google-github-actions / deploy-cloudrun

A GitHub Action for deploying services to Google Cloud Run.
https://cloud.google.com/run
Apache License 2.0

secrets with random: '***' is not a valid secret name #524

Closed hfhbd closed 5 months ago

hfhbd commented 6 months ago

TL;DR

--update-secrets ^05^keyID=***:latest05privateKey=***:latest => '***' is not a valid secret name.

Expected behavior

No response

Observed behavior

No response

Action YAML

name: CD

on:
  release:
    types: [ created ]
  schedule:
    - cron: '0 6 * * *'
  workflow_dispatch:

env:
  service_name: todo

concurrency:
  group: "cd"
  cancel-in-progress: false

jobs:
  googleRun:
    runs-on: ubuntu-latest
    permissions:
      id-token: write

    steps:
      - name: Get latest release
        id: setup-version
        uses: hfhbd/actions/setup-version@main
        with:
          token: ${{ github.token }}
      - uses: actions/checkout@v4
        with:
          ref: ${{ steps.setup-version.outputs.full-tag }}
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          project_id: ${{ secrets.PROJECT_ID }}
          workload_identity_provider: projects/963273362268/locations/global/workloadIdentityPools/github-deployment/providers/github
          service_account: github-todo@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v2
        with:
          service: ${{ env.service_name }}
          region: europe-west4
          image: europe-west4-docker.pkg.dev/${{ secrets.PROJECT_ID }}/composetodo-repo/${{ env.service_name }}:${{ steps.setup-version.outputs.version }}
          secrets: |
            keyID=${{ secrets.CK_KEYID }}:latest
            privateKey=${{ secrets.CK_KEY }}:latest

Log output

Run google-github-actions/deploy-cloudrun@v2
  with:
    service: todo
    region: europe-west4
    image: europe-west4-docker.pkg.dev/***/composetodo-repo/todo:0.0.41
    secrets: keyID=***:latest
  privateKey=***:latest

    skip_default_labels: false
    no_traffic: false
  env:
    service_name: todo
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/ComposeTodo/ComposeTodo/gha-creds-33a45cdbcb2f435a.json
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/ComposeTodo/ComposeTodo/gha-creds-33a45cdbcb2f435a.json
    GOOGLE_GHA_CREDS_PATH: /home/runner/work/ComposeTodo/ComposeTodo/gha-creds-33a45cdbcb2f435a.json
    CLOUDSDK_CORE_PROJECT: ***
    CLOUDSDK_PROJECT: ***
    GCLOUD_PROJECT: ***
    GCP_PROJECT: ***
    GOOGLE_CLOUD_PROJECT: ***
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/71b323e8-d3b0-40cc-9a62-5ce9234b7dca -f /home/runner/work/_temp/66d8a662-6068-461a-b4ac-0056398a651a
Successfully authenticated
Running: gcloud run deploy todo --image europe-west4-docker.pkg.dev/***/composetodo-repo/todo:0.0.41 --update-secrets ^05^keyID=***:latest05privateKey=***:latest --update-labels ^02^managed-by=github-actions02commit-sha=a8952870ead390b1b39073af77ec71f8e977cd3e --format json --region europe-west4
Error: google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command `gcloud run deploy todo --image europe-west4-docker.pkg.dev/***/composetodo-repo/todo:0.0.41 --update-secrets ^05^keyID=***:latest05privateKey=***:latest --update-labels ^02^managed-by=github-actions02commit-sha=a8952870ead390b1b39073af77ec71f8e977cd3e --format json --region europe-west4`: ERROR: (gcloud.run.deploy) '***' is not a valid secret name.

Additional information

No response

sethvargo commented 6 months ago

What is the value of ${{ secrets.CK_KEY }}? It's usually better to store the references as variables instead of secrets, so they show in the log output.

hfhbd commented 6 months ago

What is the value of ${{ secrets.CK_KEY }}?

It is a base64-encoded X.509 private key.

sethvargo commented 6 months ago

That's not how the secrets integration works. Secrets are stored in Google Secret Manager and then referenced by id (e.g. projects/my-project/secrets/my-secret).

hfhbd commented 6 months ago

Well, it did work in the past and you mention it in the guide too:

Pass a secret using environment variables. Environment variables are resolved at instance startup time, so if you use this method, Google recommends that you pin the secret to a particular version rather than using latest.

BTW, is there any action to write/update secrets from GitHub Actions, to keep the secrets in the GitHub secrets store and not duplicate them in GCP too? There is https://github.com/google-github-actions/get-secretmanager-secrets to get a secret.

sethvargo commented 6 months ago

Sorry @hfhbd - we're talking about different things:

  1. To use the native Cloud Run secrets integration, the secrets must be stored in Google Secret Manager; you cannot pass raw secret material. When launching the Cloud Run service, you specify the identifier of a secret in Secret Manager (e.g. projects/my-project/secrets/my-secret). You can omit the project if the secret is in the same project as the Cloud Run service. It has never been possible to pass the raw contents of a secret.

  2. GitHub secrets are not at all related to Secret Manager secrets. You should not have secrets in two places, because that creates secret sprawl. As far as I know, there's nothing to synchronize secrets between GitHub and Secret Manager, because that is not a good security practice and violates the principle of least privilege.

Is there a reason that these secrets need to be stored in GitHub at all?
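
To make the first point concrete, this is the shape the `secrets:` input takes once the material lives in Secret Manager. It is an added example, not code from the issue or from the action's README; the secret IDs `ck-keyid`/`ck-key`, their version numbers and the project layout are assumptions, and the rest of the step mirrors the workflow posted above.

```yaml
# Added example (not from the issue or the action's README). Only the deploy step is
# shown; it slots into the workflow above. Assumed: Secret Manager secrets named
# ck-keyid (version 3) and ck-key (version 7) exist in the project the service runs in.
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v2
        with:
          service: ${{ env.service_name }}
          region: europe-west4
          image: europe-west4-docker.pkg.dev/${{ secrets.PROJECT_ID }}/composetodo-repo/${{ env.service_name }}:${{ steps.setup-version.outputs.version }}
          # Each line is ENV_VAR=SECRET_ID:VERSION. The value is a Secret Manager
          # reference, so it is not sensitive and needs no GitHub secret to hold it.
          # The projects/.../secrets/ prefix is optional when the secret is in the
          # service's own project. Pin a version number rather than "latest": a
          # version added later then cannot silently change what the next deploy injects.
          secrets: |
            keyID=ck-keyid:3
            privateKey=projects/${{ secrets.PROJECT_ID }}/secrets/ck-key:7
```

Moving the material is a one-time step outside the workflow, for example `printf '%s' "$PEM" | gcloud secrets create ck-key --data-file=-`, and the service's runtime service account (not the deploying one) needs roles/secretmanager.secretAccessor on each secret it references. With the GitHub secrets CK_KEYID and CK_KEY gone, the masking that turned the reference into '***' in the gcloud command goes away as well.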

melyux commented 5 months ago

Say I keep them in the Google Secret Manager. How can I have this GitHub Action use all of my secrets in the deployment? Because the secrets: field requires me to specify all the secrets, but if I keep my secrets in Google Secret Manager and I add a new secret, I now have to update my GitHub Actions workflow's secrets: field to include the new secret too.

sethvargo commented 5 months ago

Say I keep them in the Google Secret Manager. How can I have this GitHub Action use all of my secrets in the deployment?

You cannot - there is no option to automatically mount "all" secrets in Google Secret Manager into a Cloud Run service, and such an option would pose substantial security risk. This GitHub Action behaves the same as the gcloud CLI and the Cloud Run API, which require users to explicitly specify the secrets to mount into the container.

Because the secrets: field requires me to specify all the secrets, but if I keep my secrets in Google Secret Manager and I add a new secret, I now have to update my GitHub Actions workflow's secrets: field to include the new secret too.

You could build this yourself with a combination of gcloud secrets list and some string concatenation, but given the security risks of automatically mounting all secrets, this is not something we'd offer as a first-party option.
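
Here is what the "gcloud secrets list plus string concatenation" approach looks like when written with the guard a practitioner would want: instead of mounting everything in the project, only secrets carrying a label for the service are selected, and each name is checked against Secret Manager's ID rules before it is handed to gcloud (the check is what would have caught the '***' of the original report). This is an added example, not code from the thread or from deploy-cloudrun; the `service=<name>` label convention, the env-var naming rule and the 255-character limit are assumptions of the example, while `--filter`, `--format` and the GITHUB_OUTPUT heredoc syntax are standard.

```bash
#!/usr/bin/env bash
# Added example, not part of deploy-cloudrun or the thread above. It builds the
# multi-line `secrets:` input from Secret Manager, narrowed to secrets labelled for
# one service (label key "service" is an assumption) so that an unrelated secret in
# the project is never mounted by accident. gcloud is only needed in list_service_secrets.
set -eu

# Secret Manager secret IDs are letters, digits, underscores and hyphens (the 255
# character cap is assumed here). Anything else is refused before it reaches gcloud.
is_valid_secret_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 255 ]
}

# Reads Secret Manager names from stdin, one per line, either short ("ck-key") or
# full ("projects/P/secrets/ck-key"), and prints the KEY=SECRET:VERSION lines that
# deploy-cloudrun expects. The env-var name is derived from the secret ID
# (upper-cased, '-' becomes '_'); the version defaults to "latest".
build_secret_refs() {
  local version="${1:-latest}" line id env
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    id="${line##*/}"                      # strip any projects/.../secrets/ prefix
    if ! is_valid_secret_id "$id"; then
      printf 'refusing %s: not a Secret Manager secret ID\n' "$line" >&2
      return 1
    fi
    env="$(printf '%s' "$id" | tr 'a-z-' 'A-Z_')"
    printf '%s=%s:%s\n' "$env" "$id" "$version"
  done
}

# Lists only the secrets labelled service=<name>. --filter and --format are standard
# gcloud flags; value(name) prints one name per line.
list_service_secrets() {
  gcloud secrets list --filter="labels.service=$1" --format='value(name)'
}

# Publishes the block as a multi-line step output (heredoc form of GITHUB_OUTPUT),
# so a later step can pass secrets: ${{ steps.<id>.outputs.secrets }} to the action.
emit_github_output() {
  printf 'secrets<<EOF\n%s\nEOF\n' "$1" \
    >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is set only inside a workflow run}"
}

# Usage inside a workflow step:  ./collect-secrets.sh --run todo
if [ "${1:-}" = "--run" ]; then
  emit_github_output "$(list_service_secrets "${2:?service name required}" | build_secret_refs latest)"
fi
```

The selection is deliberately explicit: a secret only reaches the service after someone labels it for that service, which keeps the decision of what to mount as a reviewed change in Secret Manager rather than an implicit "everything in the project". Passing a version other than `latest` to build_secret_refs pins every reference to that version, in line with the guide text quoted earlier in the thread.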