)]}' { "commit": "b0d4cdb1eeeff04fabe2196c05089bbdefa26047", "tree": "71435491c5e8ffde413ff0b512ab7115b0796201", "parents": [ "9573c13884bdfd563c989311e432dcb11e6a1830" ], "author": { "name": "Daniel Roschka", "email": "danielroschka@phoenitydawn.de", "time": "Fri Dec 30 08:41:24 2016 +0100" }, "committer": { "name": "Daniel Roschka", "email": "danielroschka@phoenitydawn.de", "time": "Fri Dec 30 08:41:24 2016 +0100" }, "message": "Improve searching for configured AWS credentials\n\nThe previous approach for finding AWS credentials was pretty naive and\nonly covered contents of a single file (~/.aws/credentials by\ndefault).\n\nThe AWS CLI documentation states various other ways to configure\ncredentials which weren\u0027t covered:\nhttps://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials\nEven that aren\u0027t all ways, a look into the code shows:\nhttps://github.com/boto/botocore/blob/develop/botocore/credentials.py\n\nThis commit changes the behavior so the hook will behave in a way\nthat if the AWS CLI is able to obtain credentials from local files,\nthe hook will find them as well.\n\nThe changes in detail are:\n- detect AWS session tokens and handle them like secret keys.\n- always search credentials in the default AWS CLI file locations\n ( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)\n- detect AWS credentials configured via environment variables in\n AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN\n- check additional configuration files configured via environment\n variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and\n BOTO_CONFIG)\n- print out the first four characters of each secret found in files to\n be checked in, to make it easier to figure out, what the secrets\n were, which were going to be checked in\n- improve error handling for parsing ini-files\n- improve tests\n\nThere is a major functional change introduced by this commit:\nLocations the AWS CLI gets credentials from are always searched and\nthere is no way to disable them. --credentials-file is still there to\nspecify one or more additional files to search credentials in. It\u0027s\nthe purpose of this hook to find and check files for found\ncredentials, so it should work in any case. As this commit also\nimproves error handling for not-existing or malformed configuration\nfiles, it should be no big deal.\n\nReceiving credentials via the EC2 and ECS meta data services is not\ncovered intentionally, to not further increase the amount of changes\nin this commit and as it\u0027s probably an edge case anyway to have this\nhook running in such an environment.\n", "tree_diff": [ { "type": "modify", "old_id": "603e08c5ee8670794d32746f9b7f0ff5ab68e34f", "old_mode": 33188, "old_path": "README.md", "new_id": "51c44445e952c04fbe7bd752a52b194c2587ddcd", "new_mode": 33188, "new_path": "README.md" }, { "type": "modify", "old_id": "9dda217760c73e6f5575ddbac7a9626bf2b03e64", "old_mode": 33188, "old_path": "pre_commit_hooks/detect_aws_credentials.py", "new_id": "420333d5dec97983c4d36f5c91f0833e31b343ac", "new_mode": 33188, "new_path": "pre_commit_hooks/detect_aws_credentials.py" }, { "type": "rename", "old_id": "a79b0212536483f027b4ddc0be937297da340666", "old_mode": 33188, "old_path": "testing/resources/sample_aws_credentials", "new_id": "ca6a8a3b66c8a3a0a36b37a623ecdda72d0a8e12", "new_mode": 33188, "new_path": "testing/resources/aws_config_with_multiple_sections.ini", "score": 72 }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "bb55017f45d6305dd662b60132aa46c7ea671bf4", "new_mode": 33188, "new_path": "testing/resources/aws_config_with_secret.ini" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "4bd675dd92af4a340a62eeac4affb3757a536f48", "new_mode": 33188, "new_path": "testing/resources/aws_config_with_secret_and_session_token.ini" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "e07f2ac7025be4cc0e86544fa1a886dd4f4b3d7d", "new_mode": 33188, "new_path": "testing/resources/aws_config_with_session_token.ini" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "26d1692a4430e898fa2f084f9abb0da84f4ea6b8", "new_mode": 33188, "new_path": "testing/resources/aws_config_without_secrets.ini" }, { "type": "delete", "old_id": "d9ab5050a03b67ad3f95a6c01b0a6ce4e33afb22", "old_mode": 33188, "old_path": "testing/resources/with_no_secrets.txt", "new_id": "0000000000000000000000000000000000000000", "new_mode": 0, "new_path": "/dev/null" }, { "type": "delete", "old_id": "001822556dae37cbb6c17419c819fa404ef246b0", "old_mode": 33188, "old_path": "testing/resources/with_secrets.txt", "new_id": "0000000000000000000000000000000000000000", "new_mode": 0, "new_path": "/dev/null" }, { "type": "modify", "old_id": "66513fe906dfc5e292eed2b7a5a6030f07222270", "old_mode": 33188, "old_path": "tests/detect_aws_credentials_test.py", "new_id": "410a33f735dd5a13470edcb27adbdbb7144250f3", "new_mode": 33188, "new_path": "tests/detect_aws_credentials_test.py" } ] }