serverless/serverless

Deprecate `aws config credentials` command

Open

#11,763 opened on February 26, 2023

Labels: cat/aws-auth, deprecation, good first issue, help wanted

Description

Are you certain it's a bug?

  • Yes, it looks like a bug

Is the issue caused by a plugin?

  • It is not a plugin issue

Are you using the latest v3 release?

  • Yes, I'm using the latest v3 release

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Issue description

https://www.serverless.com/framework/docs/providers/aws/guide/credentials/#using-aws-access-keys

You instruct users to run:

serverless config credentials \
  --provider aws \
  --key AKIAIOSFODNN7EXAMPLE \
  --secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Passing secrets in the CLI is not secure! This logs the secret in plaintext in the user's bash/zsh history! Instead, the command should be interactive, taking in the input via stdin interactively so it's not logged into the shell's history.

I classified this as a bug because you're telling users to do something that is widely regarded as a bad security practice, and then you're referring to that as "the permanent" solution, implying that it is secure or suitable for production environments.

Service configuration (serverless.yml) content

n/a

Command name and used flags

n/a

Command output

n/a

Environment information

n/a
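
One way to implement the interactive input the issue asks for, as an added example that is not part of the issue or of the Serverless Framework code base: the keys are read from stdin (with echo suppressed for the secret on a TTY), flags carrying keys are refused, and the profile is written to the AWS shared credentials file with mode 0600. The function names, the `store` argument and the validation patterns are assumptions made for this example.

```javascript
// Added example, not Serverless Framework code; names and patterns are assumptions.
const fs = require('node:fs'), os = require('node:os'), path = require('node:path');
const readline = require('node:readline'), { Writable } = require('node:stream');
// True when a secret-bearing flag is on the command line (and so in shell history).
const argvLeaksSecret = (argv) => argv.some((a) => /^--(key|secret)(=|$)/.test(a));

// Reject values that are malformed or that could inject extra INI lines.
function validate(keyId, secret) {
  if (!/^\w{16,128}$/.test(keyId)) throw new Error('malformed access key id');
  if (!/^[A-Za-z0-9/+=]+$/.test(secret)) throw new Error('malformed secret access key');
}

// Replace or append one [profile] section in shared-credentials INI text.
function upsertProfile(ini, profile, keyId, secret) {
  validate(keyId, secret);
  const out = []; let skipping = false;
  for (const line of ini.split(/\r?\n/)) {
    const header = line.match(/^\s*\[(.+?)\]\s*$/);
    if (header) skipping = header[1] === profile; // drop the old copy of this profile
    if (!skipping) out.push(line);
  }
  while (out.length && out[out.length - 1].trim() === '') out.pop();
  if (out.length) out.push('');
  out.push(`[${profile}]`, `aws_access_key_id = ${keyId}`, `aws_secret_access_key = ${secret}`);
  return out.join('\n') + '\n';
}

// Prompt on stderr, read both values from stdin, then write the file owner-only.
async function store(profile = 'default') {
  if (argvLeaksSecret(process.argv)) throw new Error('pass keys on stdin, not as flags');
  const sink = new Writable({ write(c, _e, cb) { if (!sink.muted) process.stderr.write(c); cb(); } });
  const rl = readline.createInterface({ input: process.stdin, output: sink, terminal: !!process.stdin.isTTY });
  const lines = rl[Symbol.asyncIterator]();
  const ask = async (label, hidden) => {
    rl.setPrompt(label); rl.prompt(); sink.muted = hidden; // prompt shown, typing not echoed
    const { value = '' } = await lines.next();
    sink.muted = false; if (hidden) process.stderr.write('\n');
    return value.trim();
  };
  const keyId = await ask('AWS access key id: ', false);
  const secret = await ask('AWS secret access key (hidden): ', true);
  rl.close();
  const file = process.env.AWS_SHARED_CREDENTIALS_FILE || path.join(os.homedir(), '.aws', 'credentials');
  fs.mkdirSync(path.dirname(file), { recursive: true, mode: 0o700 });
  const old = fs.existsSync(file) ? fs.readFileSync(file, 'utf8') : '';
  fs.writeFileSync(file, upsertProfile(old, profile, keyId, secret), { mode: 0o600 });
  fs.chmodSync(file, 0o600); // the mode option only applies when the file is created
}

if (process.argv[2] === 'store') store().catch((e) => { console.error(e.message); process.exitCode = 1; });
```

Invoked with the single argument `store` (for example `node creds.js store`, file name hypothetical), it prompts on stderr, so neither key appears in argv or in the shell history.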
