Skip output 'AWS_ACCOUNT_ID' since it may contain secret

Hi everyone

We’re using multiple “::set-output” statements in order to pass vars between jobs.

Previously everything worked perfectly, but since we’ve changed some vars’ values, we’re receiving the following warning:

The VAR doesn’t hold any secret value, so I have no problem with showing it, but we can’t use a GitHub secret instead as the value is dynamic.

How should we tell GitHub to stop treating those values as a secret?

Hi @jonathan-be21,

Glad to see you in the GitHub Community Forum!

This is by design. Once you change the secret’s value and it becomes part of the var value, the warning will happen. It’s done automatically by GitHub Actions and cannot be avoided.

As the doc mentioned:

Job outputs are strings, and job outputs containing expressions are evaluated on the runner at the end of each job. Outputs containing secrets are redacted on the runner and not sent to GitHub Actions.

Thanks

Hi @weide-zhou,

I wasn’t talking about using a GitHub secret. I’m using a simple env var that GitHub Actions thinks is a secret.

It’s not a secret value by any means (it’s just a long number actually).

Hi @jonathan-be21,

Thanks for your reply!

Sorry, I’m a little confused. Could you please provide sample code for further investigation?

If your var value is a long number, for example 123456789, and a secret (value set as 456) is used elsewhere in the workflow, the warning will happen. The job output cannot get the value.

I reproduced the error on my side:
My workflow file: https://github.com/weide-zhou/ticket13/actions/runs/176889434/workflow
Workflow run: https://github.com/weide-zhou/ticket13/runs/893614256?check_suite_focus=true#step:3:19

Thanks

@weide-zhou thank you for your help so far.

    jobs:
      build:
        runs-on: ubuntu-latest
        outputs:
          AWS_ACCOUNT_ID:      ${{ steps.retrieve_secrets.outputs.AWS_ACCOUNT_ID }}
          ECR_REPO_URI:        ${{ steps.retrieve_secrets.outputs.ECR }}

        steps:
          - name: "Checkout current repo"
            uses: actions/checkout@v2

          - name: "Configure AWS credentials"
            uses: aws-actions/configure-aws-credentials@v1

          - name: "Retrieve Secrets"
            id: retrieve_secrets
            shell: bash
            run: |
              # Get secrets
              aws secretsmanager get-secret-value --secret-id $SECRET > ENV_VARS.json
              echo "::set-output name=AWS_ACCOUNT_ID::$(cat ENV_VARS.json | jq -r '.AWS_ACCOUNT_ID')"
              echo "::set-output name=ECR::$(cat ENV_VARS.json | jq -r '.ECR')"

As you can see, I’ve never declared a secret but still receive the above error

Hi @jonathan-be21,

What’s displayed in the log for step “Retrieve Secrets”? Does it contain a star ‘*’, like below:
echo "::set-output name=AWS_ACCOUNT_ID::1212**3434

Are there any secrets elsewhere in your workflow? And how do you define $SECRET in the YAML?

Thanks

@weide-zhou no, the display shows only:
##[warning]Skip output ‘AWS_ACCOUNT_ID’ since it may contain secret

I’m working around it by setting a hardcoded GitHub secret, but even if it was a real secret such as a password (which isn’t the case), how else should I pass it between jobs?

I’m using multiple envs and secrets, this is the only env that fails with that error.

The $SECRET is a simple JSON:

    {
      "AWS_ACCOUNT_ID": "1234"
    }

Hi @jonathan-be21,

I cannot reproduce the issue, please check my workflow: https://github.com/weide-zhou/ticket13/runs/902090365?check_suite_focus=true

If the output in step Retrieve Secrets doesn’t contain a star *, it doesn’t contain the secrets, and the error will not happen.

Hence, could you please provide a sample repository for further investigation?

Thanks

@jonathan-be21 I got this issue, too.
But I found the root cause.

aws-actions/configure-aws-credentials@v1 will addMask for our AWS account ID.

You can use mask-aws-account-id: 'no' to avoid the issue.

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1
        mask-aws-account-id: 'no'
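The behaviour this thread converges on, as an added example (a simplified Python model, not the runner's or the action's own code): a job output is dropped when any registered mask value occurs anywhere inside it, which covers both an account ID masked by `configure-aws-credentials` and the `123456789` / `456` case described above. Function names and sample values are constructed for illustration.

```python
from __future__ import annotations

REDACTED = "***"


def redact(value: str, masks: set[str]) -> str:
    """Replace every occurrence of a registered mask value with ***."""
    # Longest masks first, so a short mask cannot split a longer one.
    for mask in sorted((m for m in masks if m), key=len, reverse=True):
        value = value.replace(mask, REDACTED)
    return value


def publish_outputs(outputs: dict[str, str], masks: set[str]):
    """Model of the end-of-job step: return (published outputs, warnings).

    An output is published only if redaction leaves it unchanged, i.e. it
    contains no masked value, not even as a substring.
    """
    published, warnings = {}, []
    for name, value in outputs.items():
        if redact(value, masks) == value:
            published[name] = value
        else:
            warnings.append(f"Skip output '{name}' since it may contain secret")
    return published, warnings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    outputs = {"AWS_ACCOUNT_ID": "123456789012", "BUILD_TAG": "v1.4.2"}

    # Default action behaviour: the account ID has been registered as a mask.
    print(publish_outputs(outputs, {"123456789012"}))

    # With mask-aws-account-id: 'no' the account ID is never registered.
    print(publish_outputs(outputs, set()))

    # Substring case from the thread: value 123456789, secret 456.
    print(publish_outputs({"LONG_NUMBER": "123456789"}, {"456"}))
```

The match is on the value, not on how the output was produced, so an output that was never read from a GitHub secret is still dropped if it happens to contain a masked string.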