GoogleCloudPlatform / security-analytics

Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud
Apache License 2.0

URGENT: Github Actions failing to read SA_CREDENTIAL #42

Closed dalakija closed 1 year ago

dalakija commented 1 year ago

Hi Team,

Issue

When running the GitHub Actions workflow, it errors out at the pre-upload dry run phase.

When run locally, the process works fine; our created rules are ingested into our Chronicle rules editor, confirming we are using the correct Google API Key.

However, when we format our Google API key using cat ~/malachite-abc-7ba40dd4f123.json | tr '\n' ' ' | sed -r 's/\"/\\"/g' (as instructed in https://github.com/GoogleCloudPlatform/security-analytics/blob/main/cicd/README.md), once we insert the resulting formatted key into the repository SA_CREDENTIAL, the GitHub Action fails.

Screenshot(s)

Screenshot 2023-09-14 at 11 04 47

HELP

Please let us know where we have gone wrong or if there is a bug in the process that's blocking us from creating the CICD. We will continue working on our end to identify any mistakes we've made too.

rahulgk-mettle commented 1 year ago

Finally, we had to pass the JSON into the GH secret in a different way to get it to work. Instead of using the cred.json | tr '\n' ' ' | sed -r 's/\"/\\"/g' | method as mentioned in the README, we used cred.json | base64 to generate the GH secret and used the code below in rules.py to decode it into the JSON.

import base64

# service_account_info holds the base64-encoded secret value
decodedBytes = base64.b64decode(service_account_info)
decodedStr = decodedBytes.decode("ascii")

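
The base64 workaround from the comment above, carried through to a validated dict, as an added example that is not code from this thread or from the project. The function names, the required-field check and the sample credential are assumptions constructed for illustration.

```python
import base64
import binascii
import json

# Fields a Google service-account key file carries; used as a sanity check (assumed policy).
REQUIRED_KEYS = ("type", "client_email", "private_key")

# Constructed sample, not a real credential.
CONSTRUCTED_INFO = {
    "type": "service_account",
    "client_email": "ci-example@example-project.iam.gserviceaccount.com",
    "private_key": "constructed\nplaceholder\n",
}


def encode_for_secret(info: dict) -> str:
    """Mirror `cat cred.json | base64`: pretty-printed JSON, base64-encoded."""
    return base64.b64encode(json.dumps(info, indent=2).encode("utf-8")).decode("ascii")


def load_service_account_info(secret_value: str) -> dict:
    """Decode the base64 secret into a dict without echoing its contents."""
    # GNU `base64` wraps at 76 columns and appends a newline; drop all whitespace.
    compact = "".join(secret_value.split())
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error:
        raise ValueError("SA_CREDENTIAL is not valid base64") from None
    try:
        info = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        # `from None` drops the chained exception, so CI logs show only this message.
        raise ValueError("decoded SA_CREDENTIAL is not valid JSON") from None
    if not isinstance(info, dict):
        raise ValueError("decoded SA_CREDENTIAL is not a JSON object")
    missing = [key for key in REQUIRED_KEYS if key not in info]
    if missing:
        raise ValueError(f"decoded SA_CREDENTIAL lacks fields: {missing}")
    return info


if __name__ == "__main__":
    info = load_service_account_info(encode_for_secret(CONSTRUCTED_INFO))
    print("loaded key for", info["client_email"])
```

The error messages name the failing stage only, so a malformed secret never ends up printed in the workflow log.
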
rarsan commented 1 year ago

Thanks for reporting! Also appreciate sharing the workaround. So we have removed the instruction around using tr and sed given potential cross-platform issues with these commands on different *nix distros. Closing this issue.