From 5cf796eed22988b802a6b165860665520a45d545 Mon Sep 17 00:00:00 2001
From: dfgvaetyj3456356-hash
 <288537585+dfgvaetyj3456356-hash@users.noreply.github.com>
Date: Sun, 31 May 2026 11:33:51 -0500
Subject: [PATCH] Redact CodeArtifact auth token from command stderr

---
 awscli/customizations/codeartifact/login.py       |  5 ++++-
 .../codeartifact/test_adapter_login.py            | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/awscli/customizations/codeartifact/login.py b/awscli/customizations/codeartifact/login.py
index 40a6bfc4d311..618e208bf8f0 100644
--- a/awscli/customizations/codeartifact/login.py
+++ b/awscli/customizations/codeartifact/login.py
@@ -41,9 +41,12 @@ class CommandFailedError(Exception):
     def __init__(self, called_process_error, auth_token):
         msg = str(called_process_error).replace(auth_token, '******')
         if called_process_error.stderr is not None:
+            stderr = called_process_error.stderr.decode(
+                get_stderr_encoding()
+            ).replace(auth_token, '******')
             msg +=(
                 f' Stderr from command:\n'
-                f'{called_process_error.stderr.decode(get_stderr_encoding())}'
+                f'{stderr}'
             )
         Exception.__init__(self, msg)
 
diff --git a/tests/unit/customizations/codeartifact/test_adapter_login.py b/tests/unit/customizations/codeartifact/test_adapter_login.py
index e0a66aea51af..cda1d76876bd 100644
--- a/tests/unit/customizations/codeartifact/test_adapter_login.py
+++ b/tests/unit/customizations/codeartifact/test_adapter_login.py
@@ -83,6 +83,21 @@ def test_run_commands_command_failed_redact_auth_token(self):
         ):
             self.test_subject._run_commands('tool', ['cmd'])
 
+    def test_run_commands_command_failed_redact_auth_token_from_stderr(self):
+        error_to_be_caught = subprocess.CalledProcessError(
+            returncode=1,
+            cmd=['cmd', 'with', 'auth-token', 'present'],
+            output=None,
+            stderr=b'Command error included auth-token.'
+        )
+        self.subprocess_utils.run.side_effect = error_to_be_caught
+        with self.assertRaises(CommandFailedError) as cm:
+            self.test_subject._run_commands('tool', ['cmd'])
+        error_message = str(cm.exception)
+        self.assertNotIn('auth-token', error_message)
+        self.assertIn('Stderr from command:\nCommand error included ******.',
+                      error_message)
+
     def test_run_commands_nonexistent_command(self):
         self.subprocess_utils.run.side_effect = OSError(
             errno.ENOENT, 'not found error'