Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com

Passing token to run command still tells me I must be logged in #2286

Open jrdn91 opened 2 months ago

jrdn91 commented 2 months ago

Describe the bug

I'm building a CI setup with GitHub Actions and Docker deployed to AWS where I am having GitHub Actions install infisical and generate a machine identity access token with the login command, pass that as a build arg to a Docker build command that then will push to ECS to be deployed on AWS.

The issue I am running into is I can verify that the token is being generated from the login command, but when I actually attempt to use it in the run command I continue to get the message in the ECS logs "You must be logged in to run this command. To login, run [infisical login]"

Here is what my CI setup looks like so far

...
- name: Install infisical-cli
  shell: bash
  run: curl -1sLf  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
- name: apt update and install infisical
  shell: bash
  run: |
    sudo apt-get update && sudo apt-get install -y infisical
- name: Generate Infisical Token
  id: infisical-token
  shell: bash
  run: echo "access-token=$(infisical login --method=universal-auth --client-id=${{ secrets.INFISICAL_CLIENT_ID }} --client-secret=${{ secrets.INFISICAL_CLIENT_SECRET }} --plain --silent)" >> $GITHUB_OUTPUT

- name: Build and push the tagged docker image to Amazon ECR
  env:
    ...
    INFISICAL_ACCESS_TOKEN: ${{ steps.infisical-token.outputs.access-token }}

  run: |
    docker build \
    -t $ECR_REGISTRY/$ECR_REPOSITORY_NAME:latest \
    --build-arg "INFISICAL_ACCESS_TOKEN=$INFISICAL_ACCESS_TOKEN" \
    -f apps/express-app/Dockerfile .

    # docker push $ECR_REGISTRY/$ECR_REPOSITORY_NAME:latest
...

In the Dockerfile I install infisical, set the incoming arg and attempt to use its value in the run CMD

FROM node:18-alpine AS base

# sets up infisical for ENV syncing
RUN apk add --no-cache bash curl && curl -1sLf \
  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
  && apk add infisical

ENV YARN_VERSION=4.3.1

FROM base AS builder
# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
RUN apk update
RUN apk add --no-cache libc6-compat
RUN corepack enable && corepack prepare yarn@${YARN_VERSION}
# Set working directory
WORKDIR /app
RUN yarn global add turbo
COPY . .
RUN turbo prune express-app --docker

# Add lockfile and package.json's of isolated subworkspace
FROM base AS installer
RUN apk update
RUN apk add --no-cache libc6-compat
WORKDIR /app

# First install dependencies (as they change less often)
COPY .gitignore .gitignore
COPY --from=builder /app/out/json/ .
COPY --from=builder /app/out/yarn.lock ./yarn.lock
COPY ./.infisical.json ./.infisical.json
RUN yarn install

# Build the project and its dependencies
COPY --from=builder /app/out/full/ .
COPY turbo.json turbo.json

RUN yarn turbo build --filter=express-app

FROM base AS runner
WORKDIR /app

# Don't run production as root
RUN addgroup --system --gid 1001 expressjs
RUN adduser --system --uid 1001 expressjs
USER expressjs
COPY --from=installer /app .

# can be overridden with run environment variables
ENV INFISICAL_ENV=dev
ENV INFISICAL_PATH=/***
ARG INFISICAL_PROJECT_ID=***
ARG INFISICAL_ACCESS_TOKEN

CMD infisical run --projectId=${INFISICAL_PROJECT_ID} --env=${INFISICAL_ENV} --path=${INFISICAL_PATH} --token=${INFISICAL_ACCESS_TOKEN} -- node apps/express-app/dist/index.js

I'm giving the full Dockerfile here for the full context just in case there is potentially something I'm doing wrong in a different step that's maybe causing this issue.

To Reproduce

Steps to reproduce the behavior:

  1. Install Infisical into GitHub Action
  2. Generate access token and pass it to Docker build command
  3. Install Infisical in Dockerfile and setup ARG
  4. Pass Infisical access token from ARG into CMD
  5. See error message related to needing to login

Expected behavior

I expect that when using the run command with the --token flag passed that I don't need to explicitly login with the login CLI command and that populating environment variables just work.

Screenshots

Attached is the screenshot from the AWS logs for the ECS attempting to launch the new service. The "API base url" should show the value of an ENV called "API_URL" but instead is blank because the secrets are not being injected.

[Screenshot 2024-08-13 at 12 53 09 PM]

Platform you are having the issue on:

All of this is happening in the Dockerfile which is using a version of Node on Alpine for its base image as seen in the Dockerfile pasted above.

Additional context

I've verified that the Machine identity I'm using has read access and is assigned to the specific project I'm trying to access. I've also double checked that the client id and client secret are the ones related to the given machine identity and that the project id is correct here.

Furthermore if I run the login command locally, manually passing in the client id and secret, and then attempting to do the infisical run command with the --token flag, it all works. So something appears to be missing here with the Dockerfile setup.

akhilmhdh commented 2 months ago

@jrdn91 Can you check the cli is indeed getting the token?