I almost pushed my S3 credentials to a public GitHub repo for the third time in one day.

So, I got curious. Are there people out there who forget to cover their tracks?

A quick search shows quite a few 'open' buckets out there. What's the best way to warn these folks? What other credentials are lurking out there?

Here's the search:
http://github.com/search?langOverride=&language=&q=S3+Base.establish_connection&repo=&start_value=1&type=Code&x=0&y=0

And the first open bucket I found:
http://github.com/prakashraman/jammmin/blob/a668672c69fafdb8317fec4fb19b7abb0b318e1a/app/scripts/s3_connect.rb
In case anyone else made this mistake, GitHub's help section has an article describing the steps needed to remove sensitive data from a git repo:

http://help.github.com/removing-sensitive-data/
It's something that almost happened to me too. A git repository for a project that at first, in the prototype stage, had credentials hard-coded, but inevitably moved on to be config-file-driven.

I concocted the following command to change all mentions of a specific word to another word, in a git repository:

<pre><code>git filter-branch --tree-filter "find . -type f -exec sed -i -e 's/originalpassword/newpassword/g' {} \;"</code></pre>

Use this to check if there are any mentions of some word, e.g. your password, in the repository:

<pre><code>git filter-branch --tree-filter "grep -r originalpassword * || true"</code></pre>
My God, I can't believe I left it there. While I was developing a while ago I had put it there and completely forgot to remove it. What a costly mistake this could've been or even is.

Thank you, kabuks, so much for noticing this. I have changed my S3 key pair and am getting to cleaning up my git commits.

My God! But thanks so much.
What I have done to prevent that is to use the OS's environment variables:

http://github.com/roder/riakaws/blob/master/clouds.rb#L10
There is a "message" button on each github user page.

I just sent this to a few people (including someone who had forked one of my projects and added their S3 keys to a config file):

Noticed you have your Amazon S3 keys out in the open on github. You might want to remove those config files from your repository as described in the thread here:

http://news.ycombinator.com/item?id=1574211

-Pete
Might be worth setting up a git hook to scan your commits for sensitive data.

Of course you'll need to include that sensitive data in the script, though the first few characters of AWS credentials should be unique enough.

I thought about setting up something similar for networking. If a packet contains my password in cleartext then pop up a warning allowing/denying (denying would have to force the connection to close, I guess). Might be too much overhead though.
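A concrete version of that hook, added here as an illustration and not something posted in the thread: a Ruby script that scans the staged diff for AWS-looking credentials and refuses the commit when it finds one. It matches the shape of a key rather than your own key, so the secret itself never has to live in the hook. The patterns are assumptions (access key IDs as 20 uppercase alphanumerics starting with AKIA, secret keys as 40 base64-style characters sitting next to a secret-key-looking name), and the sample diff is constructed; nothing in it is a real credential.

```ruby
#!/usr/bin/env ruby
# Added example, not from the thread: a pre-commit scanner for AWS-style keys.
# Hook mode (`--staged`) reads `git diff --cached` and exits 1 on a hit;
# with no arguments it runs against the constructed sample diff below.

# Assumed key shapes: access key IDs are "AKIA" + 16 uppercase alphanumerics;
# secret keys are 40 base64-ish characters, only flagged when they follow a
# name like secret_access_key or aws_secret to keep false positives down.
SECRET_PATTERNS = {
  'AWS access key ID'     => /\bAKIA[0-9A-Z]{16}\b/,
  'AWS secret access key' => /(?:secret[_-]?access[_-]?key|aws[_-]?secret)\W{0,5}['"]?([A-Za-z0-9\/+=]{40})(?![A-Za-z0-9\/+=])/i,
}.freeze

# One hit: which line of the diff text, what kind of secret, the raw line.
Finding = Struct.new(:diff_line, :kind, :line)

# Scan only added lines of a unified diff ("+" lines, skipping the "+++" file
# header); removed or context lines are not about to be committed.
def scan_diff(diff_text)
  findings = []
  diff_text.each_line.with_index(1) do |line, n|
    next unless line.start_with?('+') && !line.start_with?('+++')
    SECRET_PATTERNS.each do |kind, re|
      findings << Finding.new(n, kind, line.chomp) if line =~ re
    end
  end
  findings
end

# Mask a matched line before printing so the hook itself does not echo the key.
def redact(line)
  line.gsub(/AKIA[0-9A-Z]{16}/) { |m| m[0, 4] + '*' * (m.length - 4) }
      .gsub(/[A-Za-z0-9\/+=]{40}/) { |m| m[0, 4] + '*' * (m.length - 4) }
end

# Constructed sample of what `git diff --cached` might show for a YAML config
# file; the key values are made up for this example.
SAMPLE_DIFF = <<~DIFF
  diff --git a/config/s3.yml b/config/s3.yml
  +++ b/config/s3.yml
  @@ -0,0 +1,3 @@
  +access_key_id: AKIAEXAMPLEKEY000000
  +secret_access_key: "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
  +bucket: my-photos
  -old_line: nothing
DIFF

if __FILE__ == $PROGRAM_NAME
  if ARGV.include?('--staged')
    # Hook mode: wire up with `exec ruby /path/to/scan_secrets.rb --staged`
    # in .git/hooks/pre-commit. A non-zero exit aborts the commit.
    findings = scan_diff(`git diff --cached --unified=0`)
    findings.each { |f| warn "#{f.kind} at diff line #{f.diff_line}: #{redact(f.line)}" }
    exit(findings.empty? ? 0 : 1)
  else
    # Demo mode: show what the hook would report for the constructed sample.
    scan_diff(SAMPLE_DIFF).each do |f|
      puts "#{f.kind} at diff line #{f.diff_line}: #{redact(f.line)}"
    end
  end
end
```

Because the hook keys on the format of a credential rather than its value, it also catches keys you did not know were in the tree (a forked config, a teammate's credentials), and the redacted report keeps the key out of your terminal scrollback and any CI log that captures hook output.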
Rather than store passwords or sensitive config data in a file I'll usually try to store them in an environment variable. Heroku has a little guide on this: http://docs.heroku.com/config-vars
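The environment-variable approach, as an added example (not code from the thread or from the linked repositories): a small Ruby loader that fails fast when the variables are absent and redacts the secret in inspect/to_s so it cannot leak into logs or error output. The variable names AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are assumptions, as are the :access_key_id and :secret_access_key option keys, which are what I recall the aws-s3 gem's establish_connection! taking.

```ruby
# Added example, not from the thread: load S3 credentials from the
# environment instead of a file that might get committed.
REQUIRED_VARS = %w[AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY].freeze

class S3Credentials
  attr_reader :access_key_id, :secret_access_key

  def initialize(access_key_id, secret_access_key)
    @access_key_id = access_key_id
    @secret_access_key = secret_access_key
  end

  # `env` defaults to the real process environment; a plain Hash can be
  # passed in for tests. Missing or blank variables abort with a message
  # that names the variable but never echoes any value.
  def self.from_env(env = ENV)
    missing = REQUIRED_VARS.select { |k| env[k].nil? || env[k].strip.empty? }
    unless missing.empty?
      raise ArgumentError, "missing environment variables: #{missing.join(', ')} " \
                           '(set them in the shell or deploy config, not in a committed file)'
    end
    new(env['AWS_ACCESS_KEY_ID'], env['AWS_SECRET_ACCESS_KEY'])
  end

  # Option hash in the shape assumed for AWS::S3::Base.establish_connection!
  def connection_options
    { access_key_id: @access_key_id, secret_access_key: @secret_access_key }
  end

  # Redacted representation: logging or `p`-ing this object is safe.
  def to_s
    "#<S3Credentials access_key_id=#{@access_key_id} secret_access_key=[REDACTED]>"
  end
  alias inspect to_s
end

if __FILE__ == $PROGRAM_NAME
  begin
    puts S3Credentials.from_env
  rescue ArgumentError => e
    puts "refusing to start: #{e.message}"
  end
end
```

Passing `env` explicitly keeps the loader testable without touching the real environment, and the redacted `inspect` matters more than it looks: exception messages and debug dumps are the usual second place a secret escapes to once it has been kept out of the repository.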
There is a business opportunity here. Managing credentials and secrets (passwords, private certs, etc.) is hard. Making that process turnkey, secure and easy would be useful.
A more precise search
http://github.com/search?langOverride=&language=yaml&q=access_key_id+!ENV+!Panda&repo=&start_value=2&type=Code&x=16&y=20
Yeah, this is a typical mistake, I've pushed Django's secret keys and even twitter credentials.

PS: I do it all the time on my private repos but I try to not do it on the public ones.