akeyless-community / akeyless-github-action

Mozilla Public License 2.0

Azure Dynamic Secret Issue #9

Open LanceMcCarthy opened 9 months ago

LanceMcCarthy commented 9 months ago

Hi Team,

First, love the work on expanding the functionality and pushing this out to the marketplace. Unfortunately, I have discovered an issue with this that is also present in my action... I am unable to get the values of the AAD dynamic secret.

Let me set you up properly.

Understanding the Azure AD Akeyless Response

This is what you get when using the Akeyless CLI when fetching an Azure AD dynamic secret.

{
  "id": "{\"secret_name\":\"tmp.p-m9vvgiii6rip.kj36S\",\"secret_key_id\":\"0c46516c-076e-4e69-bcf3-7c2fcac265a7\"}",
  "msg": "User  has been added successfully to the following Group(s): [] Role(s): [] Expires on Thu Aug 10 14:38:59 UTC 2023",
  "secret": {
    "appId": "207ff3fc-f6e3-4467e-babf-66b62e047be7",
    "displayName": "tmp.p-m9vvgiii6rip.kj36S",
    "keyId": "0c46516c-3456-4e69-bcf3-7c2fcac265a7",
    "secretText": "xrk8Q~qvnUbBHfXlCmaTdIakNyLc8xC.50gBqa0K",
    "tenantId": "bd47e796-1234-4b8a-9101-1f4c0c7af31a"
  },
  "ttl_in_minutes": "60"
}

Notice how the important values we need to use are inside the secret value:

[image]

Problem

In my Action, this never gets properly parsed by the SDK, and it also seems you might be experiencing the same problem. Here is what happens when I run this action and try to get the value for secret:

[image]

Repro 1 - Using key: "secret" For Precision

You can reproduce this with the following YAML. Notice I am using key=secret to be able to ignore the rest of the top-level values:

      - name: Fetch AKeyless Secret
        id: akeyless
        uses: akeyless-community/akeyless-github-action@v1.0.0
        with:
          access-id: 'p-XXXXXXXX'
          dynamic-secrets: |
            - name: "/path/to/my/azure-ad-dynamic-secret/"
              output-name: "aad"
              key: "secret"
          access-type: jwt

      - name: Verify Outputs
        run: |
          echo "appId: ${{ steps.akeyless.outputs.appId }}"
          echo "secretText: ${{ steps.akeyless.outputs.secretText }}"
          echo "tenantId: ${{ steps.akeyless.outputs.tenantId }}"
          echo "displayName: ${{ steps.akeyless.outputs.displayName }}"
          echo "keyId: ${{ steps.akeyless.outputs.keyId }}"

Repro 2 - Reading Entire Response

If you want to avoid the error, you can run it like this (without declaring key: "secret"):

      - name: Fetch AKeyless Secret
        id: akeyless
        uses: akeyless-community/akeyless-github-action@v1.0.0
        with:
          access-id: 'p-XXXXXXXX'
          dynamic-secrets: |
            - name: "/path/to/my/azure-ad-dynamic-secret/"
              output-name: "aad"
          access-type: jwt

      - name: Verify Outputs
        run: |
          # capture the nested "secret" object from the action output as compact JSON
          aadSecret=$(echo '${{ steps.akeyless.outputs.aad }}' | jq -c '.secret')

          echo "$aadSecret" | jq -r '.appId'
          echo "$aadSecret" | jq -r '.secretText'
          echo "$aadSecret" | jq -r '.tenantId'
          echo "$aadSecret" | jq -r '.displayName'
          echo "$aadSecret" | jq -r '.keyId'

This will output the rest of the dynamic secret's values, but not secret.appId, secret.tenantId, etc. In fact, it still breaks when trying to read the value of secret:

[image]

Resolution

Either of these two outcomes would be considered a resolution.

LanceMcCarthy commented 9 months ago

After further investigation, I think I've found the reason why this is failing. The JSON data uses stringified results for some key values but not for the secret key's values. This is causing JSON parsers to fail.

Here is the output from the Action:

[image]

Since "[object, object]" is a string, not an object, it cannot be deserialized, and thus there isn't a way to get the original values out of it.
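The `[object Object]` text in the screenshot is what JavaScript's default String() coercion produces for a nested object. As an added example (not code from this action or from Akeyless), here is that failure next to a serializer that keeps the nested `secret` fields; `naiveOutput`, `flattenOutputs`, the `<outputName>_<field>` naming and the sample GUIDs are my own assumptions.

```javascript
// Added illustration, not the action's own source. The response below is
// constructed to mirror the CLI output in the issue (placeholder GUIDs and
// secretText); the helper names are my own.
const sampleResponse = {
  id: '{"secret_name":"tmp.example","secret_key_id":"00000000-0000-0000-0000-000000000002"}',
  msg: "User has been added successfully to the following Group(s): [] Role(s): []",
  secret: {
    appId: "00000000-0000-0000-0000-000000000001",
    displayName: "tmp.example",
    keyId: "00000000-0000-0000-0000-000000000002",
    secretText: "constructed-placeholder-secret-text",
    tenantId: "00000000-0000-0000-0000-000000000003",
  },
  ttl_in_minutes: "60",
};

// The failure mode seen in the thread: coercing an object with String()
// yields "[object Object]", discarding every nested field, so nothing
// downstream (jq, JSON.parse) can recover appId, secretText, etc.
function naiveOutput(response, key) {
  const value = key ? response[key] : response;
  return String(value);
}

// Objects become JSON text instead of "[object Object]"; scalars are
// stringified as before.
function toOutputString(value) {
  return value !== null && typeof value === "object" ? JSON.stringify(value) : String(value);
}

// Serializer that keeps nested values: the selected value is emitted as one
// output, and when it is an object each leaf field is additionally exposed
// as `<outputName>_<field>` so a workflow can read appId etc. directly.
function flattenOutputs(response, key, outputName) {
  const value = key ? response[key] : response;
  const outputs = { [outputName]: toOutputString(value) };
  if (value !== null && typeof value === "object") {
    for (const [field, leaf] of Object.entries(value)) {
      outputs[`${outputName}_${field}`] = toOutputString(leaf);
    }
  }
  return outputs;
}
```

Every string in the returned map that carries secretText (the `aad` JSON and `aad_secretText` here) is log-sensitive and should be registered as a masked value before it is set as an output.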

LanceMcCarthy commented 9 months ago

Workaround

If anyone else is reading this and having the same issue, I was able to write up a workaround by using the Akeyless REST API (instead of relying on the JavaScript SDK this action uses).

Get it here https://github.com/marketplace/actions/akeyless-aad-dynamic-secret

It's very easy to use:

  - id: aad-secret
    uses: LanceMcCarthy/akeyless-aad-secret@v1
    with:
      akeyless-secret-path: '/path-to/aad-dynamic-secret'
      akeyless-access-id: 'p-123456'
      akeyless-access-key: '${{ secrets.AKEYLESS_ACCESS_KEY }}'

Here's the wonderful output!

[image]