Mark tokens as sensitive in data sources (#416)

blink-so[bot] · matifali · web-flow · commit f239e51ecbaf · 2025-06-30T12:41:17.000+05:00
* Mark tokens as sensitive in data sources Mark the following attributes as sensitive to prevent them from being logged or displayed in Terraform output: - data.coder_workspace_owner.me.oidc_access_token - data.coder_workspace_owner.me.session_token - data.coder_external_auth.example.access_token This follows the same pattern as ssh_private_key and agent token which are already marked as sensitive. Fixes #266 Co-authored-by: matifali <10648092+matifali@users.noreply.github.com> * Update documentation for sensitive token attributes Regenerate documentation to reflect that oidc_access_token, session_token, and access_token are now marked as sensitive in the schema. Co-authored-by: matifali <10648092+matifali@users.noreply.github.com> --------- Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com> Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
diff --git a/docs/data-sources/external_auth.md b/docs/data-sources/external_auth.md
@@ -39,4 +39,4 @@ data "coder_external_auth" "azure-identity" {
 
 ### Read-Only
 
-- `access_token` (String) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
+- `access_token` (String, Sensitive) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
diff --git a/docs/data-sources/workspace_owner.md b/docs/data-sources/workspace_owner.md
@@ -52,9 +52,9 @@ resource "coder_env" "git_author_email" {
 - `id` (String) The UUID of the workspace owner.
 - `login_type` (String) The type of login the user has.
 - `name` (String) The username of the user.
-- `oidc_access_token` (String) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
+- `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
 - `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles))
-- `session_token` (String) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
+- `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
 - `ssh_private_key` (String, Sensitive) The user's generated SSH private key.
 - `ssh_public_key` (String) The user's generated SSH public key.
 
diff --git a/provider/externalauth.go b/provider/externalauth.go
@@ -37,6 +37,7 @@ func externalAuthDataSource() *schema.Resource {
 				Type:        schema.TypeString,
 				Description: "The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.",
 				Computed:    true,
+				Sensitive:   true,
 			},
 			"optional": {
 				Type:        schema.TypeBool,
diff --git a/provider/workspace_owner.go b/provider/workspace_owner.go
@@ -113,13 +113,15 @@ func workspaceOwnerDataSource() *schema.Resource {
 				Type:        schema.TypeString,
 				Computed:    true,
 				Description: "Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.",
+				Sensitive:   true,
 			},
 			"oidc_access_token": {
 				Type:     schema.TypeString,
 				Computed: true,
 				Description: "A valid OpenID Connect access token of the workspace owner. " +
 					"This is only available if the workspace owner authenticated with OpenID Connect. " +
 					"If a valid token cannot be obtained, this value will be an empty string.",
+				Sensitive: true,
 			},
 			"login_type": {
 				Type:        schema.TypeString,

Original file line number	Diff line number	Diff line change
`@@ -39,4 +39,4 @@ data "coder_external_auth" "azure-identity" {`
`39`	`39`
`40`	`40`	`### Read-Only`
`41`	`41`
`42`		-- `access_token` (String) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
	`42`	+- `access_token` (String, Sensitive) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.