
get-keyvault-secrets's Issues

Environment variables created from secrets cannot be hyphenated

This action creates the secret values both as output variables and as environment variables.
Key Vault secret names can only have alphanumeric characters and dashes.
Per POSIX rules, environment variables can only have alphanumeric characters and underscores.
https://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html
We need to make sure we create environment variables converted to snake case (underscores) rather than hyphens (kebab case).
Please advise.

Thanks!

Deprecation info

@BALAGA-GAYATRI can you provide more information on why this action was deprecated? This action is heavily used by my organization, and the recommended replacement action (azure/cli@v1 action) is not sufficient. If I'm not mistaken this action will treat the returned values as plaintext, not obfuscated secrets. Additionally this action doesn't even work on self-hosted runners (Azure/cli#71).

Even stranger, the official Microsoft documentation is still using get-keyvault-secrets in the code example, but soon after the deprecation someone updated the action marketplace link to a non-verified action maintained by a single developer.

Support Managed Service Identity KeyVault access for Self-Hosted Runners

It would be helpful for this action to support Managed Service Identity (MSI) access to KeyVault for Self-Hosted runners running this GitHub action. This could reduce the need to store cloud secrets in GitHub secrets in order to access Azure KeyVault resources.

If I figure out how to do this I will submit a PR with this change.

Thanks,
Aaron

GA Date

Hi Team!

I was wondering what the date is for when this action will be released officially? At the moment it is still in pre-release...

Adrian

RBAC based access policies on the Key Vault

This step in the README suggests that Key Vault access policies are the expectation:
https://github.com/Azure/get-keyvault-secrets#enable-permissions-to-access-the-key-vault-secrets

However Key Vault also supports RBAC based permissions. Is this model supported?
https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

I tried it by giving the service principal the "Key Vault Reader" role (21090545-7ca7-4776-b22c-e363652d74d2) but I ran into access denied errors. Switching over to Key Vault access policies resolved the issue.

Handling dynamic key names

I frequently use dynamically changing key names, for example from configuration files, to get secrets from KeyVault. While resolving the key itself works totally fine, the problem lies in the output and how the value is accessible.

The output key for the value equals the input key. This is not a problem if you know the key name beforehand by statically assigning it, but it causes a problem when using a dynamic value as a key, since there is no way (that I am aware of) to reference such a value directly.

See this minimal example:

    name: Build

    on:
      push:

    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
        - id: prepare
          uses: custom/action-that-reads-configuration-and-outputs # reads configuration based on the deployment target
        - name: Get keyvault secrets
          uses: azure/get-keyvault-secrets
          with:
            name: ${{ steps.prepare.outputs.keyvault_name }}
            secret: static-key, ${{ steps.prepare.outputs.env_username }}

In the example shown above, the name of the environment variable or the step output is now based on the value of the evaluated ${{ steps.prepare.outputs.env_username }} expression; in order to access the value you'd need a nested syntax, which is not possible as far as I understood.

Working around that is relatively easy using the az CLI and saving the output to a file or a statically assigned variable name, but it hurts the readability and maintainability of the pipeline using an otherwise perfectly working action. I'm not sure if it's common to encounter that issue, but I think it would be great to accommodate such use cases.

The best way I found to implement that in a non-breaking way would be to let the user optionally pass a variable name for a given value that is used to override the automatically generated one, for example by separating the value with a character like `:`.

    - id: prepare
      uses: custom/action-that-reads-configuration-and-outputs # reads configuration based on the deployment target
    - name: Get keyvault secrets
      uses: azure/get-keyvault-secrets
      with:
        name: ${{ steps.prepare.outputs.keyvault_name }}
        secret: static-key, ${{ steps.prepare.outputs.env_username }} :override_variable_name:

Am I missing something with my approach or is this actually not possible with the current implementation?
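As an added example (not the action's own code), here is how the `secrets` input could be parsed with the optional `:override_variable_name:` suffix proposed above, while also mapping each Key Vault secret name to a POSIX-valid environment variable name as the first issue on this page asks for. The parsing regex, the collision check and the function names are my assumptions.

```typescript
// Key Vault allows only alphanumerics and dashes in secret names.
const KEYVAULT_SECRET_NAME = /^[A-Za-z0-9-]+$/;
// POSIX environment variable names: alphanumerics and underscores, no leading digit.
const POSIX_ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

interface SecretMapping {
  secretName: string; // name as stored in Key Vault
  envName: string;    // name the value will be exported under
}

// Dashes become underscores (snake case); a leading digit gets an underscore prefix.
function toEnvName(secretName: string): string {
  const name = secretName.replace(/-/g, "_");
  return /^[0-9]/.test(name) ? "_" + name : name;
}

// Parse "a-b, c-d :OVERRIDE:" (assumed syntax) into mappings. Throws on invalid
// names and on two entries that would export under the same variable name.
function parseSecretsInput(input: string): SecretMapping[] {
  const mappings: SecretMapping[] = [];
  const seen = new Map<string, string>(); // envName -> secretName that claimed it
  for (const raw of input.split(",")) {
    const entry = raw.trim();
    if (entry === "") continue;
    const m = /^([^\s:]+)(?:\s*:([^\s:]+):)?$/.exec(entry);
    if (!m) throw new Error(`malformed secrets entry: "${entry}"`);
    const [, secretName, override] = m;
    if (!KEYVAULT_SECRET_NAME.test(secretName)) {
      throw new Error(`invalid Key Vault secret name: "${secretName}"`);
    }
    const envName = override ?? toEnvName(secretName);
    if (!POSIX_ENV_NAME.test(envName)) {
      throw new Error(`"${envName}" is not a valid environment variable name`);
    }
    const clash = seen.get(envName);
    if (clash !== undefined) {
      throw new Error(`"${secretName}" and "${clash}" both map to ${envName}`);
    }
    seen.set(envName, secretName);
    mappings.push({ secretName, envName });
  }
  return mappings;
}

// Convenience for checking rejected inputs without propagating the exception.
function parseFails(input: string): boolean {
  try { parseSecretsInput(input); return false; } catch { return true; }
}
```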

Invalid regular expression: /*/: Nothing to repeat on self-hosted GitHub runner

Hello,

We had a working GitHub action that uses Azure/get-keyvault-secrets@v1 (runs-on: ubuntu-latest). We moved the action to a self-hosted GitHub runner (runs-on: self-hosted) and the Azure/get-keyvault-secrets@v1 step fails with an error message:

    Error: Invalid regular expression: /*/: Nothing to repeat

The Azure/login@v1 step is successful.

I wonder if it's this line?

    main.ts:33
    environment = environment.replace(/"|\s/g, '');

because the line below it doesn't trigger:

    console.log('Running keyvault action against ' + environment);

When running this command in the az console

    az cloud show --query name

I get "AzureCloud" as a return.
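Added example, not code from the action: `new RegExp("*")` is exactly what produces the "Nothing to repeat" message quoted above, so the snippet reproduces it from a cloud-name string that normalises to `*` and shows a hardened matcher that allow-lists and escapes the `az cloud show --query name` output before using it. The assumption that the normalised cloud name is used to build a RegExp, and the function names, are mine.

```typescript
// Same normalisation as the quoted main.ts:33: drop double quotes and whitespace.
function normalizeCloudName(raw: string): string {
  return raw.replace(/"|\s/g, "");
}

// Escape every regex metacharacter so the string matches itself literally.
function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Unsafe (assumed shape of the bug): CLI output that normalises to "*" or any
// other metacharacter makes the RegExp constructor throw.
function unsafeCloudMatcher(raw: string): RegExp {
  return new RegExp(normalizeCloudName(raw));
}

// Hardened: reject anything that is not a plausible cloud name (AzureCloud,
// AzureUSGovernment, ...) with a clear message, then escape before building.
function safeCloudMatcher(raw: string): RegExp {
  const name = normalizeCloudName(raw);
  if (!/^[A-Za-z0-9]+$/.test(name)) {
    throw new Error(
      `unexpected output from "az cloud show --query name": ${JSON.stringify(raw)}`
    );
  }
  return new RegExp("^" + escapeRegExp(name) + "$");
}

// Returns the error message a builder throws for the input, or null if none.
function regexErrorFor(build: (s: string) => RegExp, raw: string): string | null {
  try {
    build(raw);
    return null;
  } catch (e) {
    return (e as Error).message;
  }
}
```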

Receiving Error: Unable to process command '::set-env

I am receiving the below error when running the task on ubuntu-latest. I see core 1.2.6 is already updated in package-lock.json.

    - name: Get KeyVault Secrets
      uses: Azure/[email protected]
      with:
        keyvault: "mykv"
        secrets: 'ARM-CLIENT-ID, ARM-CLIENT-SECRET, ARM-SUBSCRIPTION-ID, ARM-TENANT-ID'
      id: get_secret_action

    Error: Unable to process command '::set-env name=AZURE_HTTP_USER_AGENT,::GITHUBACTIONS_GetKeyVaultSecrets_**' successfully.
    Error: The `set-env` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
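Added example (not the action's code): exporting a variable through the GITHUB_ENV environment file, which is the replacement the error message above points to for the disabled `::set-env` command. The file path is a parameter, and the temp-file helper, the sample names and values are my additions so it runs outside a job.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";
import * as crypto from "crypto";

const POSIX_ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Append NAME=value (or the delimiter form for multi-line values) to the
// environment file and return the text that was written.
function exportVariable(envFile: string, name: string, value: string): string {
  if (!POSIX_ENV_NAME.test(name)) {
    throw new Error(`invalid environment variable name: ${JSON.stringify(name)}`);
  }
  let text: string;
  if (/[\r\n]/.test(value)) {
    // Multi-line value: use a random delimiter the value cannot contain, so a
    // value such as "x\nOTHER=y" cannot smuggle in a second variable.
    let delimiter = "ghadelimiter_" + crypto.randomUUID();
    while (value.includes(delimiter)) delimiter = "ghadelimiter_" + crypto.randomUUID();
    text = `${name}<<${delimiter}\n${value}\n${delimiter}\n`;
  } else {
    text = `${name}=${value}\n`;
  }
  fs.appendFileSync(envFile, text, "utf8");
  return text;
}

// Run fn against a fresh GITHUB_ENV-style file in a temporary directory and
// remove the directory afterwards so no secret value stays on disk.
function withTempEnvFile<T>(fn: (envFile: string) => T): T {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "gha-env-"));
  const envFile = path.join(dir, "GITHUB_ENV");
  try {
    return fn(envFile);
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// Demonstration with constructed values: one single-line and one multi-line export.
function demo(): string {
  return withTempEnvFile((envFile) => {
    exportVariable(envFile, "ARM_CLIENT_ID", "00000000-constructed-id");
    exportVariable(envFile, "CERT_PEM", "line1\nline2");
    return fs.readFileSync(envFile, "utf8");
  });
}

function exportFails(name: string): boolean {
  return withTempEnvFile((f) => { try { exportVariable(f, name, "v"); return false; } catch { return true; } });
}
```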

Failure to login AKV using SPN Certificate Credentials.

I'm using a certificate instead of a secret as credentials for logging into Azure.
The login action seems to pass in the workflow successfully, but this action fails saying "Error: Could not login to Azure."
I am not able to wrap my head around this issue and need help. Let me know if this is not the right place for this.

How am I supposed to debug this, and is there any other information I can provide for assistance?

Action never fails when trying to access non-existing KV

Hi,

I noticed this by accident, but what appears to happen is that when I try to fetch a secret from a non-existing KV the action never fails but hangs there forever.

I waited for 10-15 minutes, and at the end had to cancel my workflow.

Here is how the action itself is being used:

    - name: Fetch Neo4j password from KV
      id: getSecrets
      uses: Azure/get-keyvault-secrets@v1
      with:
        keyvault: 'cb-${{ github.event.inputs.environment }}-kv'
        secrets: 'neo4j-password'

Here are the logs:

    ##[debug]Evaluating condition for step: 'Fetch Neo4j password from KV'
    ##[debug]Evaluating: success()
    ##[debug]Evaluating success:
    ##[debug]=> true
    ##[debug]Result: true
    ##[debug]Starting: Fetch Neo4j password from KV
    ##[debug]Loading inputs
    ##[debug]Evaluating: format('cb-***0***-kv', github.event.inputs.environment)
    ##[debug]Evaluating format:
    ##[debug]..Evaluating String:
    ##[debug]..=> 'cb-***0***-kv'
    ##[debug]..Evaluating Index:
    ##[debug]....Evaluating Index:
    ##[debug]......Evaluating Index:
    ##[debug]........Evaluating github:
    ##[debug]........=> Object
    ##[debug]........Evaluating String:
    ##[debug]........=> 'event'
    ##[debug]......=> Object
    ##[debug]......Evaluating String:
    ##[debug]......=> 'inputs'
    ##[debug]....=> Object
    ##[debug]....Evaluating String:
    ##[debug]....=> 'environment'
    ##[debug]..=> 'testing'
    ##[debug]=> 'cb-testing-kv'
    ##[debug]Result: 'cb-testing-kv'
    ##[debug]Loading env
    Run Azure/get-keyvault-secrets@v1
      with:
        keyvault: cb-testing-kv
        secrets: neo4j-password
      env:
        AZURE_CREDENTIALS: ***
        AZURE_DEPLOYMENT_NAME: testing-neo4j-2226640039
        AZURE_HTTP_USER_AGENT: 
        AZUREPS_HOST_ENVIRONMENT: 
    ##[debug]try-get AzureCLIAuthorizer
    ##[debug]"/usr/bin/az" account show
    ##[debug]"/usr/bin/az" cloud show
    ##[debug]"/usr/bin/az" cloud show --query name
    Running keyvault action against AzureCloud
    ##[debug]"/usr/bin/az" account get-access-token
    ::add-mask::***
    ##[debug][GET] https://cb-testing-kv.vault.azure.net/secrets/neo4j-password?api-version=7.0
    ##[debug]Re-evaluate condition on job cancellation for step: 'Fetch Neo4j password from KV'.
    ##[debug]AZURE_HTTP_USER_AGENT='GITHUBACTIONS_GetKeyVaultSecrets_a372436c28a7c5193d0b8cc22264c520bb478d4f05e7d508eac7a29a40329108'
    ##[debug]AZURE_HTTP_USER_AGENT=''
    Error: The operation was canceled.
    ##[debug]System.OperationCanceledException: The operation was canceled.
    ##[debug]   at System.Threading.CancellationToken.ThrowOperationCanceledException()
    ##[debug]   at GitHub.Runner.Sdk.ProcessInvoker.ExecuteAsync(String workingDirectory, String fileName, String arguments, IDictionary`2 environment, Boolean requireExitCodeZero, Encoding outputEncoding, Boolean killProcessOnCancel, Channel`1 redirectStandardIn, Boolean inheritConsoleHandler, Boolean keepStandardInOpen, Boolean highPriorityProcess, CancellationToken cancellationToken)
    ##[debug]   at GitHub.Runner.Common.ProcessInvokerWrapper.ExecuteAsync(String workingDirectory, String fileName, String arguments, IDictionary`2 environment, Boolean requireExitCodeZero, Encoding outputEncoding, Boolean killProcessOnCancel, Channel`1 redirectStandardIn, Boolean inheritConsoleHandler, Boolean keepStandardInOpen, Boolean highPriorityProcess, CancellationToken cancellationToken)
    ##[debug]   at GitHub.Runner.Worker.Handlers.DefaultStepHost.ExecuteAsync(String workingDirectory, String fileName, String arguments, IDictionary`2 environment, Boolean requireExitCodeZero, Encoding outputEncoding, Boolean killProcessOnCancel, Boolean inheritConsoleHandler, CancellationToken cancellationToken)
    ##[debug]   at GitHub.Runner.Worker.Handlers.NodeScriptActionHandler.RunAsync(ActionRunStage stage)
    ##[debug]   at GitHub.Runner.Worker.ActionRunner.RunAsync()
    ##[debug]   at GitHub.Runner.Worker.StepsRunner.RunStepAsync(IStep step, CancellationToken jobCancellationToken)
    ##[debug]Finishing: Fetch Neo4j password from KV

Not sure if I am doing something wrong here, and this is of course not blocking me in any way, but it felt like strange behavior that I thought was worth reporting.

When I try this with the CLI I get an error.

Regards,
Mirza

Add Support for Sovereign clouds like AzureUSGovernment

It would be great if this action supported AzureUSGovernment clouds.

There are two changes that need to be made to make this happen.

  1. vault.azure.net needs to be changed to vault.usgovcloudapi.net
  2. the --resource tokenArgs needs to be changed to support vault.usgovcloudapi.net as well.

I will submit a PR with an attempt at adding this capability.
-Aaron
