hashicorp / setup-terraform

Sets up Terraform CLI in your GitHub Actions workflow.
https://developer.hashicorp.com/terraform/tutorials/automation/github-actions
Mozilla Public License 2.0

If an API Token is supplied as a secret to the script it is not recognized further in CI #368

Closed DanilKrymskyi closed 10 months ago

DanilKrymskyi commented 10 months ago

Hello there!

Encountering an issue when providing an API Token via cli_config_credentials_token as a secret results in the following error:

```yaml
- name: Set up Terraform
  uses: hashicorp/setup-terraform@v2
  with:
    terraform_version: 1.6.2
    cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

- name: Initialize Terraform
  run: terraform init
```

```text
Error: Required token could not be found

Run the following command to generate a token for app.terraform.io:
terraform login

Error: Terraform exited with code 1.
Error: Process completed with exit code 1.
```

DEBUG LOG:

```text
## [debug] Evaluating condition for step: 'Set up Terraform'
[debug] Evaluating: success()
[debug] Evaluating success:
[debug] => true
[debug] Result: true
[debug] Starting: Set up Terraform
[debug] Loading inputs
[debug] Evaluating: secrets.TF_API_TOKEN
[debug] Evaluating Index:
[debug] ..Evaluating secrets:
[debug] ..=> Object
[debug] ..Evaluating String:
[debug] ..=> 'TF_API_TOKEN'
[debug] => null
[debug] Result: null
[debug] Loading env
Run hashicorp/setup-terraform@v2
  with:
    terraform_version: 1.6.2
    cli_config_credentials_hostname: app.terraform.io
    terraform_wrapper: true
```

Seems like the secret is null, but I set the same value as for a variable.

However, if the token is passed as a variable using vars., it works correctly and results in Terraform Cloud being successfully initialized!

```yaml
- name: Set up Terraform
  uses: hashicorp/setup-terraform@v2
  with:
    terraform_version: 1.6.2
    cli_config_credentials_token: ${{ vars.TF_API_TOKEN }}

- name: Initialize Terraform
  run: terraform init
```

bflad commented 10 months ago

Hi @DanilKrymskyi 👋 Thank you for raising this and sorry you are running into trouble here.

To the best of my knowledge, the interpolation of secrets and variables in a GitHub Actions workflow configuration occurs within GitHub Actions before the value is sent to the action being called. It seems like you are already observing that behavior with debug logging from your issue description:

```text
[debug] Evaluating: secrets.TF_API_TOKEN
[debug] Evaluating Index:
[debug] ..Evaluating secrets:
[debug] ..=> Object
[debug] ..Evaluating String:
[debug] ..=> 'TF_API_TOKEN'
[debug] => null
```

Another way you could try to verify the secret value is accessible by the workflow and being passed correctly is via a run step such as (GitHub will automatically mask the real value in actions logging):

```yaml
- run: echo ${{ secrets.TF_API_TOKEN }}
```

There are a variety of settings that affect secret visibility in a workflow. You might find the GitHub documentation on secrets handy for this case: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions

Unfortunately beyond that, there is nothing that can be done in this action to resolve the workflow or secret issue in your setup, so I'm going to close this issue since we only use this issue tracker for bug reports or feature requests with the action itself. If you have continuing issues, I would suggest reaching out to GitHub actions support or HashiCorp Discuss where questions are more likely to be answered. Thanks!
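
A preflight check for the situation discussed in this thread, as an added example (not part of any comment above and not code from the setup-terraform project): it reports whether each named secret reached the job, reading it from the step's environment instead of interpolating it into the command line, and never prints the value. The script name `preflight.sh`, the function names and the hint texts are assumptions of this example; a secret that evaluates to null arrives in the step as an empty environment variable.

```shell
#!/bin/sh
# Added example. Assumed wiring (script name and step are hypothetical):
#   - name: Preflight secrets
#     env:
#       TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
#     run: sh ./preflight.sh TF_API_TOKEN

# secret_state NAME: prints set | empty | invalid, never the value itself.
secret_state() {
  case "$1" in
    '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) echo "invalid"; return 2 ;;
  esac
  eval "_val=\${$1-}"   # safe: $1 was validated as a plain variable name
  if [ -n "$_val" ]; then echo "set"; else echo "empty"; fi
  unset _val
}

# likely_cause: one hint chosen from the runner's default environment variables.
likely_cause() {
  if [ "${GITHUB_ACTOR-}" = "dependabot[bot]" ]; then
    echo "Dependabot-triggered runs read Dependabot secrets, not Actions secrets."
  elif [ "${GITHUB_EVENT_NAME-}" = "pull_request" ]; then
    echo "If this pull_request comes from a fork, secrets are not passed to it."
  else
    echo "Check that it exists as a secret (not only as a variable) in a scope this job can read."
  fi
}

# require_secrets NAME...: emits one error annotation per unusable name and
# returns how many were unusable (0 means every secret reached the job).
require_secrets() {
  _missing=0
  for _name in "$@"; do
    _state=$(secret_state "$_name") || true
    if [ "$_state" != "set" ]; then
      _missing=$((_missing + 1))
      echo "::error title=Secret unavailable::$_name is $_state. $(likely_cause)"
    fi
  done
  return "$_missing"
}

# Run only when names are given on the command line.
if [ "$#" -gt 0 ]; then require_secrets "$@"; fi
```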

github-actions[bot] commented 3 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.