Passing ECR credentials to another job doesn't work #546

Open
1david5 opened this issue Oct 18, 2023 · 7 comments

Comments


1david5 commented Oct 18, 2023

Describe the bug
Using this action to output your Docker credentials for logging into ECR Private and then passing them to another job to run your private image as a service or container doesn't work. (This use case is described in the action documentation, in the Run an image as a service section.)

The credentials never make it to the second job because Actions skips them, throwing the warnings below, which results in an empty repo, username, and password in the second job:
Skip output 'registry' since it may contain secret.
Skip output 'docker_username' since it may contain secret.
Skip output 'docker_password' since it may contain secret.

To Reproduce
Steps to reproduce the behavior:

  1. Configure two jobs as described on Run an image as a service.
  2. Run the action

Expected behavior
Being able to output ECR credentials and run a job on a container pulled from a private ECR.

Screenshots
[image attached to the original issue, not reproduced here]

Desktop (please complete the following information):

  • OS: ubuntu-latest
1david5 changed the title from "Passing Docker credentials to another job doesn't work" to "Passing ECR credentials to another job doesn't work" on Oct 18, 2023
arjraman (Contributor) commented Oct 18, 2023

Could I see your workflow yml with all sensitive info redacted?


1david5 commented Oct 18, 2023

name: "Linter & Test"

on:
  workflow_dispatch:

  pull_request:
    branches:
      - master
      - development
    types:
      - opened
      - edited
      - reopened
      - synchronize

jobs:
  login-to-amazon-ecr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required for OIDC role assumption
    env:
      ENVIRONMENT: 'dev'
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        env:
          IAM_ROLE_ARN: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ env.ENVIRONMENT }}/${{ vars.NAMESPACE }}/${{ vars.SERVICE }}/${{ env.ENVIRONMENT }}-${{ vars.NAMESPACE }}-${{ vars.SERVICE }}-gh-action-role
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          role-to-assume: ${{ env.IAM_ROLE_ARN }}
          mask-aws-account-id: 'false'   # a masked account ID would also mask the registry output

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          mask-password: 'false'   # a masked password cannot be passed on as a job output

      # Debug step: echoes the credentials into the job log (any value matching a
      # registered secret is shown as ***). The per-registry outputs of the login
      # step are named docker_username_<registry> / docker_password_<registry>
      # with '.' and '-' in the registry host replaced by '_', so the name is
      # built with format() and read with index syntax. As originally posted,
      # format('steps.login-ecr.outputs...') was the whole expression, which
      # evaluates to that literal string instead of the step output; corrected
      # here. Note that the region must appear in the name with underscores
      # (us_east_1): if secrets.AWS_REGION holds us-east-1 the name will not match.
      - name: print
        run: |
          echo "registry: ${{ steps.login-ecr.outputs.registry }}"
          echo "docker_username: ${{ steps.login-ecr.outputs[format('docker_username_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION)] }}"
          echo "docker_password: ${{ steps.login-ecr.outputs[format('docker_password_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION)] }}"

    # Job outputs whose value contains a registered secret (here the values of
    # secrets.AWS_ACCOUNT_ID and secrets.AWS_REGION) are dropped with a
    # "Skip output ... since it may contain secret" warning.
    outputs:
      registry: ${{ steps.login-ecr.outputs.registry }}
      docker_username: ${{ steps.login-ecr.outputs[format('docker_username_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION)] }}
      docker_password: ${{ steps.login-ecr.outputs[format('docker_password_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION)] }}

  lint:
    name: Lint
    needs: login-to-amazon-ecr
    runs-on: ubuntu-latest
    container:
      image: "${{ needs.login-to-amazon-ecr.outputs.registry }}/image_name:development"
      credentials:
        username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
        password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Ruby and gems
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2.2
          bundler-cache: true
      - name: Lint Ruby files
        run: bundle exec rubocop --parallel

arjraman (Contributor) commented Oct 19, 2023

Ah, I see. The way GitHub Actions masks secrets in logs is by checking every substring in the logs to see if it matches any of the secret values. In your case, this is secrets.AWS_ACCOUNT_ID. Since the output value of registry will match secrets.AWS_ACCOUNT_ID, and the output names provided to docker_username and docker_password contain a substring that matches secrets.AWS_ACCOUNT_ID, all those outputs will be redacted. It's the reason why the example has mask-aws-account-id: 'false' set for the aws-actions/configure-aws-credentials@v4 action.

Does your print step print anything?


1david5 commented Oct 19, 2023

Ah, thank you for the insight on this @arjraman.

It prints the registry with the account ID and region redacted.

Do you know if there is any way to work around this without hard-coding the AWS account ID on the workflow?

arjraman (Contributor) commented Oct 19, 2023

Not sure, I haven't tried to do so. I gave a possible solution in #464. Other related discussions can be found in #495 and #496.

Here's a doc from GitHub talking about it: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-masking-and-passing-a-secret-between-jobs-or-workflows. But it doesn't give any concrete way of doing so.


kevcube commented Nov 17, 2023

@1david5 can you define AWS Account ID in actions 'environment variables' (next to secrets in actions configuration) because AWS Account IDs aren't considered secret?

stepanovdg commented

@1david5 Check whether your secrets.AWS_REGION variable is in the format us-east-1 or in the expected format us_east_1, for example.
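The masking rule arjraman describes, kevcube's suggestion to move the account ID out of secrets, and stepanovdg's point about the region spelling in the output name, as one added Python model. This is not code from the GitHub runner or from aws-actions/amazon-ecr-login; it assumes only what the thread states: a declared job output is dropped when any registered secret value occurs in it as a substring, and the per-registry output names are the registry host with '.' and '-' replaced by '_'. The account ID, region and token are constructed samples, and `lookup_by_index=False` mimics the workflow as originally posted, where `format(...)` used as the whole expression yields the literal output name rather than the step output.

```python
"""Model of the "Skip output ... since it may contain secret" rule.

Added example, not code from the runner or from aws-actions/amazon-ecr-login.
It applies the rule described in the thread: every registered secret value is
matched as a substring of each declared job output, and a match drops the
output with a warning. Account ID, region and token are constructed samples.
"""
from __future__ import annotations

ECR_USERNAME = "AWS"  # the docker login user for private ECR is always "AWS"


def ecr_registry(account_id: str, region: str) -> str:
    """Host that the login step reports in its `registry` output."""
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com"


def output_name_suffix(registry: str) -> str:
    """Per-registry outputs are named docker_username_<host> and
    docker_password_<host> with '.' and '-' replaced by '_', so the region is
    spelled us_east_1 in the output name even though its value is us-east-1."""
    return registry.replace(".", "_").replace("-", "_")


def login_step_outputs(account_id: str, region: str, token: str) -> dict[str, str]:
    """Outputs the login step exposes for one private registry."""
    registry = ecr_registry(account_id, region)
    suffix = output_name_suffix(registry)
    return {
        "registry": registry,
        f"docker_username_{suffix}": ECR_USERNAME,
        f"docker_password_{suffix}": token,
    }


def job_outputs(declared: dict[str, str], secrets: set[str]) -> tuple[dict[str, str], list[str]]:
    """Keep declared outputs that contain no secret value; warn on the rest."""
    kept: dict[str, str] = {}
    warnings: list[str] = []
    for name, value in declared.items():
        if any(secret and secret in value for secret in secrets):
            warnings.append(f"Skip output '{name}' since it may contain secret.")
        else:
            kept[name] = value
    return kept, warnings


def passed_to_next_job(account_id: str, region: str, token: str, *,
                       repo_secrets: set[str], mask_password: bool,
                       lookup_by_index: bool = True) -> tuple[dict[str, str], list[str]]:
    """Declare registry/docker_username/docker_password as job outputs and
    apply the rule.

    repo_secrets: values the job references through secrets.* (the posted
      workflow references both the account ID and the region that way).
    mask_password: the login action registered the token with ::add-mask::.
    lookup_by_index: True reads steps.<id>.outputs[format(...)]; False mimics
      the posted workflow, where format(...) as the whole expression yields the
      literal output name as the value.
    """
    step = login_step_outputs(account_id, region, token)
    suffix = output_name_suffix(ecr_registry(account_id, region))
    user_key, pass_key = f"docker_username_{suffix}", f"docker_password_{suffix}"
    if lookup_by_index:
        declared = {"registry": step["registry"],
                    "docker_username": step[user_key],
                    "docker_password": step[pass_key]}
    else:
        declared = {"registry": step["registry"],
                    "docker_username": f"steps.login-ecr.outputs.{user_key}",
                    "docker_password": f"steps.login-ecr.outputs.{pass_key}"}
    secrets = set(repo_secrets)
    if mask_password:
        secrets.add(token)
    return job_outputs(declared, secrets)


if __name__ == "__main__":
    # constructed sample values
    ACCOUNT, REGION, TOKEN = "123456789012", "us-east-1", "sample-ecr-token-0123"
    scenarios = [
        ("as posted: ID and region from secrets, literal format() names",
         dict(repo_secrets={ACCOUNT, REGION}, mask_password=False, lookup_by_index=False)),
        ("ID and region from secrets, index lookup",
         dict(repo_secrets={ACCOUNT, REGION}, mask_password=False)),
        ("ID and region from vars, mask-password false",
         dict(repo_secrets=set(), mask_password=False)),
        ("ID and region from vars, mask-password true",
         dict(repo_secrets=set(), mask_password=True)),
    ]
    for label, kwargs in scenarios:
        kept, warnings = passed_to_next_job(ACCOUNT, REGION, TOKEN, **kwargs)
        print(f"{label}\n  kept={sorted(kept)}\n  warnings={warnings}")
```

Only the third scenario delivers all three outputs to the consuming job: the account ID and region live in repository variables rather than secrets, and both mask-aws-account-id and mask-password are off. Moving the values to variables is a deliberate choice that they are not confidential; the ECR token itself stays a short-lived credential either way, but with mask-password off it will appear unredacted in any step that echoes it.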
