
POSIX Warning on compliant secret #20

Closed
rvoitenko opened this issue Feb 18, 2021 · 5 comments

Comments

@rvoitenko

rvoitenko commented Feb 18, 2021

Hello,

I always get warnings about secret names not being POSIX compliant.
To verify it I've created secret "TEST" with key "KEY" and value "VALUE", so its JSON looks like:

{
  "KEY": "VALUE"
}

and the step looks like this:

    - name: Read secrets from AWS Secrets Manager into environment variables
      uses: abhilash1in/[email protected]
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: eu-west-1
        secrets: TEST
        parse-json: true

In debug mode I see the following:

##[debug]Secret name 'TEST.KEY' is not POSIX compliant. It will be transformed to 'TEST_KEY'.
##[debug]Injecting environment variable 'TEST_KEY'.
##[debug]Node Action run completed with exit code 0
##[debug]TEST_KEY='***'
##[debug]Finishing: Read secrets from AWS Secrets Manager into environment variables

Which means that 'TEST.KEY' is analyzed as the secret name, but it is not the secret name. It's the concatenated secret name + '.' + secret key.
Is this a bug?

@abhilash1in
Owner

abhilash1in commented Feb 19, 2021

This is not a bug.

You have parse-json set to true. In this case, if your AWS secret value is a valid JSON string, it will be parsed and all keys inside the JSON will become individual secrets with their name in the format {Original AWS Secret Key}.{JSON Key} (it is standard practice to use a period . while flattening JSON objects). Due to this, the new secret name becomes TEST.KEY, which is then transformed into TEST_KEY to make it compliant.

If you set parse-json to false, the secret name will remain TEST. Note that the secret value will be the raw AWS secret value (JSON string "{\n \"KEY\": \"VALUE\"\n}") in this case.

@rvoitenko
Author

Thank you for the explanation.
But that means that with "parse-json=true" you always get this warning.
Maybe change the logic and make an exception: when JSON flattening happens, analyze the left part and the right part of {Original AWS Secret Key}.{JSON Key} separately?

@abhilash1in
Owner

abhilash1in commented Feb 19, 2021

That makes sense. I'll look into it. Thank you for the suggestion! For now, you can safely ignore the warning.

I think using {Original AWS Secret Key}_{JSON Key} instead of {Original AWS Secret Key}.{JSON Key} will suppress the warning.

Feel free to submit a PR if you want to make the change yourself :)
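The flattening and the per-part check suggested in this thread, as an added JavaScript example that is not the action's own code (the POSIX_NAME regex, the toPosixName replacement rule and the injectSecret function are assumptions about how such a check could be written, not code from abhilash1in/aws-secrets-manager-action):

```javascript
// Added example: flatten a JSON-valued secret into environment-variable names,
// checking the secret name and each JSON key for POSIX compliance separately
// and joining them with '_' instead of '.', as suggested in the thread.
// The regex and the replacement rule below are assumptions, not the action's code.
const POSIX_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Replace every character not allowed in a POSIX env var name with '_' and
// prefix '_' if the result would otherwise start with a digit.
function toPosixName(name) {
  let out = name.replace(/[^A-Za-z0-9_]/g, '_');
  if (/^[0-9]/.test(out)) out = '_' + out;
  return out;
}

// Returns { vars: { ENV_NAME: value }, warnings: [string] }.
// With parseJson=false (or a value that is not a JSON object) the raw value is
// injected under the secret name itself, as described in the thread.
function injectSecret(secretName, rawValue, parseJson) {
  const warnings = [];
  const vars = {};
  const add = (parts, value) => {
    // Check each part on its own, so a compliant name joined to a compliant
    // key never triggers a warning just because of the separator.
    const fixed = parts.map((p) => {
      if (POSIX_NAME.test(p)) return p;
      const t = toPosixName(p);
      warnings.push(`Secret name part '${p}' is not POSIX compliant. It will be transformed to '${t}'.`);
      return t;
    });
    const envName = fixed.join('_');
    // Transforming characters to '_' can make two different keys map to one
    // variable name; flag that rather than silently overwriting.
    if (envName in vars) warnings.push(`Environment variable '${envName}' is set more than once; the later value wins.`);
    vars[envName] = value;
  };

  let parsed = null;
  if (parseJson) {
    try { parsed = JSON.parse(rawValue); } catch { parsed = null; }
  }
  if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
    for (const [k, v] of Object.entries(parsed)) {
      add([secretName, k], typeof v === 'string' ? v : JSON.stringify(v));
    }
  } else {
    add([secretName], rawValue);
  }
  return { vars, warnings };
}
```

With the thread's secret TEST = {"KEY": "VALUE"} this yields TEST_KEY='VALUE' and no warning; a secret named my-app with key db.host still warns once per non-compliant part.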

@rvoitenko
Author

Ok, thanks for the suggestion. I can ignore the warnings, but it's annoying, because when I have a secret with 5 key/values inside I get 5 warnings :) even if I need only one key.
I will try to submit a PR after my local testing.

cbui added a commit to cbui/aws-secrets-manager-action that referenced this issue Jul 21, 2021
@emmanuelnk

emmanuelnk commented Aug 20, 2021

Hi, I'm still getting this error even with the latest commit. I think this issue should be re-opened.

As you can see from the screenshot, I'm using the latest commit.

