Skip output 'AWS_ACCOUNT_ID' since it may contain secret

[jonathan-be21]

Hi everyone

we’re using multiple “::set-output” statements in order to pass vars between jobs.

previously everything worked perfectly, but since we’ve changed some Var’s values - we’re receiving the following warning:

the VAR isn’t holds any secret value so i have no problem with showing it up, but we can’t use github secret instead as we the value is dynamic.

how should we tell github to stop treating those values as a secret?

[weide-zhou]

Hi @jonathan-be21,

Glad to see you in Github Community Forum!

This is by designed. Once you change the secrets value and it becomes part of the var value, the warning will happen, it’s automatically by github action and cannot be avoided.

As the doc mentioned:

Job outputs are strings, and job outputs containing expressions are evaluated on the runner at the end of each job. Outputs containing secrets are redacted on the runner and not sent to GitHub Actions .

Thanks

[jonathan-be21]

Hi @weide-zhou,

i wasn’t talking about using a github secret. i’m using a simple env var that github actions thinks it’s a secret.

it’s not a secret value by any mean (it’s just a long number actually)

[weide-zhou]

Hi @jonathan-be21,

Thanks for your reply!

Sorry i’m a little confused, could you please provide a sample code for further investigation?

If your var value is a long number, for example: 123456789, and using a secret (value set as 456) other place in the workflow, the warning will happen. The job output cannot get the value.

I repro the error on my side:
My workflow file: https://github.com/weide-zhou/ticket13/actions/runs/176889434/workflow
Workflow run: https://github.com/weide-zhou/ticket13/runs/893614256?check_suite_focus=true#step:3:19

Thanks

[jonathan-be21]

@weide-zhou thank you for your help so far.

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      AWS_ACCOUNT_ID:      ${{ steps.retrieve_secrets.outputs.AWS_ACCOUNT_ID }}
      ECR_REPO_URI:        ${{ steps.retrieve_secrets.outputs.ECR }}        
steps:      
  - name: "Checkout current repo"
    uses: actions/checkout@v2

  - name: "Configure AWS credentials"
    uses: aws-actions/configure-aws-credentials@v1

  - name: "Retrieve Secrets"
    id: retrieve_secrets
    shell: bash        
    run: |
      # Get secrets
      aws secretsmanager get-secret-value --secret-id $SECRET > ENV_VARS.json
      echo "::set-output name=AWS_ACCOUNT_ID::$(cat ENV_VARS.json | jq -r '.AWS_ACCOUNT_ID')"
      echo "::set-output name=ECR::$(cat ENV_VARS.json | jq -r '.ECR')"

As you can see, I’ve never declared a secret but still receive the above error

[weide-zhou]

Hi @jonathan-be21,

What’s display in the log for step “Retrieve Secrets”? Does it contain star ‘*’? like below:
echo "::set-output name=AWS_ACCOUNT_ID::1212**3434

Is there any secrets in your workflow other places? And how you define $SECRET in the yaml?

Thanks

[jonathan-be21]

@weide-zhou no, the display shows only:
##[warning]Skip output ‘AWS_ACCOUNT_ID’ since it may contain secret

I’m working around it by setting an hardcoded github secret, but even if it was a real secret such as password (which isn’t the case), how else should i pass it between jobs?

I’m using multiple envs and secrets, this is the only env that fails with that error.

the $SECRET is a simple json:
{
“AWS_ACCOUNT_ID”:“1234”
}

[weide-zhou]

Hi @jonathan-be21,

I cannot reproduce the issue, please check my workflow: https://github.com/weide-zhou/ticket13/runs/902090365?check_suite_focus=true

If the output in step Retrieve Secrets doesn’t contain star *, which means it doesn’t contain the secrets. And the error will not happen.

Hence, could you please provide a sample repository for futher investigation?

Thanks

[fmb-chin]

@jonathan-be21 I got this issue, too.
But I found the root cause.

aws-actions/configure-aws-credentials@v1 will addMask for our aws accountid

image1410×476 40.3 KB

you can use mask-aws-account-id: 'no' to avoid the issue.

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1
        mask-aws-account-id: 'no'

[stephendarling]

Worked perfectly, thanks!

[ventz]

Thanks for sharing this! Wasted a lot of time trying to figure out why when passing a private AWS ECR string from one job to another, the output would not "make it over". What's worse, in the simple test cases it worked perfectly, due to configure-aws-credentials not being there. It turns out, the private ECRs contain the account #, and Github incorrectly filtered the string output as it was passed to another job. Posting this here in case it saves others some time in debugging this exact issue.

[MaNDiL555]

This fix the issue for aws-account-id but I'm facing the similar issue for other output
REPO_NAME: ${{ env.REPO_NAME }}
PROJECT_NAME: ${{ env.PROJECT_NAME }}

And I get
Warning: Skip output 'REPO_NAME' since it may contain secret.
Warning: Skip output 'PROJECT_NAME' since it may contain secret.

Skip output 'REPO_NAME' since it may contain secret.

And most frustrating thing is that I have few more apps , with also same code, same action version and this happens only for this app

[ChenXiyu]

Hi Folks, I got this problem too. And my output has nothing related to the AWS as well as any kind of secrets.

The result I got is: Warning: Skip output 'images' since it may contain secret. and I cannot access the value from downstream jobs.

Hi @weide-zhou, I saw you asked a question:

What’s display in the log for step “Retrieve Secrets”? Does it contain star ‘*’.

The answer in my case is YES.
The log looks like this:

echo "::set-output name=images::***/sub2conf:2349712309847"

And actually the value I set to the images is not a secret, the full value I gave is 94xychen/sub2conf:2349712309847

I guess this is because github detected it as secret by wrong, and I did not found any way to disable that functionality from both google and stackoverflow.

Am I missed something? Any hints you can provide?

For more informations:
Here is the example

---

[ChenXiyu]

Alright, I guess I found the issue.

The value 94xychen been detected as a secret and been masked is because that it is the exactly same value with one of my repo level secret.

That is my docker-hub username, I putted it into my repo level secrets along with the docker-hub token.

I cannot tell whether this is a good idea or not, I just thought this mechanism may exposure secrets.

Anyway, I have changed my implementation from utilizing github output to use artifacts action, that make more sense in my case.

[bob-bins]

fmb-chin:

configure-aws-credentials

Thank you so much for this. The mask-aws-account-id input is not documented in the current version of aws-actions/configure-aws-credentials so I spent hours trying to first figure out why my output kept reading as an empty string and then figure out how the heck to make this non-secret that github thinks is a secret to be passed as an output. Such a frustrating issue!

[orihomie]

Thanks for sharing! Have you worked around this somehow?

[ChenXiyu]

Yes, for me. Because the value that been masked is not really a secrete, So I just removed it from Github Secretes and putted it into repo directly.

[ckingbailey]

I’ve opened an issue on the configure-aws-credentials repo to request that this be documented

[RichardTMiles]

bob-bins:

aws-actions/configure-aws-credentials

This was also a solution for me, I’ve verified @bob-bins in that no documentation is found on the readme. I have posted this quickly as suggestion to another README.md pull request on the repo.

  <a href="https://github.com/aws-actions/configure-aws-credentials/pull/430" target="_blank" rel="noopener nofollow ugc">github.com/aws-actions/configure-aws-credentials</a>

Update README.md

<div class="branches">
  <code>aws-actions:master</code> ← <code>liwadman:master</code>
</div>

<div class="github-info">
  <div class="date">
    opened <span class="discourse-local-date" data-format="ll" data-date="2022-04-26" data-time="22:53:30" data-timezone="UTC">10:53PM - 26 Apr 22 UTC</span>
  </div>

  <div class="user">
    <a href="https://github.com/liwadman" target="_blank" rel="noopener nofollow ugc">
      <img alt="liwadman" src="https://user-images.githubusercontent.com/9538357/181098990-3f759dc4-f1f2-45c6-85d2-5ae638abd383.png" class="onebox-avatar-inline" width="20" height="20">
      liwadman
    </a>
  </div>

  <div class="lines" title="1 commits changed 1 files with 2 additions and 1 deletions">
    <a href="https://github.com/aws-actions/configure-aws-credentials/pull/430/files" target="_blank" rel="noopener nofollow ugc">
      <span class="added">+2</span>
      <span class="removed">-1</span>
    </a>
  </div>
</div>

Added explicit language that this action is not supported on github currently. … *Issue #, if available:*

N/A

Description of changes:

I added clarifying language that says that the tagging with web identity tokens is not currently supported with github actions currently, as to not require customers to discover this themselves.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Many pull requests are open, not sure how active BDFL is.