From 90c15d73e8fd5156327c12c71c4851e3b78c3617 Mon Sep 17 00:00:00 2001
From: Iulian Mandache <25257851+iul1an@users.noreply.github.com>
Date: Sun, 8 Sep 2024 02:02:43 +0300
Subject: [PATCH] Do not expose the AWS role external id in the logs
---
 pkg/apis/externaldns/types.go | 2 +-
 provider/aws/config.go | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index 02b59a422..021bed14f 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@@ -86,7 +86,7 @@ type Config struct {
 AWSZoneTagFilter []string
 AWSAssumeRole string
 AWSProfiles []string
- AWSAssumeRoleExternalID string
+ AWSAssumeRoleExternalID string `secure:"yes"`
 AWSBatchChangeSize int
 AWSBatchChangeSizeBytes int
 AWSBatchChangeSizeValues int
diff --git a/provider/aws/config.go b/provider/aws/config.go
index bbfca9e97..5908150e7 100644
--- a/provider/aws/config.go
+++ b/provider/aws/config.go
@@ -102,7 +102,8 @@ func newV2Config(awsConfig AWSSessionConfig) (awsv2.Config, error) {
 stsSvc := sts.NewFromConfig(cfg)
 var assumeRoleOpts []func(*stscredsv2.AssumeRoleOptions)
 if awsConfig.AssumeRoleExternalID != "" {
- logrus.Infof("Assuming role: %s with external id %s", awsConfig.AssumeRole, awsConfig.AssumeRoleExternalID)
+ logrus.Infof("Assuming role %s with external id", awsConfig.AssumeRole)
+ logrus.Debugf("External id: %s", awsConfig.AssumeRoleExternalID)
 assumeRoleOpts = []func(*stscredsv2.AssumeRoleOptions){
 func(opts *stscredsv2.AssumeRoleOptions) {
 opts.ExternalID = &awsConfig.AssumeRoleExternalID
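Review bot: The `secure:"yes"` tag on `AWSAssumeRoleExternalID` does nothing by itself; it only masks the value where a tag-aware formatter of `Config` is used, and that formatter is not visible in this hunk. A regression test would pin this down: render a `Config` with a constructed external ID the way the startup log does, and assert the value is absent from the output. A short field comment such as `// masked in log output via the secure tag` would also tell the next reader why this field differs from its neighbours. The `Config` struct starts and ends outside the hunk, so other credential-like fields were not checked.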
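Review bot: The added `logrus.Debugf("External id: %s", awsConfig.AssumeRoleExternalID)` still writes the external ID to the log whenever debug level is enabled. That contradicts the commit title and the `secure:"yes"` tag added in types.go. Debug output usually lands in the same log pipeline as info output, so anyone with log read access can still recover the value while debug logging is on. I would drop the Debugf line and keep only `logrus.Infof("Assuming role %s with external id", awsConfig.AssumeRole)`, since the operator already knows the configured value. `newV2Config` starts and ends outside this hunk, so any other log calls in it were not reviewed.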