
Security Issue: AWS secrets keys revealed in migration files #1393

Closed
ashwanthbalakrishnan5 opened this issue May 4, 2024 · 4 comments

@ashwanthbalakrishnan5

settings.py:

# env() is assumed to be the project's environment reader (e.g. django-environ),
# defined earlier in settings.py; it is not shown in the original post.
STORAGES = {
    "default": {
        "BACKEND": "storages.backends.s3.S3Storage",
        "OPTIONS": {
            "access_key": env("AWS_ACCESS_KEY_ID"),
            "secret_key": env("AWS_SECRET_ACCESS_KEY"),
            "bucket_name": env("AWS_STORAGE_BUCKET_NAME"),
            "region_name": "ap-south-1",
            "file_overwrite": False,
        },
    },
    "PublicMediaStorage": {
        "BACKEND": "storages.backends.s3.S3Storage",
        "OPTIONS": {
            "access_key": env("AWS_ACCESS_KEY_ID"),
            "secret_key": env("AWS_SECRET_ACCESS_KEY"),
            "bucket_name": env("AWS_STORAGE_BUCKET_NAME"),
            "region_name": "ap-south-1",
            "default_acl": "public-read",
            "location": "media/public",
            "querystring_auth": False,
            "file_overwrite": False,
        },
    },
    "staticfiles": {
        "BACKEND": "storages.backends.s3.S3Storage",
        "OPTIONS": {
            "access_key": env("AWS_ACCESS_KEY_ID"),
            "secret_key": env("AWS_SECRET_ACCESS_KEY"),
            "bucket_name": env("AWS_STORAGE_STATIC_BUCKET_NAME"),
            "region_name": "ap-south-1",
            "default_acl": "public-read",
            "location": "staticfiles",
            "querystring_auth": False,
        },
    },
}

models.py:

from django.db import models
from django.core.files.storage import storages

class DemoModel(models.Model):
    file = models.FileField(
        upload_to="demo/",
        storage=storages["PublicMediaStorage"],
    )

Migration file: (screenshot of the generated migration, not reproduced here)

Is this the correct way of passing the storage to FileField?

@laurentdufloux

Where are you running this code? If you run in EC2, the credentials will be periodically obtained from instance metadata and are available to boto3, you don't need to provide them. If you run in Lambda, likewise they will be in the environment. There is an issue with the latest version where the session token is not fetched and things will break but #1399 fixes it and the previous version was fine as well.

@maxmorlocke

If you intend to use the standard variable names of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, the s3 storage backend will automatically look up and resolve these variables (https://django-storages.readthedocs.io/en/latest/backends/amazon-S3.html). So, you can remove those at least from the configuration and still get a working result, and this will ensure they are not kept in the migration file.

@ashwanthbalakrishnan5
Author

@laurentdufloux and @maxmorlocke thanks for the workaround.
But I feel this is still a security issue and needs fixing, so I'll keep the issue open.

Thanks again!!!

@jschneier
Owner

In general you should have separate configurations for your dev vs prod systems. Unfortunately this is how Django works with the migration system. Others have offered alternatives.
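The leak discussed in this thread happens because a storage instance passed to FileField is deconstructed with its __init__ kwargs (access_key, secret_key, ...) into the migration, whereas a module-level callable is serialized as a bare dotted reference. The following scanner is an added example, not code from this issue or from django-storages: it walks migration source with ast and reports credential literals, run here over two constructed migrations (placeholder keys; the callable demo.storage.select_public_storage is hypothetical).

```python
# Added example: flag S3 credentials that makemigrations serialized into a
# migration because FileField was given a storage *instance*, not a callable.
import ast

# S3Storage option names whose literal values must never reach a migration file.
SENSITIVE_KWARGS = {"access_key", "secret_key", "security_token"}


def find_serialized_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line, option) for each sensitive string literal passed to the
    storage constructor that appears as a field's storage= argument."""
    findings = []
    calls = (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call))
    for node in calls:
        for kw in node.keywords:
            # A serialized instance is a nested Call carrying its __init__ kwargs;
            # a callable reference is a bare Name/Attribute and is skipped here.
            if kw.arg != "storage" or not isinstance(kw.value, ast.Call):
                continue
            for opt in kw.value.keywords:
                if (opt.arg in SENSITIVE_KWARGS and isinstance(opt.value, ast.Constant)
                        and isinstance(opt.value.value, str)):
                    findings.append((opt.value.lineno, opt.arg))
    return findings


# Constructed sample of what makemigrations writes for the issue's DemoModel
# when storage=storages["PublicMediaStorage"] (placeholder credentials).
LEAKY_MIGRATION = '''\
from django.db import migrations, models
import storages.backends.s3
class Migration(migrations.Migration):
    operations = [migrations.CreateModel(name="DemoModel", fields=[
        ("file", models.FileField(upload_to="demo/",
            storage=storages.backends.s3.S3Storage(
                access_key="AKIA_PLACEHOLDER", secret_key="SECRET_PLACEHOLDER",
                bucket_name="demo-bucket", region_name="ap-south-1",
                default_acl="public-read", location="media/public"))),
    ])]
'''

# Constructed sample of the same field when storage is a module-level callable
# (hypothetical demo.storage.select_public_storage); only its dotted path is written.
SAFE_MIGRATION = '''\
from django.db import migrations, models
import demo.storage
class Migration(migrations.Migration):
    operations = [migrations.CreateModel(name="DemoModel", fields=[
        ("file", models.FileField(upload_to="demo/",
            storage=demo.storage.select_public_storage)),
    ])]
'''
```

Run it as a pre-commit hook or CI step over `*/migrations/*.py`; any non-empty result means a generated migration must be regenerated after switching the field to a callable storage.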
