secretsmanager",
            region_name='us-west-2',
            aws_access_key_id='my-access-key',
            aws_secret_access_key='my-secret-key',
            aws_session_token='my-session-token') \
    .get_secret_value(SecretId='my-key') \
    .get('SecretString')

Now this code works fine but the problem I have is with logging. This produces log as below

2020-02-14:13:17:30,139 DEBUG    [auth.py:367] StringToSign:
AWS4-HMAC-SHA256
20200214T074730Z
20200214/us-west-2/secretsmanager/aws4_request
27fb77a9b42454155485fd050fcf5c20e2eb530ab767d9c82acc4bd61319d325
2020-02-14:13:17:30,140 DEBUG    [auth.py:369] Signature:
21c66d87431be49d3bea56e61824beb460fd49f86730e2fb67cb25d81098d120
2020-02-14:13:17:30,140 DEBUG    [endpoint.py:187] Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://secretsmanager.us-west-2.amazonaws.com/, headers={'X-Amz-Target': b'secretsmanager.GetSecretValue', 'Content-Type': b'application/x-amz-json-1.1', 'User-Agent': b'Boto3/1.11.5 Python/3.7.4 Windows/10 Botocore/1.14.5', 'X-Amz-Date': b'20200214T074730Z', 'X-Amz-Security-Token': b'FwoGZXIvYXdzEMn//////////wEaDLkioZ+JZ5nq', 'Authorization': b'AWS4-HMAC-SHA256 Credential=ASIAW7AJJER2YMO35N5M/20200214/us-west-2/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=21c66d87431be49d3bea56e61824beb460fd49f86730e2fb67cb25d81098d120', 'Content-Length': '47'}>
2020-02-14:13:17:30,141 DEBUG    [connectionpool.py:959] Starting new HTTPS connection (1): secretsmanager.us-west-2.amazonaws.com:443
2020-02-14:13:17:31,720 DEBUG    [connectionpool.py:437] https://secretsmanager.us-west-2.amazonaws.com:443 "POST / HTTP/1.1" 200 282
2020-02-14:13:17:31,721 DEBUG    [parsers.py:234] Response headers: {'Date': 'Fri, 14 Feb 2020 07:47:31 GMT', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '282', 'Connection': 'keep-alive', 'x-amzn-RequestId': '7f3cfcdd-7e63-4b80-83b4-48e7827b5ee6'}
2020-02-14:13:17:31,721 DEBUG    [parsers.py:235] Response body:
b'{"ARN":"arn:aws:secretsmanager:us-west-2:478908327029:secret:my-secret","CreatedDate":1.57531457696E9,"Name":"my-secret","SecretString":"YOU-SHOULDNT-BE-SEEING-THIS","VersionId":"9c5effcf-2d48-439d-8dae-2b0da7dbfb7f","VersionStages":["AWSCURRENT"]}'
2020-02-14:13:17:31,721 DEBUG    [hooks.py:210] Event needs-retry.secrets-manager.GetSecretValue: calling handler <botocore.retryhandler.RetryHandler object at 0x045FFCD0>
2020-02-14:13:17:31,721 DEBUG    [retryhandler.py:187] No retry needed.

Interesting line is this

2020-02-14:13:17:31,721 DEBUG    [parsers.py:235] Response body:
b'{"ARN":"arn:aws:secretsmanager:us-west-2:478908327029:secret:my-secret","CreatedDate":1.57531457696E9,"Name":"my-secret","SecretString":"YOU-SHOULDNT-BE-SEEING-THIS","VersionId":"9c5effcf-2d48-439d-8dae-2b0da7dbfb7f","VersionStages":["AWSCURRENT"]}'

Here, Secret is getting printed.

Irrespective of whether the debug mode is on or off. The secrets are never supposed to be get printed.