pulsar furnace
I'm using the Node SDK to create an AWS Lambda and setting various AWS secrets using setSecret. When the pipeline errors out, I can see string values in the output, like below. Initially I thought these were the actual secret values but on checking further, it looks like they are encoded strings (the values starting with ey... below, truncation by me). I was thrown because I expected all secret values to be masked with asterisks. Is it safe to have these values appear in stderr output ie. can they be used to deduce the original secret value?
Stderr:\nAn error occurred (InvalidParameterValueException) when calling the UpdateFunctionCode operation: Source image xxx.dkr.ecr.us-east-1.amazonaws.com/vikramtest:latest@sha256xxx is not valid. Provide a valid source image.","locations":[{"line":2,"column":849}],"path":["container","from","withExec","withSecretVariable","withSecretVariable","withSecretVariable","withExec","withExec","exitCode"]}],"status":200,"headers":{}},"request":{"query":"\n { container { from (address: \"alpine:3.17.3\") { withExec (args: [\"apk\",\"add\",\"aws-cli\"]) { withSecretVariable (name: \"AWS_ACCESS_KEY_ID\",secret: \"ey...==\") { withSecretVariable (name: \"AWS_SECRET_ACCESS_KEY\",secret: \"ey...=\") { withSecretVariable (name: \"GITHUB_API_TOKEN\",secret: \"ey...==\") { withExec (args: [\"sh\",\"-c\",\"aws lambda update-function-code --function-name myFunctionNodeCtr --image-uri xxx.dkr.ecr.us-east-1.amazonaws.com/vikramtest:latest@sha256xxx --region us-east-1\"]) { withExec (args: [\"sh\",\"-c\",\"aws lambda update-function-configuration --function-name myFunctionNodeCtr --environment Variables={GITHUB_API_TOKEN=$GITHUB_API_TOKEN} --region us-east-1\"]) { exitCode }}}}}}}} }\n "}}