I am writing a javascript github action. Inside my action.yml, I have the following:
runs:
using: node12
main: ./index.js
Inside my index.js, I am calling an api which requires a secret key. I want to use my own secret key. I don't want users who use my action to define their own key. How can I add my secret key to the file as a secret ort env variable ?
Secrets need to come from somewhere. Even if you encrypt your token for the external api and host it directly in the action's code, you still need a passphrase to decrypt it and that needs to come from a secrets entry by the user of your action as it would need to be hosted in their own repo or organization.
Example of encrypting a secret if you wanted to, but still requires a passphrase, therefore we are back on the same boat.
gpg --symmetric --cipher-algo AES256 my_secret.json
The reason this situation is not ideal is because from my understanding, you want to use one token for all users of your action. Therefore the secret will need to be public in some way as multiple users will need to have that token, so either you host the token directly in your action or tell users to provide it to you through their secrets setup as an action variable or env. Here is an example of the user sharing the token in two different ways to your action.
steps:
- name: Hello world action
with: # Set the secret as an input
super_secret: ${{ secrets.SuperSecret }}
env: # Or as an environment variable
super_secret: ${{ secrets.SuperSecret }}
Related
I have a key in my KV store, let's say /global/test/my-key and I use a token that has the following policy :
key "/global/test/my-key" {
policy = "read"
}
Why, using the UI, I can access the URL http://localhost:8500/v1/kv/global/test/my-key/edit but I have a 403 on the following URLs http://localhost:8500/v1/kv/global/test and http://localhost:8500/v1/kv/global ?
Is there a way for me to access my key from the UI starting at the URL http://localhost:8500/v1/kv ?
NOTE: I have tried the "list" policy, but it gives read access to the other keys, which is not what I want.
EDIT: I just realized I had forgot to mention another condition that I am trying to meet. I have another key called for instance /global/secret/my-other-key and I don't want that key to be viewed from the UI nor the folder /global/secret/.
If you wish to have access to all of the mentioned paths, you should use this policy instead:
key_prefix "global" {
policy = "read"
}
This policy will give you access to global and any "sub-paths" of it.
Consul does not currently support performing recursive reads on paths where your token only has access to a subset of the keys under that parent path.
There's an open GitHub issue requesting this functionality be added https://github.com/hashicorp/consul/issues/4513. I recommend upvoting that issue to indicate your interest, and subscribe to it for updates so that you can track its progress.
If your particular use case is not accurately reflected in the initial description, feel free to leave a comment with additional information.
I am giving a coding lesson where students can upload answers to our quizzes using personal, private repositories. So here's how the repository structure of my organization looks like:
my_organization/student_1_project
my_organization/student_2_project
my_organization/...
my_organization/student_n_project
I would like to run a private GitHub Action at any push on a student repository. This Action would run partial reviews of the student's work, and notify me of stuffs. Its code would need to be unreachable from students, of course, otherwise providing hints & solutions.
I have three questions:
Can my workflow in e.g. my_organization/student_2_project be to use a private action my_organization/my_private_action? It seems like yes thanks to actions/checkout#v2 (see here) but pretty sure that involves playing with keys or tokens or secrets - I'm not so at ease with that and currently get an error although it does exist:
Error: fatal: repository 'https://github.com/my_organization/my_private_action' not found
Can it prevent the student (owner/admin of my_organization/student_2_project) to see the code in my_organization/my_private_action?
With the same constraints, could the private action be hosted in another organization?
Thanks a lot for your help!
This is how I understand the restrictions:
Using an action from a private/internal repository currently isn't supported directly, see this issue on the roadmap. A possible workaround is adding a personal access token with access to the private repo that contains the action and then checking it out like this:
- name: Get private repo with action
uses: actions/checkout#v2
with:
repository: yourorg/privateactionrepo
ref: master
token: ${{ secrets.PAT_TOKEN }}
path: .github/actions
You can then use the action in another step like
uses: ./.github/actions/actionname
The PAT can be a secret on the org level so you don't have to add it to every single student repo.
Since the student's repo has access to the PAT, they can use it to create a workflow that checks out the private repo and does whatever they want with it – upload its contents, print every file etc.
As long as the PAT has the permissions to check out the repo containing the action, the action can live anywhere, including in another organization.
Alternatively, if you want to prevent your students from seeing your action, you could add a workflow to your students' repositories that sends a request to the GitHub API and then have a trigger in your action on the repository_dispatch event.
I have an action job which upload the context to other website. The token was set and stored in the secret.MY_TOKEN.
But others who make the pull request also trigger this action job using the token I set.
How to limit the privilege of executing the jobs that only I can run this action job.
fyi my ci.yml as follow:
name: foobar
on: [push, pull_request]
jobs:
upload:
runs-on: ubuntu-latest
steps:
....
- name: execute upload
env:
TOKEN: ${{ secrets.MYTOKEN }}
run:
upl --token ${TOKEN}
I assume there are two security problems here.
The token is printed in log file.
others who can use this private token by trigger action with their own purpose.
Use the github.repository_owner context
https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context
The syntax should be something like:
- if: github.repository_owner == 'owner_name'
There is a new feature which could help, since July 2022:
Differentiating triggering actor from executing actor
Starting next week, workflow re-runs in GitHub Actions will use the initial run’s actor for privilege evaluation.
The actor who triggered the re-run will continue to be displayed in the UI, and can be accessed in a workflow via the triggering_actor field in the GitHub context.
Currently, the privileges (e.g. – secrets, permissions) of a run are derived from the triggering actor.
This poses a challenge in situations where the actor triggering a re-run is different than the original executing actor.
The upcoming change will differentiate the initial executing actor from the triggering actor, enabling the stable execution of re-runs.
For more details see Re-running workflows and jobs.
I don't believe allowing actions to run only for certain users is a native feature.
However, you could simply check the action context actor and exit early if the actor is not the yourself (or the owner of the repo, or whatever condition you'd like).
I have Mesosphere DC/OS installed on Azure cluster, running tomcat apps as services, those services are configured using JSON files holding the ports and passwords of the apps. My Manager wants to use Azure Key Vault to store the passwords and secrets of the apps, i created the vault and stored in it the secrets i need.
This is a part of my JSON values which i need to replace:
(i cut only the fields with the values i want to replace from the Vault)
"APP_ACCESS_SERVICE_PASSWORD": "AppPW",
"CASSANDRA_DB_PASSWORD": "App_uat_PW",
"UAMS_ORACLE_PASSWORD": "App_uat_PW",
"PUBLISH_DB_PASSWORD": "ogw",
"App-PUBLISH_DB_PASSWORD": "App_uat1",
"EMP_DB_PASSWORD": "App_uat1",
How can i replace the passwords in my JSON with the values in the key vault ? i mean putting a URL to the password instead of the password is not an option, any Idea how can i input the values in the key vault into the JSON instead of the static values ?
From Azure documentation i see that i can access the values using URL, for example:
https://Contoso-Vault2.vault.azure.net/secrets/ExamplePassword
but using URL instead of the value is not an option. (it won't work)
I assume you have a pipeline but here's how you could do it.
First create your secrets in your desired key vault. I have created an app using Python and the Azure sdk which lets you create multiple secrets in a key vault very easily - https://github.com/TechyTish/AzurePy/blob/main/create-azure-secrets-README.md
lets say your secrets are stored as (secretName: secretValue):
appAccessService: 1234
cassandraDB: hello567
...
etc
#filename: example.json
"APP_ACCESS_SERVICE_PASSWORD": "{#appAccessServicePW#}",
"CASSANDRA_DB_PASSWORD": "{#cassandraDB#}",
"UAMS_ORACLE_PASSWORD": "{#uamsOraclePW#}",
"PUBLISH_DB_PASSWORD": "{#publishDBPW#}",
"App-PUBLISH_DB_PASSWORD": "{#appPublishPW#}",
"EMP_DB_PASSWORD": "{#empDBPW#}",
Create a YAML pipeline which will have 2 tasks:
Extract keyvault secrets
Replace the .json key values with the secrets
#filename: azure-pipeline.yml
# Azure Key Vault
# Download Azure Key Vault secrets
- task: AzureKeyVault#2
inputs:
connectedServiceName: # Azure subscription - you will need to create an service connection in the repo which has access policies to the keyvault
keyVaultName: # Name of existing key vault
secretsFilter: '*' # Downloads all secrets for the key vault
runAsPreJob: true # Runs before the job starts
Underneath the previous task add another one.
This looks for any key value with the {# pre-fix and #} suffix in the .json file and the variables (below) after this task will replace the value in the .json file with the value of the secrets you assigned it.
#filename: azure-pipeline.yml
- task: qetza.replacetokens.replacetokens-task.replacetokens#3
inputs:
targetFiles: "$(Pipeline.Workspace)/codepath/jsonFileName.json"
encoding: "auto"
writeBOM: true
verbosity: "detailed"
actionOnMissing: "warn"
keepToken: false
tokenPrefix: "{#"
tokenSuffix: "#}"
displayName: Perform variable substitution in json file
- script: echo "$(<folderName/example.json)" #open json file in the terminal to show the changes
#.json value: point to secret name
variables:
appAccessServicePW: $(appAccessService)
cassandraDB: $(cassandraDB)
#....
#etc
Run the pipeline (tick the box for debugging) and your output of .json file should be:
#filename: appsettings.json
"APP_ACCESS_SERVICE_PASSWORD": "1234",
"CASSANDRA_DB_PASSWORD": "hello567"
#....
#etc
This way the only time your secrets are revealed is when the pipeline is run on whichever host agent (virtual machine) you use.
I am building my Jekyll site with Algolia search.
The documentation about jekyll-algolia says the admin key must be provided in the environment variable ALGOLIA_API_KEY.
However, another page about API key security says
Your admin API key is the most sensitive key: it provides full control of all your indices and data. The admin API key should always be kept secure. Do NOT release it to anybody or do NOT use it in any application, and always create a new key that will be more restrictive. This API key should almost exclusively be used to generate other - more limited - API Keys that will then be used to search and perform indexing operations.
Reading the second page, I'm trying to create a more restrictive key for use with jekyll-algolia in CI builds of my Jekyll website:
However I still get complaints from bundle exec jekyll algolia:
ibug#ubuntu:~/iBug.github.io$ ALGOLIA_API_KEY="0123456789abcdef0123456789abcdef" bundle exec jekyll algolia
Configuration file: /home/wsl/iBug.github.io/_config.yml
Processing site...
AutoPages: Disabled/Not configured in site.config.
Pagination: Complete, processed 1 pagination page(s)
Jekyll Feed: Generating feed for posts
GitHub Metadata: No GitHub API authentication could be found. Some fields may be missing or have incorrect data.
Extracting records...
Updating records in index iBug_website...
Records to delete: 428
Records to add: 420
[✗ Error] Invalid credentials
The jekyll-algolia plugin could not connect to your application ID using the
API key your provided.
Make sure your API key has access to your 14DZKASAEJ application.
You can find your API key in your Algolia dashboard here:
https://www.algolia.com/licensing
ibug#ubuntu:~/iBug.github.io$ echo $?
1
How should I do that? Or must I provide the admin key in CI environments?
Minimum API key ACLs required to allow indexing with jekyll-algolia are deleteIndex, addObject, deleteObject and 'editSettings`.
If one of those ACLs is not set you get an error like this :
[jekyll-algolia] Error:
403: Cannot PUT to
https://APP_ID.algolia.net/1/indexes/your_folder/settings:
{"message":"Method not allowed with this API key","status":403} (403)
In your case, the error message indicates that your application ID is not connected with the API_KEY you provide.
Check your application ID in your Algolia dashboard, and verify that you have a correct algolia.application_id entry in your _config.yml.
If you provide the right application_id and one of her API key, it must work, otherwise it's an Algolia problem.