[Question] Unable to mask docker password #464

Open
shp7724 opened this issue Jul 1, 2023 · 1 comment
shp7724 commented Jul 1, 2023

I'm currently using the aws-actions/amazon-ecr-login GitHub action to log in to ECR, and then using the appleboy/ssh-action@master to SSH into a remote machine and run Docker Compose.

During the process, I need to pass Docker username and password as environment variables to the remote machine. This exposes these values in the GitHub Actions logs. Here is the relevant code snippet:

```yaml
- name: Handle secrets
  env:
    DOCKER_USERNAME: ${{ steps.login-ecr.outputs.docker_username_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
    DOCKER_PASSWORD: ${{ steps.login-ecr.outputs.docker_password_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
  run: |
    echo "::add-mask::$DOCKER_PASSWORD"
    echo "::add-mask::$DOCKER_USERNAME"

- name: SSH into Remote Server and Run Docker Compose
  uses: appleboy/ssh-action@master
  env:
    DOCKER_USERNAME: ${{ steps.login-ecr.outputs.docker_username_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
    DOCKER_PASSWORD: ${{ steps.login-ecr.outputs.docker_password_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
  with:
    host: ${{ secrets.REMOTE_HOST }}
    port: ${{ secrets.REMOTE_PORT }}
    username: ${{ secrets.REMOTE_USERNAME }}
    key: ${{ secrets.REMOTE_SSH_KEY }}
    passphrase: ${{ secrets.REMOTE_SSH_PASSPHRASE }}
    envs: DOCKER_USERNAME,DOCKER_PASSWORD
    script: |
      echo "::add-mask::$DOCKER_PASSWORD"
      echo "::add-mask::$DOCKER_USERNAME"
      echo $DOCKER_PASSWORD | docker login -u $DOCKER_USERNAME --password-stdin ${{ steps.login-ecr.outputs.registry }}
      docker-compose -f ~/docker-compose.yaml pull
```

Given #372, it's clear that it is not possible to mask these values from the user side. I tried to add `echo "::add-mask::"` to the secrets, but they are still visible when the `env` section is parsed.

How could this issue be solved? I need to avoid exposing the Docker username and password in the GitHub Actions logs while still being able to pass them as environment variables to the remote machine. Are there any alternative ways to handle this securely?
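
One way to keep the password out of the log, as an added example that is not part of the original issue or the project's own documentation: have the login step register the password as a masked value itself, so it is already masked by the time any later step's `env:` block is printed. It assumes the installed version of aws-actions/amazon-ecr-login supports the `mask-password` input; the `@v2` tag, the login step's name and the `REGISTRY` variable are assumptions, while the output names and ssh-action inputs are copied from the workflow above.

```yaml
# Added example, not from the original issue.
# Assumed: the @v2 tag, the login step name and the REGISTRY variable.
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v2
  with:
    # The action marks the password as a secret before exposing it as an
    # output, so no separate "::add-mask::" step (whose own env: block is
    # printed before the mask exists) is needed.
    mask-password: 'true'

- name: SSH into Remote Server and Run Docker Compose
  uses: appleboy/ssh-action@master
  env:
    DOCKER_USERNAME: ${{ steps.login-ecr.outputs.docker_username_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
    DOCKER_PASSWORD: ${{ steps.login-ecr.outputs.docker_password_145642568098_dkr_ecr_ap_northeast_2_amazonaws_com }}
    REGISTRY: ${{ steps.login-ecr.outputs.registry }}
  with:
    host: ${{ secrets.REMOTE_HOST }}
    port: ${{ secrets.REMOTE_PORT }}
    username: ${{ secrets.REMOTE_USERNAME }}
    key: ${{ secrets.REMOTE_SSH_KEY }}
    passphrase: ${{ secrets.REMOTE_SSH_PASSPHRASE }}
    envs: DOCKER_USERNAME,DOCKER_PASSWORD,REGISTRY
    script: |
      # Quote every expansion so the values are passed through unchanged;
      # the password goes to docker login on stdin, never on the command line.
      printf '%s' "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin "$REGISTRY"
      docker-compose -f ~/docker-compose.yaml pull
```

Masking only affects what the runner writes to the job log; the remote host still receives the password in the environment of the SSH session.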
