Copilot Lvl 2
Message 1 of 6

When are secrets not usable?

I had a test pipeline that looked like this:

name: staging
on:
  pull_request:
    branches:
      - staging
  push:
    branches:
      - staging

env:
  TEST: ONE

jobs:

  plan:
    name: Run terraform plan
    runs-on: ubuntu-latest
    container:
      image: hashicorp/terraform:light
      env:
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Run plan
        run: |
          cd environments/staging
          terraform plan

And every run would fail with the error message of

Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.AWS_SECRET_ACCESS_KEY

When I moved the env vars like such:

name: staging
on:
  pull_request:
    branches:
      - staging
  push:
    branches:
      - staging

env:
  TEST: ONE

jobs:

  plan:
    name: Run terraform plan
    runs-on: ubuntu-latest
    container:
      image: hashicorp/terraform:light

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Run plan
        run: |
          cd environments/staging
          terraform plan
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

It ran just fine.

Which means the secrets context cannot be used everywhere. Are secrets only usable after a checkout step? Or are they not usable in the container block?

I couldn't find anything on this in the docs.

5 Replies
GitHub Partner
Message 2 of 6

Re: When are secrets not usable?

Hi @lijok ,

Thank you for reaching out! I checked on my side: I used a PAT as a secret and put it as env at the top level, job level, and step level; all could be passed into the workflow for a git push operation.

Hence, it looks like the secrets context is only not parsed for container.

I will raise an internal ticket to confirm whether it's a bug or by design. I will update once there's a response!

Thanks.

GitHub Partner
Message 3 of 6

Re: When are secrets not usable?

Hi @lijok ,

Confirmed with GitHub: it could be a bug that the image env doesn't recognise secrets. As an alternative, you can set the secrets as env at the top level, job level, or step level. Code as below:

jobs:
  plan:
    env:
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    name: Run terraform plan
    runs-on: ubuntu-latest
    container:
      image: hashicorp/terraform:light

Thanks.
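As an added example (not code from the thread or from GitHub), a small Python check that lists where `${{ secrets.* }}` references sit in a workflow and flags the `jobs.<id>.container.env` placement that failed here. The workflow text is constructed, and nesting is tracked by indentation rather than with a YAML library.

```python
import re
from typing import List, Tuple

# Constructed sample: the poster's failing layout (secrets under container.env)
# plus one step-level secret that worked; not the thread's exact file.
WORKFLOW = """\
jobs:
  plan:
    runs-on: ubuntu-latest
    container:
      image: hashicorp/terraform:light
      env:
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    steps:
      - name: Run plan
        run: terraform plan
        env:
          TF_TOKEN: ${{ secrets.TF_TOKEN }}
"""

KEY_RE = re.compile(r"^(\s*)(- )?([A-Za-z_][\w-]*):(?:\s|$)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([\w-]+)")
CONTAINER_ENV = re.compile(r"^jobs\.[\w-]+\.container\.env\.")


def secret_paths(text: str) -> List[Tuple[str, str]]:
    """Return (dotted key path, secret name) for every `${{ secrets.X }}` value.
    Nesting is tracked by indentation only: fine for plain workflow mappings,
    not a full YAML parser (a `run: |` body containing `key:` would confuse it)."""
    stack: List[Tuple[int, str]] = []  # (indent, key) of the enclosing mappings
    found: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        # A "- key:" list item nests two columns deeper than its dash.
        indent = len(m.group(1)) + (2 if m.group(2) else 0)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group(3)))
        s = SECRET_RE.search(line)
        if s:
            found.append((".".join(k for _, k in stack), s.group(1)))
    return found


def misplaced_secrets(text: str) -> List[str]:
    """Paths of secret references under jobs.<id>.container.env, the placement
    that failed with 'Unrecognized named-value: secrets' in this thread."""
    return [path for path, _ in secret_paths(text) if CONTAINER_ENV.match(path)]
```

Running `misplaced_secrets(WORKFLOW)` reports the two AWS keys under `jobs.plan.container.env` and nothing for the step-level `TF_TOKEN`, matching what the thread observed.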

Pilot Lvl 1
Message 4 of 6

Re: When are secrets not usable?

TLDR: Thanks for bringing this up. We will add support. In general the secrets context is available for any expressions that execute on the runner.

In the past, the expressions within the container section of the YAML were evaluated on the server. That has since moved to be evaluated on the runner side. Validation just needs to be relaxed now.

Copilot Lvl 2
Message 5 of 6

Re: When are secrets not usable?

Thanks, Eric.

Is there some way to track when this fix is released?

Pilot Lvl 1
Message 6 of 6

Re: When are secrets not usable?

Looks like the runner needs a similar change @TingluoHuang :)

I tracked down the server-side commit and it is in production already.