Hi there,
I’ve been trying to use the AWS credentials module with the vault-action module in GitHub. When the self-hosted runner is triggered, the ephemeral IAM user is created successfully as expected, but it does not seem to return the credentials to the rest of my workflow.
Here is how I have the runner configured:
build:
  runs-on: self-hosted
  steps:
    - name: Import Secrets
      id: import-secrets
      uses: hashicorp/vault-action@v3.1.0
      with:
        url: https://127.0.0.1:8200
        tlsSkipVerify: false
        # token: ${{ secrets.VAULT_TOKEN }}
        token: ${{ secrets.MYGITHUB_TOKEN }}
        caCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t....
        exportEnv: true
        secrets: |
          /aws/creds/my-role * | dyn_ ;
For the “secrets” section, I’ve tried:
secrets: |
  /aws/creds/my-role access_key;
  /aws/creds/my-role secret_key

secrets: |
  /aws/creds/my-role access_key | AWS_ACCESS_KEY;
  /aws/creds/my-role secret_key | AWS_SECRET_ACCESS_KEY

secrets: |
  /aws/creds/my_role * | AWS_
But none of the following jobs/steps seem to be able to consume the credentials. I understand they’re secrets and would be masked from any output, but:
- I’ve sent the whole environment to syslog.
- Ran a self-hosted script that would consume the info.
- Used the AWS set credentials action.
But I always get an empty/undefined variable.
I’ve called the variables with:
variable = ${{ steps.import-secrets.outputs.<VAR_NAME> }}
variable = '${{ toJson(steps.import-secrets.outputs) }}'
variable = ${{ steps.build.outputs.<VAR_NAME> }}
variable = ${{ needs.build.outputs.<VAR_NAME> }}
and many other combinations.
I’ve replaced the name of the variables, used single, double quotes, no quotes etc…
I would appreciate some guidance on how to consume the secrets.