From 367ebca1659e99ff1ae56159d3359ed52ad7792c Mon Sep 17 00:00:00 2001 From: "blink-so[bot]" <211532188+blink-so[bot]@users.noreply.github.com> Date: Fri, 27 Jun 2025 14:14:35 +0000 Subject: [PATCH 1/2] Mark tokens as sensitive in data sources Mark the following attributes as sensitive to prevent them from being logged or displayed in Terraform output: - data.coder_workspace_owner.me.oidc_access_token - data.coder_workspace_owner.me.session_token - data.coder_external_auth.example.access_token This follows the same pattern as ssh_private_key and agent token which are already marked as sensitive. Fixes #266 Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
---
 provider/externalauth.go | 1 + provider/workspace_owner.go | 2 ++ 2 files changed, 3 insertions(+)
diff --git a/provider/externalauth.go b/provider/externalauth.go
index 915a21a9..b278ecc1 100644
--- a/provider/externalauth.go
+++ b/provider/externalauth.go
@@ -37,6 +37,7 @@ func externalAuthDataSource() *schema.Resource {
 Type: schema.TypeString,
 Description: "The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.",
 Computed: true,
+ Sensitive: true,
 },
 "optional": {
 Type: schema.TypeBool,
diff --git a/provider/workspace_owner.go b/provider/workspace_owner.go
index 078047ff..109b0b93 100644
--- a/provider/workspace_owner.go
+++ b/provider/workspace_owner.go
@@ -113,6 +113,7 @@ func workspaceOwnerDataSource() *schema.Resource {
 Type: schema.TypeString,
 Computed: true,
 Description: "Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.",
+ Sensitive: true,
 },
 "oidc_access_token": {
 Type: schema.TypeString,
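Review bot: The `Sensitive: true` added to `access_token` only redacts the value in plan/apply output; the token is still written to Terraform state in plaintext, and the attribute's Description does not say so. Because the commit message frames the change as preventing the tokens from being logged or displayed, I would append one sentence to the Description, e.g. `The value is redacted in Terraform output but is still stored in state, so access to the state backend must be restricted.` The same wording applies to `session_token` and `oidc_access_token` in the two hunks of provider/workspace_owner.go. The enclosing schema map starts and ends outside the hunk.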
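Review bot: Existing templates can start failing after this change, because the `Sensitive: true` on `session_token` (and on `oidc_access_token` in the next hunk and `access_token` in provider/externalauth.go) makes Terraform treat every expression derived from the value as sensitive; a root-module `output` that references one of these tokens without `sensitive = true` is then rejected at plan time. Neither patch in the series adds an upgrade or changelog note, as far as the visible files show. I would add a short note telling template authors to mark such outputs `sensitive = true` rather than wrapping the token in `nonsensitive()` to restore the old display. A schema test asserting the `Sensitive` flag on the three attributes would also keep a later edit from silently dropping it.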
@@ -120,6 +121,7 @@ func workspaceOwnerDataSource() *schema.Resource {
 Description: "A valid OpenID Connect access token of the workspace owner. " +
 "This is only available if the workspace owner authenticated with OpenID Connect. " +
 "If a valid token cannot be obtained, this value will be an empty string.",
+ Sensitive: true,
 },
 "login_type": {
 Type: schema.TypeString,
From 9066074a12a3c54b97026f053109642be08ea527 Mon Sep 17 00:00:00 2001 From: "blink-so[bot]" <211532188+blink-so[bot]@users.noreply.github.com> Date: Fri, 27 Jun 2025 14:20:02 +0000 Subject: [PATCH 2/2] Update documentation for sensitive token attributes Regenerate documentation to reflect that oidc_access_token, session_token, and access_token are now marked as sensitive in the schema. Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
---
 docs/data-sources/external_auth.md | 2 +- docs/data-sources/workspace_owner.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/data-sources/external_auth.md b/docs/data-sources/external_auth.md
index e4089f24..d1e6d649 100644
--- a/docs/data-sources/external_auth.md
+++ b/docs/data-sources/external_auth.md
@@ -39,4 +39,4 @@ data "coder_external_auth" "azure-identity" {
 ### Read-Only
-- `access_token` (String) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
+- `access_token` (String, Sensitive) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
diff --git a/docs/data-sources/workspace_owner.md b/docs/data-sources/workspace_owner.md
index 2a912e1f..f16480ef 100644
--- a/docs/data-sources/workspace_owner.md
+++ b/docs/data-sources/workspace_owner.md
@@ -52,9 +52,9 @@ resource "coder_env" "git_author_email" { - `id` (String) The UUID of the workspace owner. - `login_type` (String) The type of login the user has. - `name` (String) The username of the user. -- `oidc_access_token` (String) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string. +- `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string. - `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles)) -- `session_token` (String) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started. +- `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started. - `ssh_private_key` (String, Sensitive) The user's generated SSH private key. - `ssh_public_key` (String) The user's generated SSH public key. pFad - Phonifier reborn
