Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow unmasking of AWS_ACCESS_KEY_ID #1018

Closed
1 of 2 tasks
ktryniszewski-mdsol opened this issue Mar 4, 2024 · 1 comment
Closed
1 of 2 tasks

Allow unmasking of AWS_ACCESS_KEY_ID #1018

ktryniszewski-mdsol opened this issue Mar 4, 2024 · 1 comment
Assignees
@tim-finnigan
Labels
closed-for-staleness feature-request A feature should be added or improved.

Comments

@ktryniszewski-mdsol
Copy link

ktryniszewski-mdsol commented Mar 4, 2024
edited
Loading

Describe the feature

It would be beneficial to allow the caller to unmask the access key. I suppose this is similar request to the mask-aws-account-id feature.

This would allow users to pass outputs in github action jobs/steps that may include the access key. Example: It is included in signed urls.

From my understanding AWS_ACCESS_KEY_ID isn't sensitive information and is akin to a username?

Use Case

I've noticed that the action sets the credentials in env vars and the AWS_ACCESS_KEY_ID is set as a secret.

I run into issues afterwards when I generate a signed url and then try to pass that output from a job/step into another job.

Github then never passes the output because the signed url contains the AWS_ACCESS_KEY_ID in it with a warning

Skip output 'signedUrl' since it may contain secret.

I know a proposed workaround is probably to just generate the signed url in the job/step you will need to use it in.

However this is problematic, because if you are trying to use an action that just consumes the value as a parameter, you do not have that option.

Even if you write the signed url to a file, you would need a step before to cat it into a variable and then pass it to the next step (which again you'd run into the same issue)

Proposed Solution

mask-aws-access-key: 'false | true'

can be true by default

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@ktryniszewski-mdsol ktryniszewski-mdsol added feature-request A feature should be added or improved. needs-triage This issue still needs to be triaged labels Mar 4, 2024
@tim-finnigan tim-finnigan self-assigned this Mar 4, 2024
@tim-finnigan
Copy link
Contributor

Hi @ktryniszewski-mdsol thanks for reaching out. Per the IAM documentation:

Manage your access keys securely. Do not provide your access keys to unauthorized parties, even to help find your account identifiers. By doing this, you might give someone permanent access to your account.

So the recommendation is to store both the access key ID and secret access key in a secure location. But, similar to #494, you could hard code the access key in your action if you don't want it to be masked.

@tim-finnigan tim-finnigan added closing-soon This issue will automatically close in 2 days unless further comments are made. and removed needs-triage This issue still needs to be triaged labels Mar 4, 2024
@github-actions github-actions bot added closed-for-staleness and removed closing-soon This issue will automatically close in 2 days unless further comments are made. labels Mar 7, 2024
@github-actions github-actions bot closed this as completed Mar 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tim-finnigan tim-finnigan

Labels
closed-for-staleness feature-request A feature should be added or improved.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ktryniszewski-mdsol @tim-finnigan