Private AWS credentials being shared with

I’ve been having trouble with a deployment with a serverless-component, so I’ve been trying to debug it. Stepping through the code, I actually thought I’d be able to step into the component itself and see what was going on.

But to my surprise I couldn’t actually debug it, because the component doesn’t actually exist on my computer… Apparently the serverless cli is sending a request to a server, and the request seems to include everything serverless needs to build and deploy the actual service— which includes my AWS credentials…

Is this a well-known thing? Is there a way to force serverless to build and deploy locally? This really caught me by surprise, and to be honest I’m not very happy about it. I’ve been a loyal user of serverless for years, but this really has me spooked and seems like a major security issue to me.

I might be totally wrong here, but is this not expected behavior? When you run sls deploy, for instance, the serverless cli is making a connection to serverless and pulling the credentials it needs to deploy the CloudFormation templates that it generated.

If you sign out of the serverless cli and run the same deploy command it will look for AWS credentials on your local machine.