Accessing secrets by index using an environment variable

Hi all!

At this moment I am creating a pipeline in which I would like to achieve the following:

  • Set an environment variable based on a certain condition

  • Use that environment variable to access a certain secret which I have defined (in this case PROD)

To make this more clear, I added a code snippet:

- name: Set env to production
  if: endsWith(github.ref, '/master')
  run: |
    echo "::set-env name=ENVIRONMENT::PROD"

- run: echo ${{ secrets[$ENVIRONMENT] }}

So based on the set environment variable I would like to access: secrets.PROD

I used: https://help.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions as a reference. Any help or direction would be appreciated!

I’m not sure whether that is possible. I use something similar in one of my workflows (see here).

I believe environment variables are referenced in a different way than you’re doing, since this is about environment variables between different steps. You should use “env.ENVIRONMENT” to reference an environment variable.

The following example should echo “PROD”

- name: Set env to production
  if: endsWith(github.ref, '/master')
  run: |
    echo "::set-env name=ENVIRONMENT::PROD"
- run: echo ${{ env.ENVIRONMENT }}

Note that you could use bash in a step to selectively get an environment variable (also see my workflow for bash in a “run” step).

Hope this helps any.

Hi @nilsdebruin,  

Accessing secrets by index using an environment variable is not supported.
As a workaround, you could add another step with an if conditional for non-production. And you could use secrets.PROD directly when setting a step environment variable.

name: get secrets variable name from another env
on: push
jobs:
  get-secret:
    runs-on: ubuntu-latest
    steps:
    - name: Set env to production
      if: endsWith(github.ref, '/master')
      run: echo $environment
      env:
        environment: ${{secrets.PROD}}
    - name: Set env to non production
      if: "!endsWith(github.ref, '/master')"
      run: echo $environment
      env:
        environment: ${{secrets.TEST}}

Hi all,

Thanks for the replies! I have now come up with the following solution (which works, but does not feel DRY):

- name: Set env to staging
  if: endsWith(github.ref, '/develop')
  run: |
    echo "::set-env name=ENVIRONMENT::develop"
    echo "::set-env name=ENV_FILE::env.develop"
    echo "::set-env name=AWS_ACCESS_KEY_ID::${{ secrets.DEVELOP_AWS_ACCESS_KEY_ID }}"
    echo "::set-env name=AWS_SECRET_ACCESS_KEY::${{ secrets.DEVELOP_AWS_SECRET_ACCESS_KEY }}"
- name: Set env to production
  if: endsWith(github.ref, '/master')
  run: |
    echo "::set-env name=ENVIRONMENT::prod"
    echo "::set-env name=ENV_FILE::env.prod"
    echo "::set-env name=AWS_ACCESS_KEY_ID::${{ secrets.PROD_AWS_ACCESS_KEY_ID }}"
    echo "::set-env name=AWS_SECRET_ACCESS_KEY::${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}"

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}

This works for my use case, so thanks for your help and input!
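
Added example, not posted by anyone in the thread: a single-step variant of the final workflow that picks the secret with a conditional expression and passes it straight to the action's inputs, so no `run` step has to echo a secret into a workflow command (the `::set-env` command used above has since been disabled by GitHub in favour of appending to the `$GITHUB_ENV` file). The workflow name, the branch filter and the `aws-region` value are assumptions.

```yaml
# Added example, not code from the thread.
# Assumptions: workflow name, branch filter, and the aws-region placeholder.
name: deploy
on:
  push:
    branches: [master, develop]

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # Non-secret selectors only, so exposing them to every step is harmless.
      ENVIRONMENT: ${{ endsWith(github.ref, '/master') && 'prod' || 'develop' }}
      ENV_FILE: ${{ endsWith(github.ref, '/master') && 'env.prod' || 'env.develop' }}
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          # `cond && a || b` yields a only when cond is true AND a is non-empty.
          # An unset PROD secret evaluates to an empty string, so the expression
          # would fall through to the DEVELOP secret: confirm both sets exist.
          aws-access-key-id: ${{ endsWith(github.ref, '/master') && secrets.PROD_AWS_ACCESS_KEY_ID || secrets.DEVELOP_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ endsWith(github.ref, '/master') && secrets.PROD_AWS_SECRET_ACCESS_KEY || secrets.DEVELOP_AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1  # placeholder region (assumption)

      - name: Show selected environment
        # Only the non-secret selectors are printed here.
        run: echo "Deploying $ENVIRONMENT using $ENV_FILE"
```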