Private AWS credentials being shared with Serverless.com?

jheising · January 6, 2021, 12:26am

I’ve been having trouble with a deployment with a serverless-component, so I’ve been trying to debug it. Stepping through the code, I actually thought I’d be able to step into the component itself and see what was going on.

But to my surprise I couldn’t actually debug it, because the component doesn’t actually exist on my computer… Apparently the serverless cli is sending a request to a server, and the request seems to include everything serverless needs to build and deploy the actual service— which includes my AWS credentials…

Is this a well-known thing? Is there a way to force serverless to build and deploy locally? This really caught me be surprise, and to be honest I’m not very happy about it. I’ve been a loyal user of serverless for years, but this really has me spooked and seems like a major security issue to me.

chris-hinds · October 11, 2021, 2:18pm

I might be totally wrong here but is this not expected behavior? when you run sls deploy for instance the serverless cli is making a connection to serverless and pulling the credentials it needs to deploy the cloud formation templates that it generated.

If you sign out of the serverless cli and run the same deploy command it will look for AWS credentials on your local machine.

Topic		Replies	Views
Does Serverless, Inc ever see my AWS credentials? Serverless Framework aws , security	6	2305	November 25, 2020
Error on 'serverless deploy.' using aws configuration. permission issue Serverless Framework aws	0	787	May 14, 2020
Serverless AWS-secrets Manger local development cannot retrieve secrets Serverless Framework aws	0	415	November 5, 2019
Can SLS component deploys use AWS profiles? Serverless Framework aws	7	4034	September 14, 2020
1.76.1 "serverless package" requires AWS credentials? Serverless Framework aws	1	377	July 27, 2020

Private AWS credentials being shared with Serverless.com?

Related topics