mcmarkj / 1password-actions

Github Action for fetching secrets from 1Password (Via Connect)
MIT License

Random failures #2

Closed amontalban closed 8 months ago

amontalban commented 2 years ago

Hi @mcmarkj !

Thank you for writing this action, it is really helpful.

We are running the 1Password connector inside the workflow by doing this in a previous step:

    docker run ${{ env.MOUNT_1PASSWORD_CREDENTIALS }} --name op-connect-api --publish 8080:8080 -d 1password/connect-api:latest
    docker run ${{ env.MOUNT_1PASSWORD_CREDENTIALS }} --name op-connect-sync --publish 8081:8080 -d 1password/connect-sync:latest

And then using your action with:

    - "id": "get-sentry-auth-token"
      "name": "Retrieve Token from 1Password"
      "uses": "mcmarkj/1password-actions@v2"
      "with":
        "connect-server-token": "${{ secrets.ONEPASSWORD_CONNECT_SERVER_TOKEN }}"
        "connect-server-url": "http://localhost:8080"
        "export-env-vars": "true"
        "secret-path": |
          My Vault > My Secret > username | MY_VAR

It works most of the time, however in some cases it fails with this error:

    Error: socket hang up
    Error: Can't find vault.

How hard would it be to have some sort of retry? Unfortunately, we cannot use this action to retry https://github.com/nick-fields/retry like we do with other commands.

Thank you in advance!

mcmarkj commented 2 years ago

Hey @amontalban

Wow that's interesting, never seen that before.

Happy to add some retry functionality to the action. If you're comfortable doing it, feel free to open a PR. Otherwise I'll most likely pick this up next week.

Cheers Mark

amontalban commented 2 years ago

Hey @mcmarkj,

Thank you for your response, and sorry for my delay; I was on vacation last week.

Unfortunately, my TypeScript knowledge is minimal so I don't know how to help on this, sorry.

But please let me know if I can help somehow.

Thanks!

amontalban commented 2 years ago

Hi @mcmarkj,

I think that the root cause is that when you start the 1password/connect-api container, it will not sync the account data until you authenticate with the token for the first time.

Unfortunately, we switched to https://github.com/1Password/load-secrets-action repository (which had another issue that I fixed in https://github.com/1Password/load-secrets-action/pull/10), but I added this as a prior step to make sure the API is in sync before trying to use it.

        until [ "$(curl -H "Authorization: Bearer ${{ env.OP_CONNECT_TOKEN }}" -sLo - http://localhost:8080/health | jq -r '.dependencies[] | select(.service=="account_data") | .status')" == "AVAILABLE" ]; do sleep 1; done

So maybe you can add a check for that before trying to access its data.

Thank you!
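
Added example, not part of the thread or of either action's code: a bounded version of the readiness wait from the comment above, in JavaScript for Node 18+, which gives up after a deadline instead of looping forever and keeps the bearer token out of error messages. It assumes the `/health` response shape implied by the jq filter; `accountDataAvailable`, `waitForConnect` and the option names are hypothetical.

```javascript
// Added example, not code from mcmarkj/1password-actions. Function names and
// option names are hypothetical. Requires Node 18+ for the global fetch.

// True only when /health lists account_data as AVAILABLE (the same condition
// as the jq filter in the comment above). Malformed bodies count as not ready.
function accountDataAvailable(health) {
  const deps = health && Array.isArray(health.dependencies) ? health.dependencies : [];
  return deps.some((d) => d && d.service === "account_data" && d.status === "AVAILABLE");
}

// Polls <baseUrl>/health until account data is synced; resolves with the number
// of attempts used, rejects once the deadline would be exceeded.
async function waitForConnect(baseUrl, token, opts = {}) {
  const {
    timeoutMs = 60000,
    intervalMs = 1000,
    fetchImpl = fetch, // injectable so the loop can be exercised offline
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  const deadline = Date.now() + timeoutMs;
  let lastError = "";
  for (let attempt = 1; ; attempt++) {
    try {
      const res = await fetchImpl(new URL("/health", baseUrl), {
        headers: { Authorization: `Bearer ${token}` },
      });
      if (res.ok && accountDataAvailable(await res.json())) return attempt;
      lastError = `HTTP ${res.status}, account_data not AVAILABLE`;
    } catch (err) {
      // Connection errors such as "socket hang up" are expected during startup.
      lastError = err.message;
    }
    if (Date.now() + intervalMs > deadline) {
      // The message carries status text only, never the bearer token.
      throw new Error(`Connect not ready after ${attempt} attempt(s): ${lastError}`);
    }
    await sleep(intervalMs);
  }
}
```
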

mcmarkj commented 2 years ago

Hey @amontalban

That's really interesting, that sounds more like an issue with the implementation of the connect API than necessarily this GitHub Action having a bug etc.

I guess that curl you are running could be run before you use this action and that would have resolved your issue?

Regardless, I do think a retry option sounds like a nice bit of functionality, so think it's worth keeping this issue open and implementing it when I get a chance.

Hope you have success with the other action and thanks again for your feedback 😄

mcmarkj commented 8 months ago

I'm going to close this issue as I believe it's down to how you've implemented the connect API.