abhilash1in / aws-secrets-manager-action

Use secrets from AWS Secrets Manager as environment variables in your GitHub Actions workflow
MIT License

POSIX Warning on compliant secret #20

Closed rvoitenko closed 3 years ago

rvoitenko commented 3 years ago

Hello,

I always get warnings about secret names not being POSIX compliant. To verify it I've created a secret "TEST" with key "KEY" and value "VALUE", so its JSON looks like:

{
  "KEY": "VALUE"
}

and the step looks like this:

    - name: Read secrets from AWS Secrets Manager into environment variables
      uses: abhilash1in/aws-secrets-manager-action@v1.0.1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: eu-west-1
        secrets: TEST
        parse-json: true

In debug mode I see the following:

##[debug]Secret name 'TEST.KEY' is not POSIX compliant. It will be transformed to 'TEST_KEY'.
##[debug]Injecting environment variable 'TEST_KEY'.
##[debug]Node Action run completed with exit code 0
##[debug]TEST_KEY='***'
##[debug]Finishing: Read secrets from AWS Secrets Manager into environment variables

Which means that 'TEST.KEY' is analyzed as a secret name, but it is not a secret name. It's the concatenated secret name + '.' + secret key. Is this a bug?

abhilash1in commented 3 years ago

This is not a bug.

You have parse-json set to true. In this case, if your AWS secret value is a valid JSON string, it will be parsed and all keys inside the JSON will become individual secrets with their name in the format {Original AWS Secret Key}.{JSON Key} (it is standard practice to use a period . while flattening JSON objects). Due to this, the new secret name becomes TEST.KEY, which is then transformed into TEST_KEY to make it compliant.

If you set parse-json to false, the secret name will remain TEST. Note that the secret value will be the raw AWS secret value (JSON string "{\n \"KEY\": \"VALUE\"\n}") in this case.

rvoitenko commented 3 years ago

Thank you for the explanation. But that means that with "parse-json=true" you always get this warning. Maybe change the logic and make an exception: when JSON flattening happens, analyze the left part and the right part of {Original AWS Secret Key}.{JSON Key} separately?

abhilash1in commented 3 years ago

That makes sense. I'll look into it. Thank you for the suggestion! For now, you can safely ignore the warning.

I think using {Original AWS Secret Key}_{JSON Key} instead of {Original AWS Secret Key}.{JSON Key} will suppress the warning.

Feel free to submit a PR if you want to make the change yourself :)
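The flattening and POSIX-name transform discussed above, written out as an added example in JavaScript (this is not the action's own code). It implements both the behaviour reported in the issue (join secret name and JSON key with '.', then check the whole string, so every parsed key warns) and the suggested fix (check the secret name and each JSON key on their own, then join with '_'). The function names, the POSIX regex, the warning text and the sample secret are all assumptions made for the example.

```javascript
// Added example, not the action's own code: how parse-json flattening and the
// POSIX-name transform described in this thread interact. Function names, the
// POSIX regex, the warning text and the sample secret are all assumptions.

// Walk a parsed JSON value and collect leaves as {path: [...keys], value}.
// Objects recurse; arrays and scalars are leaves (non-strings are stringified),
// which is the 'flatten to individual secrets' step the thread describes.
function flattenPaths(value, path = [], out = []) {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    for (const [k, v] of Object.entries(value)) flattenPaths(v, [...path, k], out);
  } else {
    out.push({ path, value: typeof value === 'string' ? value : JSON.stringify(value) });
  }
  return out;
}

// Map an arbitrary string onto a POSIX environment-variable name
// ([A-Za-z_][A-Za-z0-9_]*): replace every other character with '_' and
// prefix a leading digit. Reports whether the name had to change.
function toPosixName(name) {
  let posix = name.replace(/[^A-Za-z0-9_]/g, '_');
  if (/^[0-9]/.test(posix)) posix = `_${posix}`;
  return { name: posix, changed: posix !== name };
}

// Resolve one AWS secret to environment variables. strategy 'joined' is the
// behaviour reported in the issue (join with '.' and then check the whole
// name, so every parsed key warns); 'split' is the suggested fix (check the
// secret name and each JSON key separately, then join with '_').
function resolveSecret(secretName, secretValue, parseJson, strategy = 'joined') {
  const env = {};
  const warnings = [];
  const warn = (raw, fixed) =>
    warnings.push(`Secret name '${raw}' is not POSIX compliant. It will be transformed to '${fixed}'.`);

  let parsed;
  if (parseJson) {
    try { parsed = JSON.parse(secretValue); } catch { parsed = undefined; }
  }
  // Only a JSON object is flattened; a non-JSON value, or parse-json: false,
  // keeps the raw string under the secret's own name.
  const leaves = parsed !== null && typeof parsed === 'object'
    ? flattenPaths(parsed, [secretName])
    : [{ path: [secretName], value: secretValue }];

  for (const { path, value } of leaves) {
    let name;
    if (strategy === 'joined') {
      const raw = path.join('.');
      const r = toPosixName(raw);
      if (r.changed) warn(raw, r.name);
      name = r.name;
    } else {
      const parts = path.map(toPosixName);
      parts.forEach((p, i) => { if (p.changed) warn(path[i], p.name); });
      name = parts.map((p) => p.name).join('_');
    }
    env[name] = value;
  }
  return { env, warnings };
}

// Constructed sample matching the issue: secret TEST with JSON {"KEY": "VALUE"}.
const SAMPLE_SECRET = '{\n  "KEY": "VALUE"\n}';

if (typeof require !== 'undefined' && require.main === module) {
  for (const strategy of ['joined', 'split']) {
    const { env, warnings } = resolveSecret('TEST', SAMPLE_SECRET, true, strategy);
    console.log(strategy, Object.keys(env), warnings);
  }
}
```

With the sample secret, 'joined' injects TEST_KEY and emits the one warning quoted in the issue, while 'split' injects the same TEST_KEY with no warning and still warns for a key that genuinely needs rewriting (for example user-name). One caveat either way: the transform is not injective, so a key named a.b and a key named a_b, or secret TEST with key KEY and another secret named TEST_KEY, land on the same environment variable and the later one silently overwrites the earlier; a real implementation should detect that collision rather than rely on the warning.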

rvoitenko commented 3 years ago

Ok, thanks for the suggestion. I can ignore the warnings, but it's annoying, because when I have a secret with 5 key/values inside I get 5 warnings :) even if I need only one key. I will try to submit a PR after my local testing.

emmanuelnk commented 3 years ago

Hi, I'm still getting this error even with the latest commit. I think this issue should be re-opened.

As you can see from the screenshot, I'm using the latest commit.
