Skip output 'AWS_ACCOUNT_ID' since it may contain secret

Hi everyone

We're using multiple "::set-output" statements to pass vars between jobs.

Previously everything worked perfectly, but since we changed some vars' values we've been receiving the following warning:

The var doesn't hold any secret value, so I have no problem with showing it, but we can't use a GitHub secret instead, as the value is dynamic.

How should we tell GitHub to stop treating those values as a secret?

3 Likes

Hi @jonathan-be21,

Glad to see you in the GitHub Community Forum!

This is by design. Once you change the secret's value and it becomes part of the var value, the warning will happen; it's automatic in GitHub Actions and cannot be avoided.

As the doc mentions:

Job outputs are strings, and job outputs containing expressions are evaluated on the runner at the end of each job. Outputs containing secrets are redacted on the runner and not sent to GitHub Actions.

Thanks

Hi @weide-zhou,

I wasn't talking about using a GitHub secret. I'm using a simple env var that GitHub Actions thinks is a secret.

It's not a secret value by any means (it's just a long number actually).

Hi @jonathan-be21,

Thanks for your reply!

Sorry, I'm a little confused; could you please provide sample code for further investigation?

If your var value is a long number, for example 123456789, and a secret (value set as 456) is used elsewhere in the workflow, the warning will happen and the job output cannot get the value.

I reproduced the error on my side:
My workflow file: https://github.com/weide-zhou/ticket13/actions/runs/176889434/workflow
Workflow run: https://github.com/weide-zhou/ticket13/runs/893614256?check_suite_focus=true#step:3:19

Thanks

@weide-zhou thank you for your help so far.

# Added so the fragment is a complete workflow; the original post starts at `jobs:`.
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    # Job-level outputs are what downstream jobs read via needs.build.outputs.*
    outputs:
      AWS_ACCOUNT_ID:      ${{ steps.retrieve_secrets.outputs.AWS_ACCOUNT_ID }}
      ECR_REPO_URI:        ${{ steps.retrieve_secrets.outputs.ECR }}

    steps:
      - name: "Checkout current repo"
        uses: actions/checkout@v2

      - name: "Configure AWS credentials"
        uses: aws-actions/configure-aws-credentials@v1
        # Inputs (aws-region, credentials or role) were omitted in the post;
        # the action needs them to run.

      - name: "Retrieve Secrets"
        id: retrieve_secrets
        shell: bash
        run: |
          # $SECRET is the Secrets Manager entry name (its definition is not shown in the post).
          # get-secret-value returns an envelope; the JSON payload is in SecretString,
          # so extract it before querying it with jq.
          aws secretsmanager get-secret-value --secret-id "$SECRET" \
            --query SecretString --output text > ENV_VARS.json
          echo "::set-output name=AWS_ACCOUNT_ID::$(jq -r '.AWS_ACCOUNT_ID' ENV_VARS.json)"
          echo "::set-output name=ECR::$(jq -r '.ECR' ENV_VARS.json)"

As you can see, I've never declared a secret but still receive the above error.

Hi @jonathan-be21,

What's displayed in the log for step "Retrieve Secrets"? Does it contain stars '*', like below?
echo "::set-output name=AWS_ACCOUNT_ID::1212**3434"

Are there any secrets elsewhere in your workflow? And how do you define $SECRET in the YAML?

Thanks

@weide-zhou no, the display shows only:
##[warning]Skip output 'AWS_ACCOUNT_ID' since it may contain secret

I'm working around it by setting a hardcoded GitHub secret, but even if it were a real secret such as a password (which isn't the case), how else should I pass it between jobs?

I'm using multiple envs and secrets; this is the only env that fails with that error.

The $SECRET is a simple JSON:
{
  "AWS_ACCOUNT_ID": "1234"
}

Hi @jonathan-be21,

I cannot reproduce the issue, please check my workflow: https://github.com/weide-zhou/ticket13/runs/902090365?check_suite_focus=true

If the output in step Retrieve Secrets doesn't contain a star *, that means it doesn't contain the secret, and the error will not happen.

Hence, could you please provide a sample repository for further investigation?

Thanks

@jonathan-be21 I got this issue too.
But I found the root cause.

aws-actions/configure-aws-credentials@v1 will addMask our AWS account ID.

You can use mask-aws-account-id: 'no' to avoid the issue.

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1
        # v1 registers the account ID as a masked value by default; opting out
        # stops the runner from dropping outputs that contain it
        mask-aws-account-id: 'no'
6 Likes
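A complete two-job workflow that applies the fix above, added here as an illustration; it is not code from this thread or from the aws-actions project. It assumes a repository variable `SECRET_ID` naming the Secrets Manager entry (whose SecretString is a JSON object with `AWS_ACCOUNT_ID` and `ECR` keys, as in the original post), repository secrets `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, and a `deploy` job that consumes the values. The step writes to `$GITHUB_OUTPUT`, which replaced the deprecated `::set-output` command. It also covers the Docker Hub case later in the thread: a non-secret identity such as a registry username (assumed here as the repository variable `DOCKERHUB_USERNAME`) belongs in `vars.*`, not `secrets.*`, so the runner never registers it as a mask and never strips it out of an image reference.

```yaml
name: build-and-deploy
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      aws_account_id: ${{ steps.retrieve.outputs.aws_account_id }}
      ecr_repo_uri:   ${{ steps.retrieve.outputs.ecr_repo_uri }}
      image:          ${{ steps.retrieve.outputs.image }}
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
          # Without this the action registers the account ID with ::add-mask::,
          # and any job output containing it is dropped with "may contain secret".
          mask-aws-account-id: 'no'

      - name: Retrieve non-secret settings
        id: retrieve
        shell: bash
        env:
          # Assumed: repository variable holding the Secrets Manager entry name.
          SECRET_ID: ${{ vars.SECRET_ID }}
          # Assumed: Docker Hub username kept as a variable, not a secret, so the
          # runner never masks it inside an image reference.
          DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
        run: |
          set -euo pipefail
          # Keep the JSON payload in a variable rather than a file in the workspace.
          payload="$(aws secretsmanager get-secret-value \
                       --secret-id "$SECRET_ID" \
                       --query SecretString --output text)"
          account_id="$(jq -r '.AWS_ACCOUNT_ID' <<<"$payload")"
          ecr="$(jq -r '.ECR' <<<"$payload")"
          # $GITHUB_OUTPUT replaces the deprecated ::set-output command.
          {
            echo "aws_account_id=$account_id"
            echo "ecr_repo_uri=$ecr"
            echo "image=${DOCKERHUB_USERNAME}/sub2conf:${GITHUB_SHA}"
          } >> "$GITHUB_OUTPUT"

  deploy:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Use the values from the build job
        env:
          AWS_ACCOUNT_ID: ${{ needs.build.outputs.aws_account_id }}
          ECR_REPO_URI:   ${{ needs.build.outputs.ecr_repo_uri }}
          IMAGE:          ${{ needs.build.outputs.image }}
        run: |
          # A masked output arrives as an empty string; fail loudly instead of
          # deploying with a blank account ID.
          if [ -z "$AWS_ACCOUNT_ID" ]; then
            echo "aws_account_id was not passed; check whether it was masked" >&2
            exit 1
          fi
          # Anything genuinely secret should be re-read from the secret store
          # here, not carried across jobs as an output.
          echo "deploying $IMAGE to $ECR_REPO_URI in account $AWS_ACCOUNT_ID"
```

The empty-string check in `deploy` is the symptom to look for: the runner does not fail the job when it skips an output, it only logs the warning in the producing job, so a downstream job silently sees `""`.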

Hi folks, I got this problem too, and my output has nothing to do with AWS or any kind of secret.

The result I got is: Warning: Skip output 'images' since it may contain secret. And I cannot access the value from downstream jobs.

Hi @weide-zhou, I saw you asked a question:

What's displayed in the log for step "Retrieve Secrets"? Does it contain a star '*'?

The answer in my case is YES.
The log looks like this:

echo "::set-output name=images::***/sub2conf:2349712309847"

And actually the value I set for images is not a secret; the full value I gave is 94xychen/sub2conf:2349712309847

I guess this is because GitHub wrongly detected it as a secret, and I did not find any way to disable that functionality on either Google or Stack Overflow.

Am I missing something? Any hints you can provide?

For more informations:
Here is the example


Alright, I guess I found the issue.

The value 94xychen was detected as a secret and masked because it is exactly the same as one of my repo-level secrets.

That is my Docker Hub username; I put it into my repo-level secrets along with the Docker Hub token.

I cannot tell whether this is a good idea or not; I just thought this mechanism may expose secrets.

Anyway, I have changed my implementation from using GitHub outputs to using the artifacts action, which makes more sense in my case.

1 Like

Thank you so much for this. The mask-aws-account-id input is not documented in the current version of aws-actions/configure-aws-credentials so I spent hours trying to first figure out why my output kept reading as an empty string and then figure out how the heck to make this non-secret that github thinks is a secret to be passed as an output. Such a frustrating issue!

Thanks for sharing! Have you worked around this somehow?

Yes, for me. Because the value that was masked is not really a secret, I just removed it from GitHub Secrets and put it into the repo directly.

I’ve opened an issue on the configure-aws-credentials repo to request that this be documented