amazon-ecr-login

Passing ECR credentials to another job doesn't work

Open 1david5 opened this issue 2 years ago • 7 comments

Describe the bug
Using this action to output your Docker credentials for logging into ECR Private and then passing them to another job to run your private image as a service or container doesn't work. (This use case is described in the action documentation, in the Run an image as a service section.)

The credentials never make it to the second job because Actions skips them, throwing the warnings below, resulting in an empty repo, username, and password on the second job:

Skip output 'registry' since it may contain secret.
Skip output 'docker_username' since it may contain secret.
Skip output 'docker_password' since it may contain secret.

To Reproduce
Steps to reproduce the behavior:

  1. Configure two jobs as described in Run an image as a service.
  2. Run the action

Expected behavior
Being able to output ECR credentials and run a job on a container pulled from a private ECR.

Screenshots
[image]

Desktop (please complete the following information):

  • OS: ubuntu-latest

1david5 avatar Oct 18 '23 14:10 1david5

Could I see your workflow yml with all sensitive info redacted?

arjraman avatar Oct 18 '23 19:10 arjraman

name: "Linter & Test"

on:
  workflow_dispatch:

  pull_request:
    branches:
      - master
      - development
    types:
      - opened
      - edited
      - reopened
      - synchronize

jobs:
  login-to-amazon-ecr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    env:
      ENVIRONMENT: 'dev'
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        env:
          IAM_ROLE_ARN: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ env.ENVIRONMENT }}/${{ vars.NAMESPACE }}/${{ vars.SERVICE }}/${{ env.ENVIRONMENT }}-${{ vars.NAMESPACE }}-${{ vars.SERVICE }}-gh-action-role
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          role-to-assume: ${{ env.IAM_ROLE_ARN }}
          mask-aws-account-id: 'false'

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          mask-password: 'false'

      - name: print
        run: |
          echo "registry: ${{ steps.login-ecr.outputs.registry }}"
          echo "docker_username: ${{ format('steps.login-ecr.outputs.docker_username_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION) }}"
          echo "docker_password: ${{ format('steps.login-ecr.outputs.docker_password_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION) }}"

    outputs:
      registry: ${{ steps.login-ecr.outputs.registry }}
      docker_username: ${{ format('steps.login-ecr.outputs.docker_username_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION) }}
      docker_password: ${{ format('steps.login-ecr.outputs.docker_password_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION) }}

  lint:
    name: Lint
    needs: login-to-amazon-ecr
    runs-on: ubuntu-latest
    container:
      image: "${{ needs.login-to-amazon-ecr.outputs.registry }}/image_name:development"
      credentials:
        username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
        password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Ruby and gems
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2.2
          bundler-cache: true
      - name: Lint Ruby files
        run: bundle exec rubocop --parallel

1david5 avatar Oct 18 '23 23:10 1david5

Ah I see. The way GitHub actions marks secrets in logs is by checking every substring in the logs to see if they match any of the secret values. In your case, this is secrets.AWS_ACCOUNT_ID. Since the output value of registry will match secrets.AWS_ACCOUNT_ID, and the output names provided to docker_username and docker_password contain a substring that matches secrets.AWS_ACCOUNT_ID, all those outputs will be redacted. It's the reason why the example has mask-aws-account-id: 'false' set for the aws-actions/configure-aws-credentials@v4 action.

Does your print step print anything?

arjraman avatar Oct 19 '23 18:10 arjraman

Ah, thank you for the insight on this @arjraman.

It prints the registry with the account ID and region redacted.

Do you know if there is any way to work around this without hard-coding the AWS account ID in the workflow?

1david5 avatar Oct 19 '23 18:10 1david5

Not sure, I haven't tried to do so. I gave a possible solution in #464. Other related discussions can be found in #495 and #496.

Here's a doc from GitHub talking about it: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-masking-and-passing-a-secret-between-jobs-or-workflows. But it doesn't give any concrete way of doing so.

arjraman avatar Oct 19 '23 19:10 arjraman

@1david5 can you define AWS Account ID in actions 'environment variables' (next to secrets in actions configuration) because AWS Account IDs aren't considered secret?

kevcube avatar Nov 17 '23 19:11 kevcube
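A workflow that applies kevcube's suggestion, as an added example that is not part of this thread or of the action's own documentation: the account ID and region come from repository variables (`vars.AWS_ACCOUNT_ID` and `vars.AWS_REGION`, assumed names) instead of secrets, so the masker has no secret value to match inside the registry host and the job outputs survive. It also reads the per-registry `docker_username_<registry>` / `docker_password_<registry>` outputs by key from `toJSON(steps.login-ecr.outputs)` with `jq` instead of building the key with `format()`, which in the workflow above only produces the literal string `steps.login-ecr.outputs.docker_username_…` rather than the output's value. The key derivation (every non-alphanumeric character of the registry host replaced by `_`) is assumed from the output name shown in the action's README example; the role name and image name are placeholders.

```yaml
name: "Linter & Test"

on:
  workflow_dispatch:
  pull_request:
    branches: [master, development]

jobs:
  login-to-amazon-ecr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Account ID and region are repository *variables*, not secrets (assumed names).
          # The account ID is not sensitive; the role's trust policy is what gates who may
          # assume it. Keeping it out of secrets means nothing in the registry host can
          # match a secret value, so the masker leaves the job outputs alone.
          aws-region: ${{ vars.AWS_REGION }}
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/gh-action-role  # placeholder role name
          mask-aws-account-id: 'false'

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          # Required for the password to leave this job as an output. The value is a
          # short-lived ECR authorization token; never echo it from a run step.
          mask-password: 'false'

      - name: Export ECR credentials as job outputs
        id: creds
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_OUTPUTS: ${{ toJSON(steps.login-ecr.outputs) }}
        run: |
          set -euo pipefail
          # The action names its credential outputs after the registry host with every
          # non-alphanumeric character replaced by '_', e.g.
          # docker_username_123456789012_dkr_ecr_us_east_1_amazonaws_com
          # (assumed from the README example). Deriving the key here avoids spelling
          # the account ID or region into the expression at all.
          key="${REGISTRY//[^A-Za-z0-9]/_}"
          username="$(jq -r --arg k "docker_username_${key}" '.[$k]' <<<"$ECR_OUTPUTS")"
          password="$(jq -r --arg k "docker_password_${key}" '.[$k]' <<<"$ECR_OUTPUTS")"
          if [ -z "$username" ] || [ "$username" = "null" ]; then
            echo "::error::no docker_username_${key} output from amazon-ecr-login"
            exit 1
          fi
          {
            echo "docker_username=${username}"
            echo "docker_password=${password}"
          } >> "$GITHUB_OUTPUT"

    outputs:
      registry: ${{ steps.login-ecr.outputs.registry }}
      docker_username: ${{ steps.creds.outputs.docker_username }}
      docker_password: ${{ steps.creds.outputs.docker_password }}

  lint:
    name: Lint
    needs: login-to-amazon-ecr
    runs-on: ubuntu-latest
    container:
      image: ${{ needs.login-to-amazon-ecr.outputs.registry }}/image_name:development  # placeholder image
      credentials:
        username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
        password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Ruby and gems
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2.2
          bundler-cache: true
      - name: Lint Ruby files
        run: bundle exec rubocop --parallel
```

Two points worth checking in your own run. First, `mask-aws-account-id: 'false'` on its own does nothing for this problem while the ID is still stored as a secret: as the maintainer explains above, the redaction that drops the outputs is driven by secret values, not by the action's own masking. Second, the `print` step from the original workflow is deliberately gone; with `mask-password: 'false'` the token would appear in the log in clear, and it is the ECR registry credential for as long as it is valid. `jq` is preinstalled on GitHub-hosted `ubuntu-latest` runners; on a self-hosted runner install it or read the output with the bracket form `steps.login-ecr.outputs[format(...)]` instead.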