CODEWITHSUNDEEP
typescriptaws-cdk
KatKibo
KatKibo

Reputation: 143

Hide CfnOutput values in CDK console log

I'm using CfnOutout in my TypeScript CDK code and would like to output secret values, but at the same time hide them from the console log. This is how I use them:

const accessKey = new CfnAccessKey(this, 'testUserKey', {
  userName: testUser.userName,
});

const accessKeyId = new CfnOutput(this, 'accessKey', { value: accessKey.ref });
const attrSecretAccessKey = new CfnOutput(this, 'secretAccessKey', { value: accessKey.attrSecretAccessKey });

Is there a way to stop CDK from showing them in the console logs? Currently CDK shows them in the log as below:

Outputs:
stagingConsulComponents.accessKey = ADGHHBAS26TGDRGV
stagingConsulComponents.secretAccessKey = JKGHDJhdskjhfzhfsdjdafhJHJdd

Upvotes: 0

Views: 516

Answers (2)

Felipe Costa
Felipe Costa

Reputation: 21

I don't think CDK can make an output "sensitive" and hide from the console, you can use sed as the first answer, and that will solve. I would recommend, if you can, push these credentials to AWS secret manager and pull them, so in this case, you don't even need to output them and they will never be in plain text:

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager-readme.html

https://docs.aws.amazon.com/cdk/v2/guide/get_secrets_manager_value.html

Upvotes: 2

Matthew Bonig
Matthew Bonig

Reputation: 2136

It doesn't appear there is any way to suppress the output of those values. However, a little sed work could get you there:

$ cdk deploy ... | sed -E "s/(accessKey) = (.*)$/\1 = masked/" | sed -E "s/(secretAccessKey) = (.*)$/\1 = masked/"

Upvotes: 1

Related Questions