Skip to content

Redact CodeArtifact tokens from pip install logs#5851

Open
NguyenCong2k wants to merge 1 commit into
aws:masterfrom
NguyenCong2k:fix-codeartifact-token-log-redaction
Open

Redact CodeArtifact tokens from pip install logs#5851
NguyenCong2k wants to merge 1 commit into
aws:masterfrom
NguyenCong2k:fix-codeartifact-token-log-redaction

Conversation

@NguyenCong2k
Copy link
Copy Markdown

@NguyenCong2k NguyenCong2k commented May 13, 2026

Summary

  • redact credentials embedded in package index URLs before logging pip commands
  • keep the actual pip command unchanged
  • add regression coverage for CodeArtifact index URL redaction

Test

python -m pytest sagemaker-core/tests/unit/test_install_requirements.py -q

Copilot AI review requested due to automatic review settings May 13, 2026 17:14
Copilot AI reviewed May 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the CodeArtifact-aware requirements installer to redact credentials from logged pip commands while preserving the actual command used for installation.

Changes:

  • Adds URL credential redaction for pip command logging.
  • Updates install_requirements logging to use the redacted command representation.
  • Adds regression coverage to ensure CodeArtifact tokens are not logged.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
sagemaker-core/src/sagemaker/core/utils/install_requirements.py Adds URL credential redaction and applies it to pip command logging.
sagemaker-core/tests/unit/test_install_requirements.py Adds log-capture coverage for CodeArtifact token redaction.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread sagemaker-core/src/sagemaker/core/utils/install_requirements.py Outdated
Comment on lines +127 to +129
if parts.username is not None:
username = quote(parts.username, safe="")
netloc = f"{username}:****@{host}"
Copy link
Copy Markdown
Author

@NguyenCong2k NguyenCong2k May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the redaction helper to redact the full URL userinfo instead of preserving the username. This now covers username-only token auth as well as username:password URLs.\n\nTest:\n\n\�ash\npython -m pytest sagemaker-core/tests/unit/test_install_requirements.py -q\n\n\nResult: 24 passed.

@NguyenCong2k NguyenCong2k force-pushed the fix-codeartifact-token-log-redaction branch from 02ac171 to 05fcce5 Compare May 14, 2026 01:03
@NguyenCong2k
Copy link
Copy Markdown
Author

NguyenCong2k commented May 14, 2026

Updated the redaction helper to redact the full URL userinfo instead of preserving the username. This now covers username-only token auth as well as username:password URLs.\n\nTest:\n\n\\�ash\npython -m pytest sagemaker-core/tests/unit/test_install_requirements.py -q\n\\n\nResult: 24 passed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NguyenCong2k