fix(logging): report only top exception message to avoid error truncation;

doebrowsk · doebrowsk · commit 4a9ca8f156f9 · 2025-06-09T16:20:39.000Z
remove logging of sensitive info;
diff --git a/aws-acm-orchestrator/Jobs/Inventory.cs b/aws-acm-orchestrator/Jobs/Inventory.cs
@@ -51,13 +51,11 @@ public Inventory(IPAMSecretResolver pam, ILogger<Inventory> logger)
         public JobResult ProcessJob(InventoryJobConfiguration jobConfiguration, SubmitInventoryUpdate submitInventoryUpdate)
         {
             Logger.MethodEntry();
-            Logger.LogTrace($"Deserializing Cert Store Properties: {jobConfiguration.CertificateStoreDetails.Properties}");
+
+            Logger.LogTrace("Deserializing Store Properties to AuthCustomFieldParameters object.");
             AuthCustomFieldParameters customFields = JsonConvert.DeserializeObject<AuthCustomFieldParameters>(jobConfiguration.CertificateStoreDetails.Properties,
                     new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate });
-            //
-            // TODO: Prevent logging of credentials, changes to custom fields in this release means logging this object (AND Properties above) logs credentials!!
-            //
-            Logger.LogTrace($"Populated ACMCustomFields: {JsonConvert.SerializeObject(customFields)}");
+            Logger.LogTrace("Deserialized Store Properties.");
 
             AuthenticationParameters authParams = new AuthenticationParameters
             {
@@ -67,9 +65,23 @@ public JobResult ProcessJob(InventoryJobConfiguration jobConfiguration, SubmitIn
             };
 
             Logger.LogTrace("Resolving AWS Credentials object.");
-            AwsExtensionCredential providedCredentials = AuthUtilities.GetCredentials(authParams);
-
+            AwsExtensionCredential providedCredentials;
+            try
+            {
+                providedCredentials = AuthUtilities.GetCredentials(authParams);
+            }
+            catch (Exception ex)
+            {
+                Logger.LogError("An error occurred while trying to get AWS Credentials.");
+                return new JobResult
+                {
+                    Result = OrchestratorJobStatusJobResult.Failure,
+                    JobHistoryId = jobConfiguration.JobHistoryId,
+                    FailureMessage = ex.Message
+                };
+            }
             Logger.LogTrace("AWS Credentials resolved. Performing Inventory.");
+
             return PerformInventory(providedCredentials, jobConfiguration, submitInventoryUpdate);
         }
 
diff --git a/aws-acm-orchestrator/Jobs/Management.cs b/aws-acm-orchestrator/Jobs/Management.cs
@@ -63,13 +63,11 @@ public Management(IPAMSecretResolver pam, ILogger<Management> logger)
         public JobResult ProcessJob(ManagementJobConfiguration jobConfiguration)
         {
             Logger.MethodEntry();
-            Logger.LogTrace($"Deserializing Cert Store Properties: {jobConfiguration.CertificateStoreDetails.Properties}");
+
+            Logger.LogTrace("Deserializing Store Properties to AuthCustomFieldParameters object.");
             AuthCustomFieldParameters customFields = JsonConvert.DeserializeObject<AuthCustomFieldParameters>(jobConfiguration.CertificateStoreDetails.Properties,
                     new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate });
-            //
-            // TODO: Prevent logging of credentials, changes to custom fields in this release means logging this object (AND Properties above) logs credentials!!
-            //
-            Logger.LogTrace($"Populated ACMCustomFields: {JsonConvert.SerializeObject(customFields)}");
+            Logger.LogTrace("Deserialized Store Properties.");
 
             AuthenticationParameters authParams = new AuthenticationParameters
             {
@@ -79,7 +77,21 @@ public JobResult ProcessJob(ManagementJobConfiguration jobConfiguration)
             };
 
             Logger.LogTrace("Resolving AWS Credentials object.");
-            AwsExtensionCredential providedCredentials = AuthUtilities.GetCredentials(authParams);
+            AwsExtensionCredential providedCredentials;
+            try
+            {
+                providedCredentials = AuthUtilities.GetCredentials(authParams);
+            }
+            catch (Exception ex)
+            {
+                Logger.LogError("An error occurred while trying to get AWS Credentials.");
+                return new JobResult
+                {
+                    Result = OrchestratorJobStatusJobResult.Failure,
+                    JobHistoryId = jobConfiguration.JobHistoryId,
+                    FailureMessage = ex.Message
+                };
+            }
             Logger.LogTrace("AWS Credentials resolved.");
 
             // perform add or remove
