fix(use_aws): gate and redact ssm parameter and kms responses #520
Draft
yonib05 wants to merge 3 commits into
Extend the existing sensitive-operation handling to cover AWS Systems Manager Parameter Store reads and KMS key operations, consistent with the consent gate and response redaction already applied to STS, Secrets Manager, and ECR.
- Add ssm get_parameter / get_parameters / get_parameters_by_path and kms decrypt / generate_data_key / generate_data_key_pair to SENSITIVE_OPERATIONS so they prompt for consent.
- Add "plaintext" and "privatekeyplaintext" to SENSITIVE_RESPONSE_KEYS to redact KMS plaintext output.
- Add redact_ssm_parameter_values to scrub SSM Parameter.Value and Parameters[].Value, scoped to ssm responses so unrelated "Value" keys are not touched.
- Add regression tests for the new gating and redaction.
Redaction of sensitive values is part of the consent gate. When BYPASS_TOOL_CONSENT=true, the operator has already disabled consent, so return values unredacted, consistent with how the bypass disables the confirmation prompt. With no env set, the default still prompts for consent and redacts values. Also add a regression test for kms.generate_data_key_pair so its PrivateKeyPlaintext is gated and redacted by default.
/strands-ts review
Review — LGTM ✅
Reviewed the changes locally. This is a focused, well-scoped extension of the #467 sensitive-operation handling.
Verification
Strengths
Minor observations (non-blocking)
No blocking issues — approving. The follow-up note on an opt-in strict-consent env var is a reasonable future direction to keep out of this PR.
Description
Extends the sensitive-operation handling added in #467 to cover two AWS response shapes that currently return sensitive values to the model context without a consent prompt or redaction: SSM Parameter Store reads and KMS key operations.
This reuses the existing SENSITIVE_OPERATIONS set, SENSITIVE_RESPONSE_KEYS set, and redact_sensitive_values pipeline introduced in #467 rather than adding a parallel mechanism.
Behavior change
- ssm get_parameter / get_parameters / get_parameters_by_path and kms decrypt / generate_data_key / generate_data_key_pair now prompt for consent and redact their values by default.
- BYPASS_TOOL_CONSENT=true to skip the consent prompt for these operations. Redaction of sensitive values in the response is independent of the prompt and always applies.
Changes
- SENSITIVE_OPERATIONS (consent gate): ssm get_parameter / get_parameters / get_parameters_by_path, and kms decrypt / generate_data_key / generate_data_key_pair.
- "plaintext" and "privatekeyplaintext" to SENSITIVE_RESPONSE_KEYS so KMS plaintext output is redacted.
- redact_ssm_parameter_values, a narrowly scoped helper that redacts Parameter.Value and Parameters[].Value only for ssm responses. SSM SecureString values are returned under a generic Value key, which is too broad to add to the global key set without redacting unrelated fields, so this targets only the SSM response shapes.
- BYPASS_TOOL_CONSENT skips only the confirmation prompt, not redaction, so sensitive values never reach the model context.
- get_parameter / get_parameters value redaction, KMS decrypt plaintext redaction, KMS generate_data_key_pair private-key redaction, redacted values still returned under BYPASS_TOOL_CONSENT=true, and a non-ssm passthrough check.
Testing
- pytest tests/test_use_aws.py (60 passed)
- ruff format --check and ruff check pass.
Follow-up
Key-name based redaction is inherently incomplete for generically named fields. A possible follow-up is an opt-in STRANDS_USE_AWS_STRICT_CONSENT env var that prompts on every use_aws call, decoupling safety from the maintained allowlist. That is a larger behavior change and is left out of this PR. IAM least-privilege scoping remains the primary control, as documented in the module.
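An added sketch, not the PR's or the project's code, of the two redaction layers the description names: a global key-name pass and an ssm-scoped pass over Parameter.Value and Parameters[].Value. The function names, the [REDACTED] marker, case-insensitive key matching and the sample responses are assumptions constructed for illustration.

```python
import copy

REDACTED = "[REDACTED]"  # placeholder marker (assumed, not taken from the PR)
# Key names quoted in the PR description; matched case-insensitively here (assumption).
SENSITIVE_RESPONSE_KEYS = {"plaintext", "privatekeyplaintext"}


def redact_by_key(node):
    """Recursively replace values whose key name is in SENSITIVE_RESPONSE_KEYS."""
    if isinstance(node, dict):
        return {
            k: REDACTED if str(k).lower() in SENSITIVE_RESPONSE_KEYS else redact_by_key(v)
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [redact_by_key(item) for item in node]
    return node


def redact_ssm_values(service, response):
    """Scrub Parameter.Value and Parameters[].Value, but only for ssm responses."""
    if service != "ssm" or not isinstance(response, dict):
        return response  # a generic "Value" key elsewhere is left untouched
    out = copy.deepcopy(response)  # never mutate the caller's response
    single = out.get("Parameter")
    if isinstance(single, dict) and "Value" in single:
        single["Value"] = REDACTED
    for param in out.get("Parameters") or []:
        if isinstance(param, dict) and "Value" in param:
            param["Value"] = REDACTED
    return out


def redact_response(service, response):
    """Apply the global key-name pass, then the ssm-scoped pass."""
    return redact_ssm_values(service, redact_by_key(response))


# Constructed sample responses (shaped like AWS output, not real data).
SSM_ONE = {"Parameter": {"Name": "/app/db", "Type": "SecureString", "Value": "s3cr3t"}}
SSM_MANY = {"Parameters": [{"Name": "/a", "Value": "x"}, {"Name": "/b", "Value": "y"}],
            "InvalidParameters": []}
KMS_PAIR = {"KeyId": "example-key", "PrivateKeyPlaintext": b"\x30\x82", "PublicKey": b"\x30\x59"}
EC2_TAGS = {"Tags": [{"Key": "env", "Value": "prod"}]}

if __name__ == "__main__":
    for svc, resp in [("ssm", SSM_ONE), ("ssm", SSM_MANY), ("kms", KMS_PAIR), ("ec2", EC2_TAGS)]:
        print(svc, redact_response(svc, resp))
```

The ec2 sample passes through unchanged, which is the non-ssm passthrough case; it also shows why a sensitive value under a generic key in some other service would not be caught by name-based redaction alone.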