We're using Github Actions to realize our CI/CD pipeline in AWS ELB. One of our workflows is requesting logs with commands "aws elasticbeanstalk request-environment-info" and "aws elasticbeanstalk retrieve-environment-info". The problem is when the Github agent gets info from AWS it hides the URL for getting logs in AWS.
name: Request logs
env:
EB_PACKAGE_S3_BUCKET_NAME : "s3bucket"
EB_APPLICATION_NAME : "appname"
AWS_REGION_NAME : "us-east-2"
# Controls when the workflow will run
on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
environment_name:
type: choice
description: Select the environment to get logs from
required: true
options:
- app-dev
- app-prod
info_type:
type: choice
description: 100 last lines (tail) or full log (bundle)
required: true
options:
- "tail"
- "bundle"
jobs:
RequestLogs:
runs-on: ubuntu-latest
steps:
- name: Configure my AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id : ${{ secrets.MY_AWS_ACCES_KEY }}
aws-secret-access-key: ${{ secrets.MY_AWS_SECRET_KEY }}
aws-region : ${{ env.AWS_REGION_NAME }}
- name: Request logs
run : |
aws elasticbeanstalk request-environment-info \
--environment-name ${{ github.event.inputs.environment_name }} \
--info-type ${{ github.event.inputs.info_type }}
- name: Sleep for 30 seconds
uses: jakejarvis/wait-action@master
with:
time: '30s'
- name: Retrieve logs
run : |
aws elasticbeanstalk retrieve-environment-info \
--environment-name ${{ github.event.inputs.environment_name }} \
--info-type ${{ github.event.inputs.info_type }}
Expected response:
"EnvironmentInfo": [
{
"InfoType": "tail",
"Ec2InstanceId": "intanceid",
"SampleTimestamp": "date and time",
"Message": "https://elasticbeanstalk-us-east-2-123456789.s3.us-east-2.amazonaws.com/resources/environments/logs/someHeaders"
}
Real response:
"EnvironmentInfo": [
{
"InfoType": "tail",
"Ec2InstanceId": "intanceid",
"SampleTimestamp": "date and time",
"Message": "https://elasticbeanstalk-us-east-2-*******.s3.us-east-2.amazonaws.com/resources/environments/logs/someHeaders"
}
Github agent think that that numbers (https://elasticbeanstalk-us-east-2-123456789) is secret and hide it (https://elasticbeanstalk-us-east-2-*******), but we don't have such secret in Github settings. How we can see full URL?
CodePudding user response:
Since your AWS Account ID is set as a Secret, GitHub will automatically redact that string of text anywhere it’s found in the Action logs. More info, as well as some methods of getting around it, can be found here.
Edit:
The action aws-actions/configure-aws-credentials masks the Account ID by default. You can unmask it by passing the parameter mask-aws-account-id: false to the action. Here's a link to the relevant part of the schema.
CodePudding user response:
Thanks to @mpriscella
The answer is: aws configure credentials automatically hide your Account ID (and maybe other).
There is the way to show it - add param mask-aws-account-id: no (or as mansioned @mpriscella false instead no):
steps:
- name: Configure my AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id : ${{ secrets.MY_AWS_ACCES_KEY }}
aws-secret-access-key: ${{ secrets.MY_AWS_SECRET_KEY }}
aws-region : ${{ env.AWS_REGION_NAME }}
mask-aws-account-id : no