Add changelog entry, enable printing via env var

smithy-lang · Apr 20, 2023 · 75461b9 · 75461b9
1 parent c800e5c
commit 75461b9
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/CHANGELOG.next.toml b/CHANGELOG.next.toml
@@ -128,3 +128,19 @@ message = "Fix server code generation bug affecting constrained shapes bound wit
 references = ["smithy-rs#2583", "smithy-rs#2584"]
 meta = { "breaking" = false, "tada" = false, "bug" = true, "target" = "server" }
 author = "david-perez"
+
+[[aws-sdk-rust]]
+message = """Reduce several instances of credential exposure in the SDK logs:
+- IMDS now suppresses the body of the response from logs
+- `aws-sigv4` marks the `x-amz-session-token` header as sensitive
+- STS & SSO credentials have been manually marked as sensitive which suppresses logging of response bodies for relevant operations
+"""
+author = "rcoh"
+references = ["smithy-rs#2603"]
+meta = { "breaking" = false, "tada" = false, "bug" = false }
+
+[[smithy-rs]]
+message = "Add a sensitive method to `ParseHttpResponse`. When this returns true, logging of the HTTP response body will be suppressed."
+author = "rcoh"
+references = ["smithy-rs#2603"]
+meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client" }
diff --git a/rust-runtime/aws-smithy-http/src/middleware.rs b/rust-runtime/aws-smithy-http/src/middleware.rs
@@ -21,6 +21,8 @@ use tracing::{debug_span, trace, Instrument};
 
 type BoxError = Box<dyn Error + Send + Sync>;
 
+const LOG_SENSITIVE_BODIES: &str = "LOG_SENSITIVE_BODIES";
+
 /// [`AsyncMapRequest`] defines an asynchronous middleware that transforms an [`operation::Request`].
 ///
 /// Typically, these middleware will read configuration from the `PropertyBag` and use it to
@@ -132,8 +134,14 @@ where
     };
 
     let http_response = http::Response::from_parts(parts, Bytes::from(body));
-    if !handler.sensitive() {
+    if !handler.sensitive()
+        || std::env::var(LOG_SENSITIVE_BODIES)
+            .map(|v| v.eq_ignore_ascii_case("true"))
+            .unwrap_or_default()
+    {
         trace!(http_response = ?http_response, "read HTTP response body");
+    } else {
+        trace!(http_response = "** REDACTED **. To print, set LOG_SENSITIVE_BODIES=true")
     }
     debug_span!("parse_loaded").in_scope(move || {
         let parsed = handler.parse_loaded(&http_response);