Set AWS vars to empty string instead of error message #7

Closed
dogversioning opened this issue Feb 5, 2024 · 3 comments

@dogversioning

Heya! Thanks for forking this, I've been eyeing the clock with some amount of trepidation on this one.

I'm comparing these two stanzas - from the original action:

- name: Reset AWS Environment Variables
  shell: bash
  run: |
    echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
    echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
    echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

And from this action:

- name: Set AWS Environment Variables to fake values
  id: unset-env-vars
  if: inputs.only-profile
  shell: bash
  run: |
    echo "Setting dummy AWS Environment Variables"
    echo AWS_SECRET_ACCESS_KEY="No value here, please use the profile as \"aws --profile ${{ inputs.profile }} <command>\"" >> $GITHUB_ENV
    echo AWS_ACCESS_KEY_ID="No value here, please use the profile as \"aws --profile ${{ inputs.profile }} <command>\""     >> $GITHUB_ENV
    echo AWS_SESSION_TOKEN="No value here, please use the profile as \"aws --profile ${{ inputs.profile }} <command>\""     >> $GITHUB_ENV

I've been relying on the former implementation for two reasons:

  • In our application, we assume our userbase will not be familiar with the AWS CLI, so we enter a fallback chain following the AWS precedence guide - since the environment variables hit next, they are getting picked up before other methods.
  • We're not providing the AWS credentials directly as inputs to the action - we're using GitHub's OpenID Connect to handle auth for us. I could work around this, but I think this is a valid secure use case, so it might be better to handle it here.

I didn't want to open a PR for this without checking first, in case there's some use case that I'm missing - but I think the empty variable case is better if you set only-profile to True, since from the AWS tooling infrastructure perspective, that gets evaluated as unset enough to go further down the list in checking things and then picks up the current active session.

@Moulick
Owner

Moulick commented Feb 16, 2024

Sorry, somehow GitHub has not emailed me that you opened this issue.

The problem with echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV is that it does not work. Unbeknownst to me that you opened this issue, I added a section in the readme about this right now as I also ran into another issue. Please check that out once.

@dogversioning
Author

Got it - that looks promising, I'll try it out next week

@Moulick
Owner

Moulick commented Feb 19, 2024

Closing as unfixable due to upstream limitations actions/runner#1126

@Moulick closed this as not planned Feb 19, 2024
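
A diagnostic that a later workflow step could run to see which of the states discussed in this thread (unset, empty, or the action's dummy text) each AWS variable is in, without echoing any value. This is an added example, not code from the action or from either commenter; the function names, PLACEHOLDER_PREFIX and AWS_CRED_VARS are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report the state of the AWS credential variables
# without ever printing their values.

# Start of the dummy text the "only-profile" step writes (taken from the
# stanza quoted in the issue). The constant name is an assumption.
PLACEHOLDER_PREFIX="No value here"

AWS_CRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN"

# aws_env_state NAME -> prints unset | empty | placeholder | set
aws_env_state() {
  name=$1
  # Only accept plain identifiers, because the name is passed to eval.
  case $name in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo invalid; return 2 ;;
  esac
  eval "is_set=\${$name+x}"   # "x" if the variable exists, even when empty
  eval "value=\${$name-}"
  if [ -z "$is_set" ]; then
    echo unset
  elif [ -z "$value" ]; then
    echo empty
  else
    case $value in
      "$PLACEHOLDER_PREFIX"*) echo placeholder ;;
      *) echo set ;;
    esac
  fi
}

# One line per variable, e.g. "AWS_SESSION_TOKEN=empty".
aws_env_report() {
  for v in $AWS_CRED_VARS; do
    printf '%s=%s\n' "$v" "$(aws_env_state "$v")"
  done
}

# Succeeds only if none of the variables holds a real-looking value.
aws_env_profile_only() {
  for v in $AWS_CRED_VARS; do
    [ "$(aws_env_state "$v")" != set ] || return 1
  done
  return 0
}

aws_env_report
```

The report distinguishes a variable that is exported but empty from one that is absent, which is the difference between the two stanzas compared in the issue.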