github-actions

How to redact a dynamic environment variable GitHub Actions?


I have a GitHub Action where I am dynamically retrieving an AWS Access Key ID & Secret Access Key. I set those as outputs, and then pass those into my next step where I set them as environment variables, and call my action.

- name: Set Terraform Output to GitHub Actions Output
  id: terraformOutput
  run: |
    echo ::set-output name=codeDeployAccessKeyID::$(cat terraformOutput.json | jq -r .codeDeployAccessKeyID.value)
    echo ::set-output name=codeDeploySecretAccessKey::$(cat terraformOutput.json | jq -r .codeDeploySecretAccessKey.value | base64 --decode | gpg -d -q)
- name: CodeDeploy
  env:
    AWS_ACCESS_KEY_ID: ${{ steps.terraformOutput.outputs.codeDeployAccessKeyID }}
    AWS_SECRET_ACCESS_KEY: ${{ steps.terraformOutput.outputs.codeDeploySecretAccessKey }}
  run: aws-code-deploy

This works perfectly, however, when I look at the logs for my GitHub Action, I can see the AWS_SECRET_ACCESS_KEY environment variable in plain text.

This is not very secure at all.

In past projects when I was using GitHub Actions Secrets, these values would be redacted and replaced with ***. Again, that is not a solution here though, since the secrets can change, and I need to be able to dynamically pull them in the action.

Is there a way to redact these dynamic outputs and mark them as secure or sensitive somehow to allow them to be passed in as environment variables, but not have them shown in the GitHub Actions log?


Solution

  • You could mask it manually like

    AWS_SECRET_ACCESS_KEY="access-key"
    echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
    

    Or you could use the @actions/core package GitHub provides to mask the secret:

    const core = require("@actions/core");
    
    core.setSecret("access-key");
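Putting the two halves of the question together as an added example (this is not code from the question or the answer): a step script that reads the dynamic credentials out of terraformOutput.json with jq, registers each value with ::add-mask:: before anything can echo it, and then hands it to the next step through the $GITHUB_OUTPUT file. The function names, the placeholder credentials and the sample JSON are constructed for the example; the jq path `.<key>.value` is the one from the question.

```shell
#!/bin/sh
# Added example, not the question's or the answer's own code. It shows the
# ordering that matters: register a dynamic value with ::add-mask:: BEFORE
# anything echoes it, then pass it to later steps through $GITHUB_OUTPUT
# (the file-based replacement for the deprecated ::set-output command).
# Assumes jq is installed and the JSON shape from the question.

# mask_value VALUE: emit the workflow command that makes the runner replace
# VALUE with *** in every later log line. add-mask matches a single line,
# so a multi-line value (a PEM key, for example) is masked line by line.
mask_value() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done
}

# publish_output NAME VALUE: mask VALUE, then append NAME=VALUE to the
# $GITHUB_OUTPUT file so a later step can read steps.<id>.outputs.NAME.
# Single-line values only; multi-line outputs need the heredoc form.
publish_output() {
  mask_value "$2"
  printf '%s=%s\n' "$1" "$2" >> "${GITHUB_OUTPUT:-/dev/stdout}"
}

# read_secret FILE KEY: pull .KEY.value out of the Terraform output JSON.
read_secret() {
  jq -r --arg k "$2" '.[$k].value' "$1"
}

# demo: constructed terraformOutput.json with placeholder credentials, run
# through the same read -> mask -> publish sequence a real step would use.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
{"codeDeployAccessKeyID": {"value": "AKIAEXAMPLEPLACEHOLDER"},
 "codeDeploySecretAccessKey": {"value": "example-secret-placeholder"}}
EOF
  key_id=$(read_secret "$tmp" codeDeployAccessKeyID)
  secret=$(read_secret "$tmp" codeDeploySecretAccessKey)
  rm -f "$tmp"
  publish_output codeDeployAccessKeyID "$key_id"
  publish_output codeDeploySecretAccessKey "$secret"
}

if command -v jq >/dev/null 2>&1; then demo; fi
```

Run locally, the ::add-mask:: lines are just printed; on a runner they are consumed as workflow commands and the value is redacted in every later log line of that job, including the env block of the CodeDeploy step.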