Passing ECR credentials to another job doesn't work #546
Comments
Could I see your workflow yml with all sensitive info redacted?
Ah I see. The way GitHub actions marks secrets in logs is by checking every substring in the logs to see if they match any of the secret values. In your case, this is Does your print step print anything?
Ah, thank you for the insight on this @arjraman. It prints the registry with the account ID and region redacted. Do you know if there is any way to work around this without hard-coding the AWS account ID on the workflow?
Not sure, I haven't tried to do so. I gave a possible solution in #464. Other related discussions can be found in #495 and #496. Here's a doc from GitHub talking about it: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-masking-and-passing-a-secret-between-jobs-or-workflows. But it doesn't give any concrete way of doing so.
@1david5 can you define AWS Account ID in actions 'environment variables' (next to secrets in actions configuration) because AWS Account IDs aren't considered secret?
@1david5 Check your variable secrets.AWS_REGION if it's in format (us-east-1) or in expected format (us_east_1), for example.
Describe the bug
Using this action to output your Docker credentials for logging into ECR Private and then passing them to another job to run your private image as a service or container doesn't work. (This use case is described in the action documentation, in the "Run an image as a service" section.)
The credentials never make it to the second job because Actions skips them, throwing the warnings below, resulting in empty repo, username, and password on the second job:
Skip output 'registry' since it may contain secret.
Skip output 'docker_username' since it may contain secret.
Skip output 'docker_password' since it may contain secret.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Being able to output ECR credentials and run a job on a container pulled from a private ECR.
Screenshots
Desktop (please complete the following information):
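The skip behaviour discussed in this thread, as an added Python model that is not part of the original issue and is not the runner's own code: it reports which masked value causes each job output to be dropped, which is the first thing to check when an output arrives empty in a dependent job. The mask names, sample values and function names are constructed for illustration, and the model assumes an output is dropped whenever any masked value is a substring of it.

```python
def masked_hits(value, masks):
    """Return the names (never the values) of masks found inside `value`."""
    return sorted(name for name, secret in masks.items()
                  if secret and secret in value)


def filter_job_outputs(outputs, masks):
    """Split job outputs into passed and skipped, with the runner-style warnings.

    Simplified model: an output is dropped whole if any masked value
    occurs in it as a substring, so a composite string such as a registry
    hostname is lost even though only part of it is sensitive.
    """
    passed, skipped, warnings = {}, {}, []
    for key, value in outputs.items():
        hits = masked_hits(value, masks)
        if hits:
            skipped[key] = hits
            warnings.append(f"Skip output '{key}' since it may contain secret.")
        else:
            passed[key] = value
    return passed, skipped, warnings


# Constructed sample data (not taken from the issue).
MASKS = {
    "AWS_ACCOUNT_ID": "123456789012",
    "AWS_REGION": "us-east-1",
    "docker_password": "constructed-token-value",
}
OUTPUTS = {
    "registry": "123456789012.dkr.ecr.us-east-1.amazonaws.com",
    "docker_password": "constructed-token-value",
    "image_tag": "v1.2.3",
}

if __name__ == "__main__":
    passed, skipped, warnings = filter_job_outputs(OUTPUTS, MASKS)
    for line in warnings:
        print(line)
    for key, names in skipped.items():
        print(f"{key}: dropped because it contains {', '.join(names)}")
    print("passed to dependent jobs:", sorted(passed))
```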