Home > Enterprise >  Github Actions hides URL's from aws cli
Github Actions hides URL's from aws cli

Time:04-30

We're using Github Actions to realize our CI/CD pipeline in AWS ELB. One of our workflows is requesting logs with commands "aws elasticbeanstalk request-environment-info" and "aws elasticbeanstalk retrieve-environment-info". The problem is when the Github agent gets info from AWS it hides the URL for getting logs in AWS.

name: Request logs
env: 
  EB_PACKAGE_S3_BUCKET_NAME : "s3bucket" 
  EB_APPLICATION_NAME       : "appname"
  AWS_REGION_NAME           : "us-east-2"

# Controls when the workflow will run
on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      environment_name:
        type: choice
        description: Select the environment to get logs from
        required: true
        options:
          - app-dev
          - app-prod
      info_type:
        type: choice
        description: 100 last lines (tail) or full log (bundle)
        required: true
        options:
          - "tail"
          - "bundle"

jobs:
  RequestLogs:
    runs-on: ubuntu-latest
    steps:
    - name: Configure my AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id    :  ${{ secrets.MY_AWS_ACCES_KEY }}
        aws-secret-access-key:  ${{ secrets.MY_AWS_SECRET_KEY }}
        aws-region           :  ${{ env.AWS_REGION_NAME }}

    - name: Request logs
      run : |
        aws elasticbeanstalk request-environment-info \
        --environment-name ${{ github.event.inputs.environment_name }} \
        --info-type ${{ github.event.inputs.info_type }}
    - name: Sleep for 30 seconds
      uses: jakejarvis/wait-action@master
      with:
        time: '30s'

    - name: Retrieve logs
      run : |
        aws elasticbeanstalk retrieve-environment-info \
        --environment-name ${{ github.event.inputs.environment_name }} \
        --info-type ${{ github.event.inputs.info_type }} 

Expected response:

"EnvironmentInfo": [

        {
            "InfoType": "tail",
            "Ec2InstanceId": "intanceid",
            "SampleTimestamp": "date and time",
            "Message": "https://elasticbeanstalk-us-east-2-123456789.s3.us-east-2.amazonaws.com/resources/environments/logs/someHeaders"
        }

Real response:

"EnvironmentInfo": [
        {
            "InfoType": "tail",
            "Ec2InstanceId": "intanceid",
            "SampleTimestamp": "date and time",
            "Message": "https://elasticbeanstalk-us-east-2-*******.s3.us-east-2.amazonaws.com/resources/environments/logs/someHeaders"
        }

Github agent think that that numbers (https://elasticbeanstalk-us-east-2-123456789) is secret and hide it (https://elasticbeanstalk-us-east-2-*******), but we don't have such secret in Github settings. How we can see full URL?

CodePudding user response:

Since your AWS Account ID is set as a Secret, GitHub will automatically redact that string of text anywhere it’s found in the Action logs. More info, as well as some methods of getting around it, can be found here.

Edit:

The action aws-actions/configure-aws-credentials masks the Account ID by default. You can unmask it by passing the parameter mask-aws-account-id: false to the action. Here's a link to the relevant part of the schema.

CodePudding user response:

Thanks to @mpriscella

The answer is: aws configure credentials automatically hide your Account ID (and maybe other).

There is the way to show it - add param mask-aws-account-id: no (or as mansioned @mpriscella false instead no):

steps:
    - name: Configure my AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id    :  ${{ secrets.MY_AWS_ACCES_KEY }}
        aws-secret-access-key:  ${{ secrets.MY_AWS_SECRET_KEY }}
        aws-region           :  ${{ env.AWS_REGION_NAME }}
        mask-aws-account-id  : no
  • Related