0

In a service running on google cloud run, I have an endpoint that essentially accepts an access token in the query string and returns some user details of the user that is corresponding to that access token.

Something like BASE_URL/auth?access_token=abc123

The issue with this is that cloud run writes logs automatically that contains information about the request, including the full url including the query string. This then means that the access token gets written to the logs, which is not exactly what I want.

From what I gather from here: https://cloud.google.com/run/docs/logging#exclude-logs, it doesnt seem possible to turn off these logs except via some exclusion filter. What I'm trying to understand is, can I use this to actually filter the logs that cloud run writes to cloud logging? If so how would that sink look?

I'm also very open to any other alternative that would simply redact the sensitive information. In case it is of any relevance, the access token is a JWT (not issued by Google).

Fredrik Nilsson
  • 549
  • 4
  • 13
  • 1
    What's the life duration of the access_token? – guillaume blaquiere May 29 '23 at 14:54
  • @guillaumeblaquiere 24 hours – Fredrik Nilsson May 29 '23 at 14:56
  • 1
    It's not possible to redeac logs in Cloud Logging. However, you can exclude the logs from the default bucket and add them in a dedicated log bucket. From there, you can manage who can access to the logs. And because the access_token expire after 24h, the risk is pretty low. – guillaume blaquiere May 29 '23 at 15:04
  • how do I exclude them from the default bucket? – Fredrik Nilsson May 29 '23 at 15:27
  • 1
    Use log exclusion in Cloud Logging https://cloud.google.com/logging/docs/routing/overview#exclusions – guillaume blaquiere May 29 '23 at 18:17
  • You have a security issue. Do not include sensitive information in HTTP request URLs. Use an HTTP header. This answer here shows details on how to exclude logs. I have not confirmed the answer but it looks interesting: https://stackoverflow.com/a/76354772/8016720 – John Hanley May 29 '23 at 18:17
  • Will try out the exclusion, thanks. Why is this a security issue? Google does exactly this with https://www.googleapis.com/oauth2/v3/userinfo?access_token= – Fredrik Nilsson May 30 '23 at 08:30
  • Google search on this issue; there are articles that cover why. One common reason is that systems log HTTP request URLs. They wind up in log files, monitoring systems, analyzers, reports, etc. Putting sensitive information in a URL is considered a bad practice. https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url – John Hanley May 30 '23 at 16:47

1 Answers1

2

Compiling all information in the comments as a community wiki for everyone's visibility.

It is not possible to turn off these logs in Cloud Logging. What you can do is use log exclusion to exclude the logs from the default bucket and add them in a dedicated log bucket. After that, you can manage who can access the logs. You can also check the answer to this post as it shows details on how to exclude logs.

Another thing to check is that sensitive information in HTTP request URLs is a security issue. Putting sensitive information in a URL is considered bad practice.

Michael C
  • 308
  • 1
  • 6