Hiding AWS Credentials in Test Tracing Outputs

Kashyap C. · 2025-02-10T21:40:07.253Z

I'm setting up some tracing on my tests but I'm passing in aws_credentials as a parameter to my testing function. I'd like if the actual values of my aws credentials to not be logged. Is there a way to hide them?

RunLLM
APP
·
Yes, you can hide sensitive information like AWS credentials in your tracing logs by using the TraceConfig class to configure masking rules. You can set the hide_inputs or hide_input_messages parameters to True to prevent input values or messages from being logged. This will ensure that sensitive data such as AWS credentials are not exposed in your logs.LBKSfrom openinference.instrumentation import TraceConfigLBKSconfig = TraceConfig( hide_inputs=True, # Hides all input values hide_input_messages=True # Hides all input messages )LBKSWould you like more detail?Sources: - OpenInference Instrumentation Config - Masking Span Attributes
💡 Hint: Mention RunLLM in the thread for followups.
Kashyap C.
·
I tried TraceConfig & hide_inputs, and it didn't work.
Anthony P.
·
Sorry to hear you are having issues with this. Can I have some more details, such as which instrumentation you are using and what version? In the meantime, have you tried hide_llm_invocation_parameters=True in your TraceConfig?
Samantha Z.
·
Kashyap C. I'm going to pick this up, unless you figured it out?
✅1
Samantha Z.
·
Anthony P. I am trying that parameter and it's having no effect.
Kashyap C.
·
Thanks Sam! I did try that as well.
Samantha Z.
·
Yeah I'm wondering if we can just mask a specific key, I need to look at how to do that
Kashyap C.
·
Some more context here, we're instrumenting a test, and test has these pytest fixtures. So really we want to just hide one of those fixtures.
Samantha Z.
·
Even without that though, we should be able to mask the credentials
Samantha Z.
·
But that's a good point, I wonder if it won't work because of how it's running through the fixture

Samantha Z.

It looks like we should be able to use something like what's in the example above, maybe:

    Examples:
        with suppress_tracing():
            # No tracing will occur within this block
            ...

Samantha Z.
·
that will work for the s3 client, not sure if we can use it anywhere else, though
Samantha Z.
·
sadly it looks like we might be better off doing manual instrumentation with specifically defined spans, and just exclude the ones we don't want
Samantha Z.
·
maybe we can modify our @tracer.chain decorator to handle this 🤔

Samantha Z.

To do it with opentelemetry you'd do something like this:

from opentelemetry.exporter.otlp import OTLPExporter

from opentelemetry.sdk.trace import TracerProvider

from opentelemetry.sdk.trace.export import BatchExportSpanProcessor



# Define a custom processor to redact sensitive attributes

class RedactionProcessor:

    def __init__(self, sensitive_attributes):

        self.sensitive_attributes = sensitive_attributes



    def process_span(self, span):

        for key in self.sensitive_attributes:

            if key in span.attributes:

                span.attributes[key] = "REDACTED"

        return span



# Configure the OpenTelemetry Collector

collector = OTLPExporter(endpoint="your-monitoring-endpoint")



# Create a tracer provider and add the custom processor

provider = TracerProvider()

processor = BatchExportSpanProcessor(collector, RedactionProcessor(["credit_card", "user_password"]))

provider.add_span_processor(processor)



# Use the tracer to create spans in your application code

tracer = provider.get_tracer("your-application-name")

Which doesn't look too bad

Hiding AWS Credentials in Test Tracing Outputs

41 comments

Hiding AWS Credentials in Test Tracing Outputs

41 comments