According to the Orca researchers, it is common practice to store the credentials these commands need in environment variables of the Linux command-line environment in which the CLIs run. The problem is that some AWS and Gcloud CLI commands also print those environment variables to stdout (standard output on Unix systems) as part of their execution.
For AWS CLI, the Lambda commands get-function-configuration, get-function, update-function-configuration, update-function-code and publish-version exhibit this behavior. Lambda is AWS’s serverless computing platform, which lets developers run code and applications without provisioning virtual servers. For Gcloud CLI, gcloud functions deploy <func> with the --set-env-vars, --update-env-vars and --remove-env-vars options returns the values stored in environment variables.
“If the developer isn’t aware of it, even using secret masking via GitHub Actions / Cloudbuild will not do, because there may be pre-existing environment variables in the cloud function,” the researchers said.
Mitigation to avoid the leak of secrets
AWS will update its documentation to make the risks clearer to users. The company advises customers not to store sensitive values in environment variables and instead to use a purpose-built secrets store such as AWS Secrets Manager. Users are also advised to review their build logs to confirm that no secrets appear in them, and to suppress sensitive command output by redirecting it to /dev/null. Access to build logs should be restricted to only those users who need it.
Google Cloud had similar recommendations, according to the Orca researchers. The company noted that command output can be suppressed with the “--no-user-output-enabled” flag and that secrets can be stored securely by using the “gcloud deploy command” with the “--set-secrets” and “--update-secrets” options.
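The two pieces of advice above (review build logs for leaked variables, and redirect sensitive command output to /dev/null) as an added shell example, not code from the Orca report or either vendor. The JSON is a constructed stand-in for what a Lambda configuration command prints, and fake_aws_cli is a hypothetical substitute for the real CLI call, which would need credentials.

```shell
#!/bin/sh
# Constructed sample shaped like `aws lambda get-function-configuration`
# output; the values are placeholders, not real secrets.
SAMPLE_OUTPUT='{
    "FunctionName": "example-fn",
    "Runtime": "python3.12",
    "Environment": {
        "Variables": {
            "DB_PASSWORD": "placeholder-password",
            "API_TOKEN": "placeholder-token"
        }
    },
    "Timeout": 3
}'

# Build-log review: count key/value pairs inside the Environment.Variables
# object of a log fragment. Any count above zero means the log carries every
# variable the function already had, which pipeline secret masking (scoped to
# the pipeline's own secrets) does not cover. Plain awk, so it runs anywhere.
env_var_leak_count() {
    printf '%s\n' "$1" | awk '
        /"Variables"[[:space:]]*:/ { inside = 1; next }
        inside && /^[[:space:]]*}/ { inside = 0 }
        inside && /"[^"]+"[[:space:]]*:[[:space:]]*"/ { n++ }
        END { print n + 0 }'
}

# Output suppression as AWS recommends: stdout goes to /dev/null so the
# response body never reaches the build log, while stderr and the exit
# status still surface failures. (For gcloud the page's
# --no-user-output-enabled flag serves the same purpose.)
run_quiet() {
    "$@" > /dev/null
}

# Hypothetical stand-in for `aws lambda update-function-configuration ...`.
fake_aws_cli() {
    printf '%s\n' "$SAMPLE_OUTPUT"
}

# Unredirected output: the variables land in whatever captures stdout.
leaked=$(env_var_leak_count "$(fake_aws_cli)")
# Redirected output: nothing reaches stdout, so nothing is there to leak.
quiet=$(env_var_leak_count "$(run_quiet fake_aws_cli)")
echo "unredirected: $leaked leaked pairs; redirected: $quiet"
```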