Status: Closed
Labels:
- automation: This item relates to automation
- completed: This item is complete and has been merged/shipped
- internal: PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.)
Description
Summary
We should pass a workflow only the secrets it actually needs and avoid dynamically accessed secrets such as `secrets[format('GH_PAT_%s', matrix.env)]`, because with an expression like that the workflow has to receive every secret in order to decide at runtime which one to use.
This is a medium-severity CodeQL finding:
- https://github.com/aws-powertools/powertools-lambda-typescript/security/code-scanning/195
- https://github.com/aws-powertools/powertools-lambda-typescript/security/code-scanning/194
- https://github.com/aws-powertools/powertools-lambda-typescript/security/code-scanning/193
- https://github.com/aws-powertools/powertools-lambda-typescript/security/code-scanning/192
- https://github.com/aws-powertools/powertools-lambda-typescript/security/code-scanning/191
Why is this needed?
When the workflow runner cannot determine which secrets a workflow needs, it passes all available secrets to the runner, including organization and repository secrets. This violates the principle of least privilege and increases the impact of any vulnerability affecting the workflow.
Which area does this relate to?
Automation
Solution
```yaml
strategy:
  matrix:
    env: [PROD, DEV]
```

Then, in the steps, reference each secret by its static name and select the step with a matrix condition (GitHub Actions expressions only accept single-quoted strings):

```yaml
if: matrix.env == 'PROD'
env:
  GH_TOKEN: ${{ secrets.GH_PAT_PROD }}
```

```yaml
if: matrix.env == 'DEV'
env:
  GH_TOKEN: ${{ secrets.GH_PAT_DEV }}
```
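As an added example (not code from this issue or the project), a small check a reviewer can run over a workflow file: it flags any `secrets[...]` access whose key is not a literal, the pattern CodeQL reports here, and lists the statically named secrets so the full set a workflow needs can be audited. The two workflow snippets are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample: the risky pattern from the finding.
RISKY_WORKFLOW = """\
jobs:
  deploy:
    strategy:
      matrix:
        env: [PROD, DEV]
    steps:
      - run: gh release list
        env:
          GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }}
"""

# Constructed sample: the same job after the fix, one static secret per matrix value.
FIXED_WORKFLOW = """\
jobs:
  deploy:
    strategy:
      matrix:
        env: [PROD, DEV]
    steps:
      - if: matrix.env == 'PROD'
        run: gh release list
        env:
          GH_TOKEN: ${{ secrets.GH_PAT_PROD }}
      - if: matrix.env == 'DEV'
        run: gh release list
        env:
          GH_TOKEN: ${{ secrets.GH_PAT_DEV }}
"""

# `secrets.NAME` and `secrets['NAME']` are resolved statically; any other
# `secrets[...]` index (format(), matrix.*, inputs.*) is resolved at runtime,
# so the runner has to be handed every secret.
_DYNAMIC = re.compile(r"secrets\[(?!\s*'[A-Za-z_][A-Za-z0-9_]*'\s*\])")
_STATIC_DOT = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
_STATIC_IDX = re.compile(r"secrets\['([A-Za-z_][A-Za-z0-9_]*)'\]")

def find_dynamic_secret_access(workflow: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for each dynamic `secrets[...]` access."""
    return [(n, line.strip())
            for n, line in enumerate(workflow.splitlines(), start=1)
            if _DYNAMIC.search(line)]

def static_secret_names(workflow: str) -> List[str]:
    """Sorted names of all statically referenced secrets in the workflow text."""
    names = {m.group(1) for m in _STATIC_DOT.finditer(workflow)}
    names |= {m.group(1) for m in _STATIC_IDX.finditer(workflow)}
    return sorted(names)
```

Run `find_dynamic_secret_access` over each workflow under `.github/workflows` in CI; a non-empty result is the condition the CodeQL rule reports.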
Acknowledgment
- This request meets Powertools for AWS Lambda (TypeScript) Tenets
- Should this be considered in other Powertools for AWS Lambda languages? i.e. Python, Java, and .NET
Future readers
Please react with 👍 and your use case to help us understand customer demand.
Project status: Shipped