From 5c887d68cae631aeb95f07df0de4a3b3ec1c24cf Mon Sep 17 00:00:00 2001
From: Kausthubh J Rao <105716675+Exgene@users.noreply.github.com>
Date: Thu, 14 May 2026 18:16:20 +0530
Subject: [PATCH] feat(api): encrypt AWS creds (#37679)
## Description
As mentioned in #37654 `AWSSecretAccessKey` are not encrypted and stored as is.
## Update
Follow the existing `AuthToken` flow of setting the `Encrypted` fields, `Decrypting` them later and `Clearing` them at the end. Closes #37654
---------
Signed-off-by: Kausthubh J Rao <105716675+Exgene@users.noreply.github.com>
Co-authored-by: Lauris B
Co-authored-by: silverwind
Co-authored-by: Claude (Opus 4.7)
---
 models/admin/task.go | 7 +++++++
 modules/migration/options.go | 4 +++-
 services/task/task.go | 5 +++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/models/admin/task.go b/models/admin/task.go
index 5d2b9bbff6f..7056a8359ec 100644
--- a/models/admin/task.go
+++ b/models/admin/task.go
@@ -137,6 +137,11 @@ func (task *Task) MigrateConfig() (*migration.MigrateOptions, error) {
 log.Error("Unable to decrypt AuthToken, maybe SECRET_KEY is wrong: %v", err)
 }
 }
+ if opts.AWSSecretAccessKeyEncrypted != "" {
+ if opts.AWSSecretAccessKey, err = secret.DecryptSecret(setting.SecretKey, opts.AWSSecretAccessKeyEncrypted); err != nil {
+ log.Error("Unable to decrypt AWSSecretAccessKey, maybe SECRET_KEY is wrong: %v", err)
+ }
+ }
 return &opts, nil
 }
@@ -201,6 +206,8 @@ func FinishMigrateTask(ctx context.Context, task *Task) error {
 conf.AuthPasswordEncrypted = ""
 conf.AuthTokenEncrypted = ""
 conf.CloneAddrEncrypted = ""
+ conf.AWSSecretAccessKey = ""
+ conf.AWSSecretAccessKeyEncrypted = ""
 confBytes, err := json.Marshal(conf)
 if err != nil {
 return err
diff --git a/modules/migration/options.go b/modules/migration/options.go
index 163aa0cfaaa..0f73c55ac4e 100644
--- a/modules/migration/options.go
+++ b/modules/migration/options.go
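Review bot: In `MigrateConfig` (models/admin/task.go), a failed `secret.DecryptSecret` for `AWSSecretAccessKeyEncrypted` is only logged and the function still reaches `return &opts, nil`, so the caller gets options whose `AWSSecretAccessKey` is whatever the failed call returned and no error to act on. This matches the `AuthToken` branch visible in the context lines, but a wrong or rotated `SECRET_KEY` would then presumably surface later as an AWS authentication failure rather than as a key problem. Consider `return nil, err` in the new branch, or make the choice explicit with a comment such as `// best effort: the migration continues without the secret if decryption fails`. The function body starts above this hunk, so whether callers tolerate a non-nil error here has to be checked there.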
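Review bot: `FinishMigrateTask` (models/admin/task.go) now blanks `conf.AWSSecretAccessKey` and `conf.AWSSecretAccessKeyEncrypted` before re-marshalling, but `AWSAccessKeyID` is left in the stored config. The access key ID is not a secret on its own, yet it identifies the principal that was used and is half of the credential pair, so retaining it after the task is finished should be a deliberate decision. If nothing reads it after completion (not visible in this hunk), add `conf.AWSAccessKeyID = ""` next to the two new lines; otherwise a short comment saying why it is retained would help. The function continues past the end of the hunk.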
@@ -40,5 +40,7 @@ type MigrateOptions struct {
 MirrorInterval string `json:"mirror_interval"`
 AWSAccessKeyID string
- AWSSecretAccessKey string
+ AWSSecretAccessKey string `json:",omitempty"`
+
+ AWSSecretAccessKeyEncrypted string `json:"aws_secret_access_key_encrypted,omitempty"`
 }
diff --git a/services/task/task.go b/services/task/task.go
index 86cf6a041fd..25eccd1077b 100644
--- a/services/task/task.go
+++ b/services/task/task.go
@@ -85,6 +85,11 @@ func CreateMigrateTask(ctx context.Context, doer, u *user_model.User, opts base.
 return nil, err
 }
 opts.AuthToken = ""
+ opts.AWSSecretAccessKeyEncrypted, err = secret.EncryptSecret(setting.SecretKey, opts.AWSSecretAccessKey)
+ if err != nil {
+ return nil, err
+ }
+ opts.AWSSecretAccessKey = ""
 bs, err := json.Marshal(&opts)
 if err != nil {
 return nil, err
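Review bot: The new tag `json:",omitempty"` on `AWSSecretAccessKey` in `MigrateOptions` (modules/migration/options.go) keeps the plaintext field serialisable, so any `json.Marshal` of the struct still writes the key whenever the field is non-empty. Keeping it out of storage therefore depends on every caller clearing it first, as `CreateMigrateTask` does. If the tag is kept so that task payloads written before this change can still be read, say so in a comment, e.g. `// plaintext; serialisable only to read pre-encryption task payloads, clear before Marshal`. If legacy payloads do not need to be read, `json:"-"` would make the struct safe by construction. The struct definition starts above the hunk, so how the sibling secret fields are tagged is not visible here.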
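Review bot: Nothing in the change pins the property it adds: the diffstat lists three source files and no test, so moving `opts.AWSSecretAccessKey = ""` below `json.Marshal(&opts)` in `CreateMigrateTask` (services/task/task.go) would store the plaintext key again without any failure. A small test that creates a task with a constructed key, asserts the marshalled payload does not contain it, and asserts `MigrateConfig` returns it again would cover both this hunk and the decrypt branch. Separately, `secret.EncryptSecret` runs even when `opts.AWSSecretAccessKey` is empty, which appears to follow the `AuthToken` lines above; a guard `if opts.AWSSecretAccessKey != "" {` would keep the encrypted field out of payloads for non-AWS migrations, assuming `EncryptSecret` returns non-empty output for empty input (not visible here). The function begins and ends outside the hunk.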