
AWS and Google Cloud command-line tools can expose secrets in CI/CD logs

April 17, 2024

Security researchers warn that certain commands executed in the AWS and Google Cloud command-line interfaces (CLIs) return credentials and other secrets stored in environment variables as part of their standard output. If such commands are executed as part of build workflows in CI/CD tools, the secrets will be included in the resulting build logs.

AWS and Google Cloud consider this expected behavior: it is up to users to ensure that sensitive command output is not saved in logs, or that sensitive credentials are stored securely and not in environment variables. The Microsoft Azure CLI had similar behavior, but Microsoft flagged it as an information disclosure vulnerability and fixed it back in November.
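One way to keep such output out of build logs is to pipe a step's output through a filter that masks the values of sensitive environment variables. This is an added example, not code from the article or from either vendor. The name pattern, the minimum length and the sample data are assumptions constructed for illustration.

```python
import json
import os
import re
import sys

# Variable-name fragments treated as sensitive (assumption: tune per pipeline).
SENSITIVE = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY|CREDENTIAL", re.I)
MIN_LEN = 6  # ignore short values so common substrings are not masked


def secret_forms(env):
    """Map each sensitive variable name to the forms its value can take in output."""
    forms = {}
    for name, value in env.items():
        if SENSITIVE.search(name) and len(value) >= MIN_LEN:
            # CLIs usually print JSON, where quotes and backslashes are escaped.
            forms[name] = {value, json.dumps(value)[1:-1],
                           json.dumps(value, ensure_ascii=False)[1:-1]}
    return forms


def leaked_names(text, env):
    """Names of sensitive variables whose value appears in the text."""
    return sorted(n for n, fs in secret_forms(env).items() if any(f in text for f in fs))


def redact(text, env, mask="***"):
    """Replace every occurrence of a sensitive value, longest form first."""
    all_forms = set().union(*secret_forms(env).values())
    for form in sorted(all_forms, key=len, reverse=True):
        text = text.replace(form, mask)
    return text


# Constructed sample: an environment and a CLI-style JSON response echoing it.
SAMPLE_ENV = {"DB_PASSWORD": 'hunter2"\\x', "PATH": "/usr/bin", "API_TOKEN": "abc"}
SAMPLE_OUTPUT = json.dumps(
    {"Environment": {"Variables": {"DB_PASSWORD": SAMPLE_ENV["DB_PASSWORD"], "STAGE": "prod"}}})

if __name__ == "__main__":
    # Filter use in a build step: <cli command> 2>&1 | python3 redact_env.py
    data = sys.stdin.read()
    sys.stdout.write(redact(data, os.environ))
    names = leaked_names(data, os.environ)
    if names:
        print("redacted values of: " + ", ".join(names), file=sys.stderr)
```

The filter only masks values it can see in its own environment, so it complements rather than replaces keeping credentials out of environment variables.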

Read More on CSO Online