google-github-actions / get-secretmanager-secrets

A GitHub Action for accessing secrets from Google Secret Manager and making them available as outputs.
https://cloud.google.com/secret-manager
Apache License 2.0

Secrets retrieval broken suddenly #303

Open royalnine opened 4 hours ago

royalnine commented 4 hours ago

TL;DR

Hi all - we started experiencing an issue in our CI that all of our workflows depending on secrets retrieval from GCP started to fail. These workflows have not been touched for many months and suddenly started failing today.

Expected behavior

secrets retrieved from GCP

Observed behavior

Firstly, projects/<PROJECT-ID>/secrets/<SECRET-NAME> is what we used and it was failing with:

Error: google-github-actions/get-secretmanager-secrets failed with: failed to access secret "projects/ projects/locations/<PROJECT-ID>/secrets/secrets/versions/<SECRET-NAME>": getaddrinfo ENOTFOUND secretmanager.<PROJECT-ID>.rep.googleapis.com

Notice the space after first projects/ in the path and also duplication of projects/ and secrets/.

Then I tried to bypass this by using a short path for latest versioned secret like:

<PROJECT-ID>/<SECRET-NAME> and now it is failing with:

Error: google-github-actions/get-secretmanager-secrets failed with: failed to access secret "projects/ <PROJECT-ID>/secrets/<SECRET-NAME>/versions/latest": 
"error": {
    "code": 403,
    "message": "Permission denied on resource project  <PROJECT-ID>.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.Help",
        "links": [
          {
            "description": "Google developers console",
            "url": "https://console.developers.google.com"
          }
        ]
      },
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CONSUMER_INVALID",
        "domain": "googleapis.com",
        "metadata": {
          "service": "secretmanager.googleapis.com",
          "consumer": <>
        }
      }
    ]
  }
}

in this one, please notice the space after projects/.

Action YAML

...
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v2
        with:
          <AUTH INFO>

      - name: Retrieve secrets from GCP Secrets Manager
        id: get-secrets
        uses: google-github-actions/get-secretmanager-secrets@v2
        with:
          secrets: |
            NODE_API_KEY: <PROJECT-ID>/<SECRET-NAME>
            NODE_RPC_URL: <PROJECT-ID>/<SECRET-NAME>

      ...


Log output

No response

Additional information

No response

royalnine commented 3 hours ago

To whoever might be experiencing the same. What fixed this for me was to get rid of the space in:

NODE_API_KEY: <PROJECT-ID>/<SECRET-NAME>
NODE_RPC_URL: <PROJECT-ID>/<SECRET-NAME>

to become:

NODE_API_KEY:<PROJECT-ID>/<SECRET-NAME>
NODE_RPC_URL:<PROJECT-ID>/<SECRET-NAME>

it did use to work with a space but 🤷
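
Added example, not part of the thread and not the action's source: a hypothetical positional parser (`naiveParse`) that reproduces both malformed paths and the regional hostname from the errors above when the space after the colon is kept, next to a variant (`strictParse`) that trims and validates each component before building the path. The project and secret names and the component charset are assumptions.

```javascript
// Added illustration; NOT the action's source. naiveParse is a hypothetical
// positional parser whose output matches the paths in the errors above.
const GLOBAL_HOST = "secretmanager.googleapis.com";

function build(project, location, name, version) {
  const loc = location ? `/locations/${location}` : "";
  return {
    path: `projects/${project}${loc}/secrets/${name}/versions/${version}`,
    // Regional hostname form as it appears in the ENOTFOUND error.
    host: location ? `secretmanager.${location}.rep.googleapis.com` : GLOBAL_HOST,
  };
}

function naiveParse(ref) {
  const p = ref.split("/");
  if (p.length === 2) return build(p[0], null, p[1], "latest");
  if (p.length === 4 && p[0] === "projects" && p[2] === "secrets")
    return build(p[1], null, p[3], "latest");
  // Any other 4-part value is read as project/location/name/version.
  if (p.length === 4) return build(p[0], p[1], p[2], p[3]);
  throw new Error(`unsupported reference: ${JSON.stringify(ref)}`);
}

// Assumed conservative charset for every path component; widen if your IDs need it.
const COMPONENT = /^[A-Za-z0-9_-]+$/;

function strictParse(ref) {
  const trimmed = ref.trim();
  for (const part of trimmed.split("/")) {
    if (!COMPONENT.test(part))
      throw new Error(`invalid component ${JSON.stringify(part)} in ${JSON.stringify(ref)}`);
  }
  return naiveParse(trimmed);
}

// Split "OUTPUT_NAME: reference" on the first colon without trimming,
// so the space after the colon stays in the reference.
function splitLine(line) {
  const i = line.indexOf(":");
  return [line.slice(0, i), line.slice(i + 1)];
}

// Constructed sample lines (project and secret names are made up).
for (const line of ["NODE_API_KEY: projects/my-project/secrets/api-key",
                    "NODE_RPC_URL: my-project/rpc-url"]) {
  const [name, ref] = splitLine(line);
  console.log(name, "naive :", naiveParse(ref).path, "@", naiveParse(ref).host);
  console.log(name, "strict:", strictParse(ref).path, "@", strictParse(ref).host);
}
```

Rejecting a component that fails validation, instead of passing it through, turns a confusing DNS or 403 error into an immediate input error that names the offending value.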