amazon-ecr-login
[Question] Unable to mask docker password
I'm currently using the `aws-actions/amazon-ecr-login` GitHub action to log in to ECR, and then using `appleboy/ssh-action@master` to SSH into a remote machine and run Docker Compose.
During the process, I need to pass Docker username and password as environment variables to the remote machine. This exposes these values in the GitHub Actions logs. Here is the relevant code snippet:
```yaml
- name: Handle secrets
  env:
    DOCKER_USERNAME: ${{ steps.login-ecr.outputs.docker_username_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
    DOCKER_PASSWORD: ${{ steps.login-ecr.outputs.docker_password_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
  run: |
    echo "::add-mask::$DOCKER_PASSWORD"
    echo "::add-mask::$DOCKER_USERNAME"
- name: SSH into Remote Server and Run Docker Compose
  uses: appleboy/ssh-action@master
  env:
    DOCKER_USERNAME: ${{ steps.login-ecr.outputs.docker_username_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
    DOCKER_PASSWORD: ${{ steps.login-ecr.outputs.docker_password_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
  with:
    host: ${{ secrets.REMOTE_HOST }}
    port: ${{ secrets.REMOTE_PORT }}
    username: ${{ secrets.REMOTE_USERNAME }}
    key: ${{ secrets.REMOTE_SSH_KEY }}
    passphrase: ${{ secrets.REMOTE_SSH_PASSPHRASE }}
    envs: DOCKER_USERNAME,DOCKER_PASSWORD
    script: |
      echo "::add-mask::$DOCKER_PASSWORD"
      echo "::add-mask::$DOCKER_USERNAME"
      echo $DOCKER_PASSWORD | docker login -u $DOCKER_USERNAME --password-stdin ${{ steps.login-ecr.outputs.registry }}
      docker-compose -f ~/docker-compose.yaml pull
```
Given #372, it's clear that it is not possible to mask these values from the user side. I tried to add `echo "::add-mask::"` to the secrets, but they are still visible when the `env` section is parsed.
How could this issue be solved? I need to avoid exposing the Docker username and password in the GitHub Actions logs while still being able to pass them as environment variables to the remote machine. Are there any alternative ways to handle this securely?
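One way to keep the password out of the job log, shown as an added example that is not part of the original question or the action's own documentation: the login action's `mask-password` input registers the mask inside the login step, before any later step's `env:` block is rendered. The `@v2` tag, the step name "Login to Amazon ECR" and the `ECR_REGISTRY` variable are assumptions; the step id, output name and SSH inputs are taken from the question.

```yaml
steps:
  - name: Login to Amazon ECR
    id: login-ecr
    uses: aws-actions/amazon-ecr-login@v2   # assumed release; must support mask-password
    with:
      # The action masks the password itself, so the value is already
      # registered with the runner when later steps print their env block.
      mask-password: 'true'

  # No separate "Handle secrets" step: a step's env block is written to the
  # log before its run script executes, so an add-mask issued inside that
  # same step comes too late for the values listed in its own env.

  - name: SSH into Remote Server and Run Docker Compose
    uses: appleboy/ssh-action@master
    env:
      DOCKER_PASSWORD: ${{ steps.login-ecr.outputs.docker_password_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
      ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}   # assumed variable name
    with:
      host: ${{ secrets.REMOTE_HOST }}
      port: ${{ secrets.REMOTE_PORT }}
      username: ${{ secrets.REMOTE_USERNAME }}
      key: ${{ secrets.REMOTE_SSH_KEY }}
      passphrase: ${{ secrets.REMOTE_SSH_PASSPHRASE }}
      envs: DOCKER_PASSWORD,ECR_REGISTRY
      script: |
        # The ECR Docker username is always the literal string AWS, so only
        # the password has to cross over to the remote host.
        printf '%s' "$DOCKER_PASSWORD" | docker login -u AWS --password-stdin "$ECR_REGISTRY"
        docker-compose -f ~/docker-compose.yaml pull
```

Masking only affects what the runner writes to the workflow log; the token still reaches the remote host as an environment variable for the duration of the SSH session.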