Hi @jonathan-be21,

Glad to see you in Github Community Forum!

This is by designed. Once you change the secrets value and it becomes part of the var value, the warning will happen, it’s automatically by github action and cannot be avoided.

As the doc mentioned:

Job outputs are strings, and job outputs containing expressions are evaluated on the runner at the end of each job. Outputs containing secrets are redacted on the runner and not sent to GitHub Actions .

Thanks

Hi @weide-zhou,

i wasn’t talking about using a github secret. i’m using a simple env var that github actions thinks it’s a secret.

it’s not a secret value by any mean (it’s just a long number actually)

Hi @jonathan-be21,

Thanks for your reply!

Sorry i’m a little confused, could you please provide a sample code for further investigation?

If your var value is a long number, for example: 123456789, and using a secret (value set as 456) other place in the workflow, the warning will happen. The job output cannot get the value.

I repro the error on my side:
My workflow file: https://github.com/weide-zhou/ticket13/actions/runs/176889434/workflow
Workflow run: https://github.com/weide-zhou/ticket13/runs/893614256?check_suite_focus=true#step:3:19

Thanks

@weide-zhou thank you for your help so far.

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      AWS_ACCOUNT_ID:      ${{ steps.retrieve_secrets.outputs.AWS_ACCOUNT_ID }}
      ECR_REPO_URI:        ${{ steps.retrieve_secrets.outputs.ECR }}        
steps:      
  - name: "Checkout current repo"
    uses: actions/checkout@v2

  - name: "Configure AWS credentials"
    uses: aws-actions/configure-aws-credentials@v1

  - name: "Retrieve Secrets"
    id: retrieve_secrets
    shell: bash        
    run: |
      # Get secrets
      aws secretsmanager get-secret-value --secret-id $SECRET > ENV_VARS.json
      echo "::set-output name=AWS_ACCOUNT_ID::$(cat ENV_VARS.json | jq -r '.AWS_ACCOUNT_ID')"
      echo "::set-output name=ECR::$(cat ENV_VARS.json | jq -r '.ECR')"

As you can see, I’ve never declared a secret but still receive the above error

Hi @jonathan-be21,

What’s display in the log for step “Retrieve Secrets”? Does it contain star ‘*’? like below:
echo "::set-output name=AWS_ACCOUNT_ID::1212**3434

Is there any secrets in your workflow other places? And how you define $SECRET in the yaml?

Thanks

@weide-zhou no, the display shows only:
##[warning]Skip output ‘AWS_ACCOUNT_ID’ since it may contain secret

I’m working around it by setting an hardcoded github secret, but even if it was a real secret such as password (which isn’t the case), how else should i pass it between jobs?

I’m using multiple envs and secrets, this is the only env that fails with that error.

the $SECRET is a simple json:
{
“AWS_ACCOUNT_ID”:“1234”
}

Hi @jonathan-be21,

I cannot reproduce the issue, please check my workflow: https://github.com/weide-zhou/ticket13/runs/902090365?check_suite_focus=true

If the output in step Retrieve Secrets doesn’t contain star *, which means it doesn’t contain the secrets. And the error will not happen.

Hence, could you please provide a sample repository for futher investigation?

Thanks

Hi Folks, I got this problem too. And my output has nothing related to the AWS as well as any kind of secrets.

The result I got is: Warning: Skip output 'images' since it may contain secret. and I cannot access the value from downstream jobs.

Hi @weide-zhou, I saw you asked a question:

What’s display in the log for step “Retrieve Secrets”? Does it contain star ‘*’.

The answer in my case is YES.
The log looks like this:

echo "::set-output name=images::***/sub2conf:2349712309847"

And actually the value I set to the images is not a secret, the full value I gave is 94xychen/sub2conf:2349712309847

I guess this is because github detected it as secret by wrong, and I did not found any way to disable that functionality from both google and stackoverflow.

Am I missed something? Any hints you can provide?

For more informations:
Here is the example

Alright, I guess I found the issue.

The value 94xychen been detected as a secret and been masked is because that it is the exactly same value with one of my repo level secret.

That is my docker-hub username, I putted it into my repo level secrets along with the docker-hub token.

I cannot tell whether this is a good idea or not, I just thought this mechanism may exposure secrets.

Anyway, I have changed my implementation from utilizing github output to use artifacts action, that make more sense in my case.

configure-aws-credentials

Thank you so much for this. The mask-aws-account-id input is not documented in the current version of aws-actions/configure-aws-credentials so I spent hours trying to first figure out why my output kept reading as an empty string and then figure out how the heck to make this non-secret that github thinks is a secret to be passed as an output. Such a frustrating issue!

Thanks for sharing! Have you worked around this somehow?

Yes, for me. Because the value that been masked is not really a secrete, So I just removed it from Github Secretes and putted it into repo directly.

I’ve opened an issue on the configure-aws-credentials repo to request that this be documented

aws-actions/configure-aws-credentials

This was also a solution for me, I’ve verified @bob-bins in that no documentation is found on the readme. I have posted this quickly as suggestion to another README.md pull request on the repo.

  <a href="https://github.com/aws-actions/configure-aws-credentials/pull/430" target="_blank" rel="noopener nofollow ugc">github.com/aws-actions/configure-aws-credentials</a>

<div class="branches">
  <code>aws-actions:master</code> ← <code>liwadman:master</code>
</div>

<div class="github-info">
  <div class="date">
    opened <span class="discourse-local-date" data-format="ll" data-date="2022-04-26" data-time="22:53:30" data-timezone="UTC">10:53PM - 26 Apr 22 UTC</span>
  </div>

  <div class="user">
    <a href="https://github.com/liwadman" target="_blank" rel="noopener nofollow ugc">
      <img alt="liwadman" src="https://user-images.githubusercontent.com/9538357/181098990-3f759dc4-f1f2-45c6-85d2-5ae638abd383.png" class="onebox-avatar-inline" width="20" height="20">
      liwadman
    </a>
  </div>

  <div class="lines" title="1 commits changed 1 files with 2 additions and 1 deletions">
    <a href="https://github.com/aws-actions/configure-aws-credentials/pull/430/files" target="_blank" rel="noopener nofollow ugc">
      <span class="added">+2</span>
      <span class="removed">-1</span>
    </a>
  </div>
</div>

Many pull requests are open, not sure how active BDFL is.