I have the secrets in my AWS Secrets Manager, which I am fetching in my GitHub Actions workflow through the aws-cli. This returns me the key/value pair in GITHUB_ENV/GITHUB_OUTPUT, from which I retrieve only the value through jq.

I want to use the retrieved secret value in a subsequent step to update the value of a file. However, when I use it in the next step, the value is visible in the GitHub logs. I am using add::mask to hide the secret, but the code looks like boilerplate and I am not sure if it is a safe practice. I want to learn if there is any good approach to it.

I have tried the following and it gives me a solution. I am able to hide the retrieved secret and replace the value of an XML entry with it without making it visible in the GitHub logs, but the script looks like boilerplate; I want to know if there is any other good approach.

      - name: Get Secrets from AWS Secrets Manager
        id: get_secrets
        run: |
          # jq -r prints the raw string, so no tr to strip the quotes is needed
          mgr_pwd=$(aws secretsmanager get-secret-value --secret-id secretId --query SecretString --output text | jq -r .password)
          # register the mask before the value is written anywhere else
          echo "::add-mask::${mgr_pwd}"
          echo "mgr_pwd=${mgr_pwd}" >> "$GITHUB_OUTPUT"

      - name: Update secrets in config.properties
        env:
          # pass the output through env rather than expanding ${{ }} inside the script,
          # so the shell never re-parses the secret (quotes, spaces, $ or ; in the password)
          MGR_PWD: ${{ steps.get_secrets.outputs.mgr_pwd }}
        run: |
          xmlstarlet ed --inplace -u '/properties/entry[@key="password"]' -v "$MGR_PWD" ../config/config-properties.xml
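
The workflow below is an added example, not code from the question or the answer. It shows the same fetch, mask, output, consume flow with the checks a reviewer would ask for, and it goes beyond the single `password` field: every key of the JSON secret is masked and exported as its own step output. The secret id `secretId`, the path `../config/config-properties.xml` and the use of `actions/checkout` are assumptions; credentials are assumed to be already configured for the job, as in the question, and the JSON keys are assumed to be valid output names (letters, digits, `-`, `_`).

```yaml
# Added example (not from the original post). Assumes AWS credentials are already
# configured for the job and that the secret "secretId" is a JSON object such as
# {"username": "...", "password": "..."}. Paths and the secret id are placeholders.
jobs:
  update-config:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Get secrets from AWS Secrets Manager
        id: get_secrets
        shell: bash
        run: |
          set -euo pipefail          # never continue with an empty or partial secret
          secret_json="$(aws secretsmanager get-secret-value \
                           --secret-id secretId \
                           --query SecretString --output text)"
          # For each key in the JSON secret:
          # 1. extract the raw value (jq -r: no surrounding quotes, no tr needed)
          # 2. refuse empty/null values instead of silently writing "" into the config
          # 3. register the mask BEFORE the value can reach any log line
          # 4. hand it to later steps via GITHUB_OUTPUT using a heredoc with a random
          #    delimiter, which is safe for values containing '=' or newlines
          while IFS= read -r key; do
            value="$(jq -r --arg k "$key" '.[$k]' <<<"$secret_json")"
            if [ -z "$value" ] || [ "$value" = "null" ]; then
              echo "::error::secret key '$key' is empty in secretId"
              exit 1
            fi
            echo "::add-mask::$value"
            delimiter="$(openssl rand -hex 16)"
            {
              echo "${key}<<${delimiter}"
              echo "$value"
              echo "$delimiter"
            } >> "$GITHUB_OUTPUT"
          done < <(jq -r 'keys[]' <<<"$secret_json")

      - name: Update secrets in config-properties.xml
        # Pass the value through env:, not by expanding ${{ }} inside run:.
        # An expression expanded into the script body is re-parsed by the shell,
        # so a password containing ' " $ ; or spaces would break or change the command.
        env:
          MGR_PWD: ${{ steps.get_secrets.outputs.password }}
        run: |
          set -euo pipefail
          xmlstarlet ed --inplace \
            -u '/properties/entry[@key="password"]' -v "$MGR_PWD" \
            ../config/config-properties.xml
```

Two caveats worth keeping in mind with this pattern: `::add-mask::` only redacts the exact string it was given, so it must run before any command (including `set -x` tracing) can print the value, and the mask only covers log output; the value still appears in the process arguments of `xmlstarlet` on the runner, which is acceptable on an ephemeral hosted runner but worth knowing on a shared self-hosted one.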
 
I think using "::add-mask::" is fine, in my humble opinion. But if you were looking for something more readable, you could use this aws-action:

  - name: Get some secret from AWS Secrets Manager
    id: get-aws-secret
    uses: aws-actions/aws-secretsmanager-get-secrets@v1
    with:
      secret-ids: |
        MY_ENV_VAR, my/secret/name

The above creates a new ENV variable named MY_ENV_VAR, which can be used in later steps. And then retrieve the values this way (this is a bad example because your secret will never show up in the logs, but you will see *** if it was able to find it):

  - name: Debug show secret value
    run: |
      # the action already exported MY_ENV_VAR into the step environment,
      # so read it as a shell variable instead of expanding ${{ }} into the script
      echo "$MY_ENV_VAR"

or this way (the 'secretValue' string below is a magic/convention string for the outputs of that aws-action). Again, the secret will show up as *** in the logs (to avoid leaking the secret, but trust that the secret is there for use if you see *** in your logs):

  - name: Deploy to Production
    env:
      MY_SECRET: ${{ steps.get-aws-secret.outputs.secretValue }}
    run: |
      # Use the secret
      echo "Secret value: $MY_SECRET"

Read up on the above action and you'll see that you can wildcard secrets, so that you can ingest many secrets at once.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_github.html

https://github.com/aws-actions/aws-secretsmanager-get-secrets

Another side note for people who might end up here: make sure you store the correct password in AWS Secrets Manager; I've made that mistake many times, where it was able to retrieve the secret just fine but it would fail because we had the wrong password in AWS Secrets Manager... Sometimes extra sets of double quotes can also throw you off: if you use the 'aws secretsmanager get-secret-value' CLI command (and not the aws-action described in this answer), make sure that you use '--output text' to remove the double quotes (just like DumbCoder correctly does :) ).