I have a private key stored in file and retrieving content to authenticate using salesforce JWT in GitHub actions ,now I want to store the key in azure secrets and retrieve into GitHub actions
I have created multiline secret as:
az keyvault secret set --vault-name "mySecretVault" --name "SecretKey" --file "./Actions/workflow/secret.key"
Secret got created and in GitHub actions, an error is thrown while retrieving secret as:
- uses: Azure/login#v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
allow-no-subscriptions: true
- uses: Azure/get-keyvault-secrets#v1
with:
keyvault: "mySecretVault"
secrets: "SecretKey"
id: myGetSecretAction
Error:
ParserError: /home/runner/work/_temp/22683ae6ac8264a89.ps1:1
24Line |
25 |+DL…..
26 | ~
27 | Missing expression after unary operator '+'.
Since the default encoding is UTF-8, I have also tried creating secret using ASCII encoding, but same error. There are also other single line secrets, they are working fine.
How to retrieve multiline secret from Azure key vault into GitHub actions?
Related
Within Azure DevOps, my pipeline emits the error:
##[error]Get secrets failed. Error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired..
I am fetching other values, without fault from key vault and verified my service principal has the right permissions to read from key vault as that is where the sas token is deployed.
In fact the service principal is dynamically created via terraform and has no set expiration so that ruiles out that root cause.
I checked within Azure Key Vault and showed the sas-token secret to verify it is being pulled correctly.
The code block within my azurepipeline YAML file, reads the token as an environment variable:
# Init
- task: TerraformCLI#0
displayName: Initialize Terraform
env:
# using interpolation to reference sas secret environment variable being pulled from the key vault
ARM_SAS_TOKEN: $(sas_token)
inputs:
command: init
# workind directory points to the context within which the command above is ran
workingDirectory: $(System.DefaultWorkingDirectory)/ned-cloud-tutorial/vnet
# configuring the backend, sotrage account, container name and key.
commandOptions: -backend-config=storage_account_name=$(storageaccount) -backend-config=container_name=$(container_name) -backend-config=key=$(key)
backendType: selfConfigured
I am more than happy to share more code if additional informaiton is needed as this is a very particular question and I have had no luck on stackoverflow and general google queries. Any help would be appreciated.
Thanks in advance!
Is it possible to create a token for API_TOKEN_GITHUB on the github action workflow instead of storing it in secrets?
- name: Create pull request
uses: paygoc6/action-pull-request-another-repo#v1.0.1
# https://github.com/paygoc6/action-pull-request-another-repo/blob/main/action.yml
env:
API_TOKEN_GITHUB: ${{ secrets.DEPLOY_PERSONAL_TOKEN }}
I have tried to replace the API_TOKEN_GITHUB with ssh public/private token but the action does not accept
I have created a GCP service account having the roles/storageAdmin role.
I have tested it locally as follows:
$ gcloud auth activate-service-account --key-file=myfile.json
$ gcloud auth configure-docker
$ docker push gcr.io/my-project-id/echoserver:1.0.1
I then create a repo-level secret with the contents of this file named GCR_SECRET and run the following action
- name: build and push to staging gcr
id: stg_img_build
uses: RafikFarhad/push-to-gcr-github-action#v4
with:
gcloud_service_key: ${{ secrets.GCR_SECRET }}
registry: gcr.io
project_id: $STAGING_GCR_PROJECT
image_name: ${{ github.event.inputs.image_name }}
image_tag: ${{ github.event.inputs.image_tag }}
This fails as follows:
Error response from daemon: Get "https://gcr.io/v2/": unknown: Unable to parse json key.
What could be causing this?
I encourage you to consider Workload Identity Federation as this will enable you to federate auth using a Google Service Account to GitHub Actions.
See Enabling keyless auth from GitHub Actions.
If you want to use RafikFarhad/push-to-gcr-github-action, note the requirement to base64 encode the key before persisting it to the repo.
Is there any way to fetch github secret value and display in workflow or fetch through library or APi or even github portal once it is stored.
I just want to validate.
Github Actions replaces secret values in the log, so if you want to view the secret you must change its value first. Like this step:
- name: DISPLAY SECRETS
run: echo ${{secrets.mysecret}} | sed 's/./& /g'
This will insert a space between each character of the secret, allowing you to see its value.
There is no way to actually display the github secret value but there are ways to validate eg you can use if: {{secret_name}} == 'release' , then do this else do that.
Reference for writing if condition in github workflow: https://github.blog/changelog/2019-10-01-github-actions-new-workflow-syntax-features/
Currently I have the following code:
name: Build-All
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build-linux-64:
name: ${{ matrix.config.name }} Build
runs-on: ${{ matrix.config.os }}
strategy:
fail-fast: true
matrix:
config:
- os: ubuntu-latest
name: Ubuntu 64
other_linker_flags: '-m64'
arch: x86_64
output: myLib.so
steps:
- name: Make fake file
run: |
echo "hello" > ${{ github.workspace }}/test.txt
- name: Uploading Release
uses: ollydev/upload-release-action#master
with:
repo_token: XXXXXXXXX
file: '${{ github.workspace }}/test.txt'
asset_name: "test"
tag: autobuild
owner: '${{ github.repo.owner }}'
repo: 'B'
overwrite: true
and two repos: A and B.
Repo A has the above yml jobs and it is a private repo. It has all the code, compiles it, and wants to push the release to repo B which is public.
To do this, I created a new github account My-CI and I added it to both the private repo and the public repo. On that new account, I then created a Personal access token with scope: public_repo
and that's it. The code works.. but is there a way to NOT have to create a separate account just to give it access as a CI to both repos? IE: Is there a way that I can create a token on my real account that is read-only for one repo and read-write for another? OR maybe create a github app token or something that can only upload releases for the one repo (B)?
As you've implied, you can't limit the scope of a personal access token to different scopes for different repos. Theres a few ways of doing this.
Intermediate, public storage
The first is to upload the artifacts to an intermediate place, accessible from anywhere, e.g. Dropbox, Docker Hub, etc. Then you can manually trigger a github action in your public repo to pull this artifact back down and create a release from it. To manually trigger this action you could use the repository_dispatch event either using cURL / postman locally (with an access token auth bearer) or using something like https://www.actionspanel.app/ which is a github app which allows you to manually trigger github actions using repository_dispatch, with parameters so your download link would be a parameter.
Personal access token
The simplest option is still a personal access token though. Your workflow above has repo_token: XXXXXXXXX which makes me wonder if you know about github secrets? Ideally this token would be stored in a secret then accessed using ${{ secrets.BRANDONS_TOKEN }}. I would ask why you are worried about a personal access token. If you use github secrets and are careful about the 3rd party code you pass the token to (you may not want to simply pass your token to #master, for example), it should be fine.
GitHub Apps & Webhooks
GitHub apps or webhooks would be another way, you can authenticate those on a per-person basis and per-repo basis but you'd need an application running online to receive and parse the messages and its quite a big piece of work.
(Probably not) GitHub Deploy Keys
Another thing to be aware of is Github Deploy Keys, you can use these to obtain read/write access to a single repository without an account attached. You would then store this deploy key in a secret in the settings of the other repo. However, I'm not sure you can trigger releases with deploy keys - they are not bound to an account so I'm unsure who's username would be visible on the release history.