aws-secretsmanager-get-secrets

Environment variables vs outputs

Open Danny-Smart opened this issue 2 years ago • 5 comments

Hi

In the readme, you mention that environment variables are available to all steps within a job and that we should work to prevent them from being exploited or misused by malicious actions.

Would this issue be negated if the get-secrets action wrote the secrets as outputs rather than environment variables? The secrets wouldn't be automatically available to other steps, but could be passed into them explicitly as required, by the job itself.

From a security point of view, this feels to me like the more secure option; is there another advantage that environment variables have over outputs that would prevent this from being done?

Danny-Smart, Jan 16 '23 17:01

Thanks for the feedback, we'll note this as an enhancement request.

jbct, Feb 02 '23 20:02

PR #36 or #37 implements this (they are equivalent, one contains the compiled files in dist and one doesn't)

Olfi01, May 12 '23 12:05

I really need this feature. For using a composite action, it would be nice if we can use outputs instead.

When this action is called twice, it causes the following error:

Error: The environment name 'KEY' is already in use. Please use an alias to ensure that each secret has a unique environment name.

int128, Feb 19 '24 01:02
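The scoping difference raised in the opening post, and the name collision from the last comment, shown as an added example that is not part of the thread or of the action's own code. It uses only the runner's generic `GITHUB_ENV` and `GITHUB_OUTPUT` files; the step ids, variable names and secret values are constructed, and no outputs interface of aws-secretsmanager-get-secrets is assumed.

```yaml
# Added illustration: step ids, names and values below are constructed.
name: env-vs-outputs
on: workflow_dispatch
jobs:
  demo:
    runs-on: ubuntu-latest
    steps:
      # Pattern A: job-wide environment variable.
      - name: Export via GITHUB_ENV
        run: |
          value="constructed-secret-value"
          echo "::add-mask::$value"      # mask the value in logs
          echo "DB_PASSWORD=$value" >> "$GITHUB_ENV"

      # Every later step inherits DB_PASSWORD, whether it needs it or not.
      - name: Unrelated step
        run: test -n "$DB_PASSWORD" && echo "DB_PASSWORD is visible here"

      # Pattern B: step output, namespaced by the step id.
      - name: Export via GITHUB_OUTPUT
        id: fetch_a
        run: |
          value="constructed-secret-value-a"
          echo "::add-mask::$value"      # outputs are not masked automatically
          echo "key=$value" >> "$GITHUB_OUTPUT"

      # Same output name under a different id: no "already in use" clash.
      - name: Export again
        id: fetch_b
        run: |
          value="constructed-secret-value-b"
          echo "::add-mask::$value"
          echo "key=$value" >> "$GITHUB_OUTPUT"

      # Receives neither output (DB_PASSWORD from pattern A is still in
      # its environment, which is the exposure the issue is about).
      - name: Step without the secret
        run: echo "no output was mapped into this step"

      # Only this step gets fetch_a's value, through an explicit mapping.
      - name: Step that needs the secret
        env:
          KEY: ${{ steps.fetch_a.outputs.key }}
        run: test -n "$KEY" && echo "KEY passed explicitly"
```

A third-party action invoked with `uses:` cannot evaluate the calling workflow's `steps` context, so it sees an output only when the workflow passes it in through `with:` or `env:`.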