Don't hide account ID in Actions logs by default

[danielcompton]

According to https://www.lastweekinaws.com/blog/are-aws-account-ids-sensitive-information/ which was confirmed with AWS:

“Account IDs are not considered sensitive. Based on your feedback,
we’ve started updating our documentation to make this more clear.”

[peterwoodworth]

Thanks for the feature request @danielcompton, the request makes a lot of sense.

This is something we won't want to implement until we release a new major version however. I'm concerned that customers using v1 who are still concerned with their account id security may be caught off-guard by this sudden change if we were to implement this in our current major version. We already document and support the option to unmask the value, so the benefit this brings isn't quite worth the risk of altering the functionality in a non-major version release imo. I'll be closing the PR you've been so helpful to contribute, thanks for letting us know about this desired functionality 🙂

[RyPeck]

We already document and support the option to unmask the value

@peterwoodworth where is that option?

[peterwoodworth]

@RyPeck I was wrong about us documenting it, we have an issue open tracking adding this to our docs

You can use mask-aws-account-id and set it to false. I'll see about getting an example up on our readme next week probably

[mike-dodge-eq]

Is there an ETA for the next major version (presumably v2)? Debating whether to chase around updating the mask-flag, vs picking up the v2 update...timing will drive the configuration vs convention play.

[peterwoodworth]

There's not really an ETA yet @mike-dodge-eq. I would expect it to arrive within a couple months, but no promises

[jmeekhof]

I'm seeing some odd behavior related to this.

Run aws-actions/[email protected]
  with:
    role-to-assume: arn:aws:iam::505480154940:role/ci_agent_role
    role-duration-seconds: 1200
    role-skip-session-tagging: true
    aws-access-key-id: ***
    aws-secret-access-key: ***
    aws-region: ***
    mask-aws-account-id: false
    audience: sts.amazonaws.com
  env:
    REGISTRY: 505480154940.dkr.ecr.***.amazonaws.com
(node:1632) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
1s
0s
0s
0s
Evaluate and set job outputs
Warning: Skip output 'registry' since it may contain secret.
Set output 'docker_username'
Set output 'docker_password'
Cleaning up orphan processes

Even though I've used the make-aws-account-id parameter, it's still being masked.

[peterwoodworth]

v3 does not mask the account id by default 🙂

[github-actions]

** Note **
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.