RFC: Auto Mask Secrets #728
Closed
Labels
- RFC: Technical design documents related to a feature request
- need-customer-feedback: Requires more customer feedback before making or revisiting a decision
- on-hold: This item is on-hold and will be revisited in the future
- revisit-in-3-months: Blocked issues/PRs that need to be revisited
Description of the feature request
Automatically mask secret or password values in extra data.
Problem statement
A best practice is to never log secrets or passwords. There are times when I have an object that might have one of these things in it. I'd like to be able to pass in the object without needing to pull out the secrets manually.
Summary of the feature
If turned on, any extra data passed into the logger would be looked at and secrets/passwords would be masked. Consider the following data.
The code would see a key that contains "password" (this could be a configurable regex with a default) and would replace it with something like "*****", resulting in the following extra data being logged.
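The key-matching approach described above, as an added example that is not code from the original RFC or from Powertools: the default pattern, the `*****` mask and the `withSecretMasking` wrapper are all assumptions chosen for illustration.

```typescript
// Added example (not Powertools code). Masks values whose key matches a
// configurable regex, recursing into nested objects and arrays, before the
// extra data reaches a logger. The default pattern below is a placeholder.
export const DEFAULT_SECRET_KEY_PATTERN = /password|secret|token/i;
export const MASK = '*****';

export function maskSecrets(
  value: unknown,
  pattern: RegExp = DEFAULT_SECRET_KEY_PATTERN,
  seen: WeakSet<object> = new WeakSet(),
): unknown {
  // A user-supplied /g regex keeps lastIndex between test() calls, which
  // would make matching alternate; rebuild the pattern without that flag.
  const keyPattern = new RegExp(pattern.source, pattern.flags.replace('g', ''));

  if (Array.isArray(value)) {
    return value.map((item) => maskSecrets(item, keyPattern, seen));
  }
  if (value !== null && typeof value === 'object') {
    // Guard against cyclic structures so logging never recurses forever.
    if (seen.has(value)) return '[Circular]';
    seen.add(value);
    const masked: Record<string, unknown> = {};
    for (const [key, child] of Object.entries(value)) {
      // Mask the whole value (even if it is an object) when the key matches;
      // otherwise keep walking. The input object is never mutated.
      masked[key] = keyPattern.test(key) ? MASK : maskSecrets(child, keyPattern, seen);
    }
    return masked;
  }
  return value; // primitives pass through unchanged
}

// Minimal logger shape used to show the "always on" devex the RFC asks for:
// callers pass `{ extraData }` and masking happens inside the wrapper.
export interface ExtraLogger {
  info(message: string, extra?: Record<string, unknown>): void;
}

export function withSecretMasking(logger: ExtraLogger, pattern?: RegExp): ExtraLogger {
  return {
    info: (message, extra) =>
      logger.info(
        message,
        extra === undefined ? undefined : (maskSecrets(extra, pattern) as Record<string, unknown>),
      ),
  };
}
```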
No secrets in logs
Code examples
Benefits for you and the wider AWS community
Safer logging.
Describe alternatives you've considered
Creating a function that does this for me. The downside to this is twofold. One, I have to include the function call everywhere, so if I forget it I risk writing something I shouldn't to the logs. Two, the devex is slightly worse because I have to do something like
`{ extraData: cleanExtraData(extraData) }` instead of just `{ extraData }`.
Additional context
Related issues, RFCs