Bug
Resolution: Not a Bug
4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z
Quality / Stability / Reliability
Description of problem:
OpenShift Must-Gather appears to be inadvertently gathering sensitive AWS credentials, specifically the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. These credentials are typically stored as environment variables, within configuration files (e.g., ~/.aws/credentials, /etc/kubernetes/cloud/aws.conf), or as Kubernetes secrets, and are used by various OpenShift components and deployed applications to interact with AWS services.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Configure an OpenShift cluster with integration to AWS (e.g., using AWS EBS for persistent volumes, or deploying applications that utilize AWS SDKs).
2. Ensure that AWS credentials (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) are present in the environment (e.g., as environment variables in pods, or within relevant configuration files/secrets).
3. Execute the oc adm must-gather command to initiate a collection.
4. Extract the generated must-gather bundle.
5. Search within the extracted files for strings like AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY or their corresponding values.
Actual results:
The must-gather bundle contains cleartext AWS access key IDs and secret access keys.
Expected results:
The OpenShift Must-Gather tool should redact, mask, or entirely exclude sensitive AWS credentials from the collected diagnostic bundle. Only non-sensitive configuration details or metadata should be included.
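The search in step 5 and the redaction the expected result asks for, as an added Python example that is not part of this bug report or of the must-gather tooling: it scans an extracted bundle for AWS key IDs and secret values and writes a redacted copy to share with support. The credential patterns and the sample bundle content are assumptions; the sample uses the placeholder key pair from AWS documentation.

```python
"""Pre-upload pass over an extracted must-gather tree: copy it with AWS credentials redacted."""
import re
from pathlib import Path

# Assumed patterns (not from the bug report): access key IDs are 20 chars starting with
# AKIA (long-term) or ASIA (STS); secret keys are 40 base64-style chars.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# key=value / key: value forms (~/.aws/credentials, aws.conf, env dumps), case-insensitive
SECRET_KV_RE = re.compile(r"(?i)(aws_secret_access_key\s*[:=]\s*[\"']?)([A-Za-z0-9/+=]{40})")
# Kubernetes manifest env entries: "- name: AWS_SECRET_ACCESS_KEY" followed by "value: ..."
SECRET_ENV_RE = re.compile(r"(name:\s*AWS_SECRET_ACCESS_KEY\s*\n\s*value:\s*[\"']?)([A-Za-z0-9/+=]{40})")
REDACTED = "<REDACTED>"

def redact_text(text: str) -> tuple[str, int]:
    """Return the text with credential values replaced and the number of replacements."""
    count = 0

    def keep_key_drop_value(m: re.Match) -> str:
        nonlocal count
        count += 1
        return m.group(1) + REDACTED  # keep the key name so the dump stays diagnosable

    text = SECRET_KV_RE.sub(keep_key_drop_value, text)
    text = SECRET_ENV_RE.sub(keep_key_drop_value, text)
    text, n_ids = ACCESS_KEY_ID_RE.subn(REDACTED, text)
    return text, count + n_ids

def redact_tree(src: Path, dst: Path) -> int:
    """Write a redacted copy of every file under src into dst; return total redactions."""
    total = 0
    for path in (p for p in src.rglob("*") if p.is_file()):
        redacted, n = redact_text(path.read_text(errors="ignore"))
        target = dst / path.relative_to(src)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(redacted)
        total += n
    return total

# Constructed sample (not a real bundle): a pod env dump plus a credentials-file fragment,
# using the placeholder key pair from AWS documentation.
SAMPLE = """\
    env:
    - name: AWS_ACCESS_KEY_ID
      value: AKIAIOSFODNN7EXAMPLE
    - name: AWS_SECRET_ACCESS_KEY
      value: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
```

Run `redact_tree(Path("must-gather.local.xxx"), Path("must-gather.redacted"))` on the extracted bundle and grep the copy for the patterns before uploading it; a non-zero return value means the original bundle contained credentials and should be treated as such.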
Additional info: