Avoid committing hard coded secrets #1324
Comments
johnkrah-aws added a commit to johnkrah-aws/google-auth-library-python that referenced this issue on Jun 7, 2023:

We recommend (1) removing these secrets from code and (2) rotating the account access secret key to prevent unauthorized use by anyone who has seen the credentials written here. Consider using AWS Secrets Manager to store and access credentials, here’s a more detailed explanation https://maturitymodel.security.aws.dev/en/2.-foundational/dont-store-secrets-in-code/ why this is a best practice and a helpful guide https://docs.aws.amazon.com/secretsmanager/latest/userguide/hardcoded.html how to implement. Alternately in case these are purely test strings we recommend using a recognizably mocked value to assure that there is no accidental disclosure of credentials suggested by https://docs.aws.amazon.com/STS/latest/APIReference/API_GetAccessKeyInfo.html and https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html.
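The "recognizably mocked value" recommendation above can be enforced with a small scanner run over test fixtures before commit. This is an added example, not code from the issue or from google-auth-library-python; it assumes AWS's documented convention of marking placeholder key IDs with the word EXAMPLE (as in AKIAIOSFODNN7EXAMPLE) and uses constructed sample lines.

```python
"""Flag AWS access key IDs in source text that are not recognizably mocked."""
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# IAM keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Assumption: a key ID is "recognizably mocked" when it carries AWS's own
# documentation marker, the literal word EXAMPLE (e.g. AKIAIOSFODNN7EXAMPLE).
MOCK_MARKER = "EXAMPLE"


@dataclass(frozen=True)
class Finding:
    line_no: int
    key_id: str
    mocked: bool


def scan_text(text: str) -> list[Finding]:
    """Return every access key ID found, tagged with whether it is mocked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            key_id = match.group(0)
            findings.append(Finding(line_no, key_id, MOCK_MARKER in key_id))
    return findings


def unmocked_keys(text: str) -> list[Finding]:
    """Only the findings a reviewer should reject: real-looking key IDs."""
    return [f for f in scan_text(text) if not f.mocked]


# Constructed sample resembling a test fixture; none of these values is real.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # documented placeholder: accepted
creds = {"access_key_id": "AKIAQWERTYUIOP123456"}  # looks real: flagged
session_key = "ASIAZXCVBNMASDFGH789"  # temporary-key shape, not marked: flagged
note = "akia is not a key"  # lower case, does not match the key ID shape
"""

if __name__ == "__main__":
    for f in unmocked_keys(SAMPLE):
        print(f"line {f.line_no}: {f.key_id} is not a recognizably mocked value")
```

Secret access keys have no fixed prefix, so this check covers key IDs only; the secret should be replaced alongside its key ID and rotated regardless.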
clundin25 pushed a commit that referenced this issue on Jun 8, 2023.
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Please run down the following list and make sure you've tried the usual "quick fixes":
looked and didn't see an open or closed issue related to this finding.
If you are still having issues, please be sure to include as much information as possible:
Environment details
environment is probably not relevant to this static code finding, but just in case:
google-auth version: 2.19.1
Steps to reproduce
Making sure to follow these steps will guarantee the quickest resolution possible.
Thanks!
Welcome! Posting this issue for tracking, already have a pull request ready to resolve this finding. Thank you!