akeyless-github-action's People

Contributors

amirmao, diabawada, omriezra

Forkers

lancemccarthy

akeyless-github-action's Issues

Azure Dynamic Secret Issue

Hi Team,

First, love the work on expanding the functionality and pushing this out to the marketplace. Unfortunately, I have discovered an issue with this that is also present in my action... I am unable to get the values of the AAD dynamic secret.

Let me set you up properly.

Understanding the Azure AD Akeyless Response

This is what you get when using the Akeyless CLI when fetching an Azure AD dynamic secret.

{
  "id": "{\"secret_name\":\"tmp.p-m9vvgiii6rip.kj36S\",\"secret_key_id\":\"0c46516c-076e-4e69-bcf3-7c2fcac265a7\"}",
  "msg": "User  has been added successfully to the following Group(s): [] Role(s): [] Expires on Thu Aug 10 14:38:59 UTC 2023",
  "secret": {
    "appId": "207ff3fc-f6e3-4467e-babf-66b62e047be7",
    "displayName": "tmp.p-m9vvgiii6rip.kj36S",
    "keyId": "0c46516c-3456-4e69-bcf3-7c2fcac265a7",
    "secretText": "xrk8Q~qvnUbBHfXlCmaTdIakNyLc8xC.50gBqa0K",
    "tenantId": "bd47e796-1234-4b8a-9101-1f4c0c7af31a"
  },
  "ttl_in_minutes": "60"
}

Notice how the important values we need to use are inside the secret value:

image

Problem

In my Action, this never gets properly parsed by the SDK, and it also seems you might be experiencing the same problem. Here is what happens when I run this action and try to get the value for secret.

image

Repro 1 - Using key: "secret" For Precision

You can reproduce this with the following YAML. Notice I am using key=secret to be able to ignore the rest of the top-level values:

      - name: Fetch AKeyless Secret
        id: akeyless
        uses: akeyless-community/[email protected]
        with:
          access-id: 'p-XXXXXXXX'
          dynamic-secrets: |
            - name: "/path/to/my/azure-ad-dynamic-secret/"
              output-name: "aad"
              key: "secret"
          access-type: jwt

      - name: Verify Outputs
        run: |
          echo "appId: ${{ steps.akeyless.outputs.appId }}"
          echo "secretText: ${{ steps.akeyless.outputs.secretText }}"
          echo "tenantId: ${{ steps.akeyless.outputs.tenantId }}"
          echo "displayName: ${{ steps.akeyless.outputs.displayName }}"
          echo "keyId: ${{ steps.akeyless.outputs.keyId }}"

Repro 2 - Reading Entire Response

If you want to avoid the error, you can run it like this (without declaring key: "secret"):

      - name: Fetch AKeyless Secret
        id: akeyless
        uses: akeyless-community/[email protected]
        with:
          access-id: 'p-XXXXXXXX'
          dynamic-secrets: |
            - name: "/path/to/my/azure-ad-dynamic-secret/"
              output-name: "aad"
          access-type: jwt

      - name: Verify Outputs
        run: |
          # capture the nested object; quoting keeps the JSON intact for jq
          aadSecret=$(echo '${{ steps.akeyless.outputs.aad }}' | jq -c '.secret')

          echo "$aadSecret" | jq -r '.appId'
          echo "$aadSecret" | jq -r '.secretText'
          echo "$aadSecret" | jq -r '.tenantId'
          echo "$aadSecret" | jq -r '.displayName'
          echo "$aadSecret" | jq -r '.keyId'

This will output the rest of the dynamic secret's values, but not secret.appId, secret.tenantId, etc. In fact, it still breaks when trying to read the value of secret:

image

Resolution

Either of these two outcomes would be considered a resolution.

  • An example that doesn't set the key, but is able to iterate over the sub-keys of secret
  • An update to the action that lets me set key: "secret" and then be able to access the values of appId, tenantId and secretText
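As an added example (not the action's own code and not part of the issue above), here is how a workflow step could publish the sub-keys of `secret` as outputs without setting `key:`; the helper names `secret_outputs` and `publish`, the `AAD_JSON` environment variable and the sample response are assumptions, and the helper also covers the case where a sub-object arrives as a JSON-encoded string, as the `id` field does.

```python
import json
import os

# Constructed sample shaped like the issue's Azure AD response; values are fake.
SAMPLE_RESPONSE = json.dumps({
    "id": '{"secret_name":"tmp.example","secret_key_id":"00000000-0000-0000-0000-000000000000"}',
    "secret": {
        "appId": "00000000-0000-0000-0000-000000000001",
        "displayName": "tmp.example",
        "keyId": "00000000-0000-0000-0000-000000000002",
        "secretText": "FAKE-secret-text",
        "tenantId": "00000000-0000-0000-0000-000000000003",
    },
    "ttl_in_minutes": "60",
})


def secret_outputs(raw, key="secret", prefix=""):
    """Map every scalar under `key` to an output name (assumed helper name).
    A sub-object delivered as a JSON-encoded string (the `id` field is shaped
    that way) is parsed so its keys stay reachable; non-objects go under `key`."""
    data = json.loads(raw)
    sub = data[key]
    if isinstance(sub, str):
        try:
            parsed = json.loads(sub)
        except ValueError:
            parsed = None
        if isinstance(parsed, dict):
            sub = parsed
    if not isinstance(sub, dict):
        return {prefix + key: sub if isinstance(sub, str) else json.dumps(sub)}
    return {prefix + k: v if isinstance(v, str) else json.dumps(v)
            for k, v in sub.items()}


def publish(outputs, output_file=None):
    """Mask each value in the job log, then append name=value lines to
    $GITHUB_OUTPUT (or `output_file`); returns the number written."""
    path = output_file or os.environ.get("GITHUB_OUTPUT")
    for value in outputs.values():
        print(f"::add-mask::{value}")
    if path:
        with open(path, "a", encoding="utf-8") as fh:
            for name, value in outputs.items():
                # multi-line values must use the heredoc form of GITHUB_OUTPUT
                line = f"{name}<<__EOF__\n{value}\n__EOF__" if "\n" in value else f"{name}={value}"
                fh.write(line + "\n")
    return len(outputs)


if __name__ == "__main__":
    publish(secret_outputs(os.environ.get("AAD_JSON", SAMPLE_RESPONSE), prefix="aad_"))
```

In a workflow, run this in the step after the fetch and pass the `aad` output in through `env:` rather than splicing it into the script; later steps then read `steps.<id>.outputs.aad_appId` and friends.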

Fetching private key from static secret fails (line 2: ***: No such file or directory Error: Process completed with exit code 127.)

Hi there,
I have been trying to extract a static secret which was made of an RSA private key, but my git pipeline can't seem to read it properly

Run echo ***
  echo ***
  ***
  ***
  ***
  ***
  ***
  ***
  ***
  ***
  ***
  *** | base64 -d >> rsa.pem      
  echo '***' | jq -r 'to_entries|map("JWT_\(.key)=\(.value|tostring)")|.[]' >> $GITHUB_ENV          
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    MY_RSA: ***
    MYSQL_DYNAMIC_SECRET: ***
    token: ***
***
/home/runner/work/_temp/e58e94d7-f3f9-417c-a22d-937e8b10a517.sh: line 2: ***: No such file or directory
Error: Process completed with exit code 127.
  • It's like GitHub runner is not showing the proper format of the content even with base64 -d command.
  • You can find the workflow here:
    and here is a little snippet of the secret fetch section:
          static-secrets: |
            - name: "/MyVault/DBs/OCI_RSA"
              output-name: "MY_RSA"
          dynamic-secrets: |
            - name: "/MyVault/DBs/MySQLDynamicSecret"
              output-name: "MYSQL_DYNAMIC_SECRET"
          # static-secrets: '{"/MyVault/DBs/OCI_RSA":"MY_RSA"}'
          # dynamic-secrets: '{"/MyVault/DBs/MySQLDynamicSecret":"MYSQL_DYNAMIC_SECRET"}'

      - name: Create PEM File & Export Dynamic Secret to Environment
        run: |
          echo ${{ steps.fetch-secrets.outputs.MY_RSA }} | base64 -d >> rsa.pem
          echo '${{ steps.fetch-secrets.outputs.MYSQL_DYNAMIC_SECRET }}' | jq -r 'to_entries|map("JWT_\(.key)=\(.value|tostring)")|.[]' >> $GITHUB_ENV
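The masked log above shows the secret expanding into a run of separate script lines, which is what an unquoted `echo ${{ ... }}` does to a raw multi-line PEM before `base64 -d` ever sees it. As an added example (not from the issue or the action), the helper below takes the secret from an environment variable instead, accepts either raw or base64-wrapped PEM, and writes the file with owner-only permissions; the names `normalize_pem` and `write_key_file`, the `MY_RSA` variable and the fake key are assumptions.

```python
import base64
import binascii
import os

PEM_BEGIN = "-----BEGIN "

# Constructed sample: a PEM-shaped value that is NOT a real key, in the raw
# multi-line form a static secret holding a key file would come back in.
SAMPLE_RAW_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                  "MIIBfakeLine0/notARealKey\n"
                  "MIIBfakeLine1/notARealKey\n"
                  "-----END RSA PRIVATE KEY-----\n")
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW_PEM.encode()).decode()


def normalize_pem(value):
    """Return PEM text whether the secret was stored raw or base64-wrapped
    (assumed helper name). A raw PEM must not be piped through `base64 -d`,
    and it must reach the step via an environment variable: an unquoted
    `echo ${{ ... }}` splices each key line into the script as its own shell
    line, which matches 'line 2: ***: No such file or directory' in the log."""
    text = value.strip()
    if text.startswith(PEM_BEGIN):
        return text + "\n"
    try:  # tolerate base64 that was wrapped onto several lines
        decoded = base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError("secret is neither PEM text nor base64-encoded PEM") from None
    if not decoded.lstrip().startswith(PEM_BEGIN):
        raise ValueError("base64 payload does not decode to a PEM block")
    return decoded.strip() + "\n"


def write_key_file(value, path):
    """Write the key with owner-only permissions; returns its line count."""
    pem = normalize_pem(value)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(pem)
    os.chmod(path, 0o600)  # in case the file already existed with a wider mode
    return pem.count("\n")


if __name__ == "__main__":
    # In the workflow: env: { MY_RSA: "${{ steps.fetch-secrets.outputs.MY_RSA }}" }
    write_key_file(os.environ.get("MY_RSA", SAMPLE_RAW_PEM), "rsa.pem")
```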
