lancemccarthy / akeyless-action Goto Github PK

(node:2781) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use node --trace-warnings ... to show where the warning was created)

The output of the action is too clean, there's nothing that confirms it was successful other than the outputs being available in the following step/job.

This enhancement would re-introduce the core.info messages to the action:

• core.info('Getting secrets...');
• core.info('Exporting secrets...');
• core.info('Complete');

This will help diagnostics in consumer workflows that are encountering issues, and the underlying SDK's output doesn't throw off their investigations.

As mentioned in #9, I need to add additional ligic inside the Action itself that will automatically separate the dynamic secret's keys and export the value separately.

as it stands, you need to export them yourself using a JSON tool like jq to split them up and then >> $GITHUB_ENV to export the values into safe env variables.

If you ar ehere looking for this feature, you can still achieve the same end result by adding a step directly after your AK,eyless step/

   - name: Fetch dynamic secrets from AKeyless
      id: fetch-dynamic-secrets
      uses: LanceMcCarthy/akeyless-action@v2
      with:
        access-id: 'p-fq3afjjxv839'
        dynamic-secrets: '{"/path/to/dynamic/secret":"aws_dynamic_secrets"}'

  # EXPORT DYNAMIC SECRETS TO SEPARATE ENVIRNMENT VARIABLES
    - name: Export Secrets to Environment
      run: echo '${{ steps.fetch-dynamic-secrets.outputs.aws_dynamic_secrets }}' | jq -r 'to_entries|map("AWS_\(.key)=\(.value|tostring)")|.[]' >> $GITHUB_ENV

# NOW YOU CAN ACCESS THEM INDIVIDUALLY
    - name: Verify Vars
      run: |
        echo "access_key_id: ${{ env.AWS_access_key_id }}"
        echo "id: ${{ env.AWS_id }}"
        echo "secret_access_key: ${{ env.AWS_secret_access_key }}"
        echo "security_token: ${{ env.AWS_security_token }}"
        echo "ttl_in_minutes: ${{ env.AWS_ttl_in_minutes }}"
        echo "type: ${{ env.AWS_type }}"
        echo "user: ${{ env.AWS_user }}"
``

In 2.3.0, the dynamic secrets appear to only be present in environment variables and not in job outputs.

This issue is to investigate the problem, confirm any problems and provide any fixes.

There is an ongoing issue I am investigating where attempting to fetch any secret from the Akeyless portal/gateway results in the following error

getDynamicSecretValue Failed: 
{
  "status":400,
  "body":{"error":"Client could not be found in cache"},
  ....
}

This seems to be specific to the JavaScript SDK's comms with the Akeyless server. I am in communication with the Akeyless team and will update this Issue once more information is known.

Emergency Need

If you have a mission-critical situation, then you can use the alternative approach of using the REST API. Here's an example of using PowerShell to get the secret using a REST call:

$AKEYLESS_ACCESS_ID="p-123456"
$AKEYLESS_ACCESS_KEY="get-me-from-akeyless-portal"

$AuthBody = @{ "access-id" = "p-123456"; "$AKEYLESS_ACCESS_ID" = "$AKEYLESS_ACCESS_KEY"; "access-type" = "access_key"; }

$AuthParameters = @{ Method = "POST"; Uri =  "https://api.akeyless.io/auth"; Body = ($AuthBody | ConvertTo-Json); ContentType = "application/json"; }

$token = (Invoke-RestMethod @AuthParameters).token
$SecretBody = @{ "name" = "/my-secret/path"; "token" = "$token"; }
$SecretParameters = @{ Method = "POST"; Uri =  "https://api.akeyless.io/get-dynamic-secret-value"; Body = ($SecretBody | ConvertTo-Json); ContentType = "application/json"; }
$dynamicSecret = Invoke-RestMethod @SecretParameters