Add GCP's json-encoded service account private keys to default secret masking
David Shepherd
GCP service account keys are often encoded and passed around as json blobs (e.g. the gcloud CLI tool requires this format).
Unfortunately, secret masking doesn't seem to apply to json blobs, so if the environment is logged somehow these private keys will be printed in full.
Here's an example of the format:
{
"type": "service_account",
"project_id": "PROJECT_ID",
"private_key_id": "KEY_ID",
"private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
"client_email": "SERVICE_ACCOUNT_EMAIL",
"client_id": "CLIENT_ID",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}
More documentation here: https://cloud.google.com/iam/docs/keys-create-delete#iam-service-account-keys-create-console
Also the default-enabled secret masking is fantastic and handles this automatically for most of our secrets! Thank you for this feature!
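One way a masker could cover the format shown above, as an added example that is not part of the original post or of any CI product's own masking code: detect an environment value that parses as a service-account key, register the whole blob plus the private key in both its JSON-escaped and decoded forms, and as a fallback redact any PEM body that reaches a log line. The sample blob and env var name are constructed for the demo.

```python
import json
import re

# Constructed sample (not a real key): a service-account blob as it would appear
# in a logged environment, with "\n" escapes inside the JSON string.
SAMPLE_ENV_LINE = (
    'GOOGLE_CREDENTIALS={"type": "service_account", "project_id": "demo-project", '
    '"private_key_id": "0123abcd", '
    '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg\\nAbCdEf\\n-----END PRIVATE KEY-----\\n", '
    '"client_email": "ci@demo-project.iam.gserviceaccount.com"}'
)

MASK = "[MASKED]"

# PEM body inside a JSON string: newlines are the two characters '\n' (or '\\n'
# if the blob was escaped twice), so DOTALL plus a non-greedy body covers both.
_PEM_RE = re.compile(
    r"(-----BEGIN (?:RSA |EC )?PRIVATE KEY-----)(.*?)(-----END (?:RSA |EC )?PRIVATE KEY-----)",
    re.DOTALL,
)
_KEY_ID_RE = re.compile(r'("private_key_id"\s*:\s*")([^"]*)(")')


def mask_private_keys(text: str) -> str:
    """Fallback for log lines: blank every PEM body and private_key_id value."""
    text = _PEM_RE.sub(lambda m: f"{m.group(1)}{MASK}{m.group(3)}", text)
    return _KEY_ID_RE.sub(lambda m: f"{m.group(1)}{MASK}{m.group(3)}", text)


def parse_service_account_key(value: str):
    """Return the decoded dict if value is a GCP service-account key blob, else None."""
    try:
        data = json.loads(value)
    except ValueError:
        return None
    required = {"type", "private_key", "client_email"}
    if isinstance(data, dict) and data.get("type") == "service_account" and required <= data.keys():
        return data
    return None


def masked_values(env: dict) -> list:
    """Strings to register with the masker for each service-account key in env:
    the whole blob, the decoded PEM (real newlines) and the JSON-escaped PEM."""
    out = []
    for value in env.values():
        key = parse_service_account_key(value)
        if key is None:
            continue
        pem = key["private_key"]
        out.extend([value, pem, json.dumps(pem)[1:-1]])
    return out
```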