Labels: bug, needs triage (Waiting for discussion / prioritization by team)
Description
Steps to Reproduce
- Add an AWS IID provisioner to step-ca.
- Configure step-ca as a registration authority to a Vault CA (this is our config, but I don't think it is required to reproduce the issue).
- Use the step ca certificate command to send a request to create a key and certificate from an AWS EC2 instance using the AWS IID provisioner.
Your Environment
- OS: Linux
- step-ca version: 0.28.0
Expected Behavior
The server side logs should not contain any secret, security tokens or any sensitive data.
Actual Behavior
The server side log contains something like {"certificate":"<cert_content>","duration":"1.601449404s","duration-ns":1601449404,"fields.time":"2025-05-20T06:00:03Z","issuer":"Dev Device CA","level":"info","method":"POST","msg":"","name":"ca","ott":"<ott_jwt>",...}
The <ott_jwt> is a JWT; when decoded, it contains an AWS IID with its signature, which can be obtained and used to forge a cert request from non-AWS EC2 instances.
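The fix on the server side is to make sure the one-time token never reaches the log sink. The following Go program is an added illustration of that kind of log scrubbing; it is not step-ca's own code. It takes a JSON log record in the shape quoted above, blanks a fixed list of field names (only "ott" comes from this report; "token" and "authorization" are assumed names) and additionally scrubs any JWT-shaped substring from every other string value, so a token that ends up inside a free-text message is caught as well. The sample record and the JWT in it are constructed for the example, not real values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// jwtPattern matches a compact JWS/JWT anywhere inside a string. Every JWT
// header is the base64url encoding of a JSON object, so it starts with "eyJ".
var jwtPattern = regexp.MustCompile(`eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*`)

// sensitiveKeys are log fields replaced wholesale, whatever they hold.
// "ott" is the field name from the report; the other two are assumed names.
var sensitiveKeys = map[string]bool{"ott": true, "token": true, "authorization": true}

const redacted = "[REDACTED]"

// SampleLogLine is a constructed record in the shape quoted in the report.
// The ott value is a made-up header.payload.signature string, not a real token.
const SampleLogLine = `{"certificate":"<cert_content>","duration":"1.601449404s",` +
	`"duration-ns":1601449404,"fields.time":"2025-05-20T06:00:03Z",` +
	`"issuer":"Dev Device CA","level":"info","method":"POST","msg":"",` +
	`"name":"ca","ott":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJpLTAxMjM0In0.c2lnbmF0dXJl"}`

// RedactLogLine parses one JSON log record, blanks the sensitive fields and
// scrubs JWT-shaped substrings from every other string value. It returns the
// sanitized record and the sorted names of the fields that were changed.
func RedactLogLine(line string) (string, []string, error) {
	var rec map[string]interface{}
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return "", nil, fmt.Errorf("not a JSON log record: %w", err)
	}
	var hits []string
	for key, val := range rec {
		s, isString := val.(string)
		switch {
		case sensitiveKeys[key]:
			rec[key] = redacted
			hits = append(hits, key)
		case isString && jwtPattern.MatchString(s):
			rec[key] = jwtPattern.ReplaceAllString(s, redacted)
			hits = append(hits, key)
		}
	}
	sort.Strings(hits)
	out, err := json.Marshal(rec) // map keys are emitted in sorted order
	if err != nil {
		return "", nil, err
	}
	return string(out), hits, nil
}

func main() {
	clean, hits, err := RedactLogLine(SampleLogLine)
	if err != nil {
		panic(err)
	}
	fmt.Println("redacted fields:", hits)
	fmt.Println(clean)
}
```

Running the program on the sample record reports "ott" as the only redacted field and prints the record with the token replaced by [REDACTED] while the certificate, issuer and timing fields are left untouched. The "eyJ" prefix check is deliberately broad: it would also scrub an unrelated base64url string that happens to start that way, which is the safer failure mode for a CA log.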
fruechel-canva