Azure Dynamic Secret Issue #9

Open
LanceMcCarthy opened this issue Nov 28, 2023 · 2 comments

Comments


LanceMcCarthy commented Nov 28, 2023

Hi Team,

First, love the work on expanding the functionality and pushing this out to the marketplace. Unfortunately, I have discovered an issue with this that is also present in my action... I am unable to get the values of the AAD dynamic secret.

Let me set you up properly.

Understanding the Azure AD Akeyless Response

This is what you get when using the Akeyless CLI when fetching an Azure AD dynamic secret.

{
  "id": "{\"secret_name\":\"tmp.p-m9vvgiii6rip.kj36S\",\"secret_key_id\":\"0c46516c-076e-4e69-bcf3-7c2fcac265a7\"}",
  "msg": "User  has been added successfully to the following Group(s): [] Role(s): [] Expires on Thu Aug 10 14:38:59 UTC 2023",
  "secret": {
    "appId": "207ff3fc-f6e3-4467e-babf-66b62e047be7",
    "displayName": "tmp.p-m9vvgiii6rip.kj36S",
    "keyId": "0c46516c-3456-4e69-bcf3-7c2fcac265a7",
    "secretText": "xrk8Q~qvnUbBHfXlCmaTdIakNyLc8xC.50gBqa0K",
    "tenantId": "bd47e796-1234-4b8a-9101-1f4c0c7af31a"
  },
  "ttl_in_minutes": "60"
}

Notice how the important values we need to use are inside the secret value:


Problem

In my Action, this never gets properly parsed by the SDK, and it also seems you might be experiencing the same problem. Here is what happens when I run this action and try to get the value for secret:


Repro 1 - Using key: "secret" For Precision

You can reproduce this with the following YAML. Notice I am using key=secret to be able to ignore the rest of the top-level values:

      - name: Fetch AKeyless Secret
        id: akeyless
        uses: akeyless-community/[email protected]
        with:
          access-id: 'p-XXXXXXXX'
          dynamic-secrets: |
            - name: "/path/to/my/azure-ad-dynamic-secret/"
              output-name: "aad"
              key: "secret"
          access-type: jwt

      - name: Verify Outputs
        run: |
          echo "appId: ${{ steps.akeyless.outputs.appId }}"
          echo "secretText: ${{ steps.akeyless.outputs.secretText }}"
          echo "tenantId: ${{ steps.akeyless.outputs.tenantId }}"
          echo "displayName: ${{ steps.akeyless.outputs.displayName }}"
          echo "keyId: ${{ steps.akeyless.outputs.keyId }}"

Repro 2 - Reading Entire Response

If you want to avoid the error, you can run it like this (without declaring key: "secret"):

      - name: Fetch AKeyless Secret
        id: akeyless
        uses: akeyless-community/[email protected]
        with:
          access-id: 'p-XXXXXXXX'
          dynamic-secrets: |
            - name: "/path/to/my/azure-ad-dynamic-secret/"
              output-name: "aad"
          access-type: jwt

      - name: Verify Outputs
        env:
          # Pass the JSON in through the environment instead of interpolating the
          # expression into the script, so shell quoting and injection are not a concern.
          AAD_JSON: ${{ steps.akeyless.outputs.aad }}
        run: |
          # Pull out the nested "secret" object as compact JSON
          aadSecret=$(printf '%s' "$AAD_JSON" | jq -c '.secret')

          printf '%s' "$aadSecret" | jq -r '.appId'
          printf '%s' "$aadSecret" | jq -r '.secretText'
          printf '%s' "$aadSecret" | jq -r '.tenantId'
          printf '%s' "$aadSecret" | jq -r '.displayName'
          printf '%s' "$aadSecret" | jq -r '.keyId'

This will output the rest of the dynamic secret's values, but not secret.appId, secret.tenantId, etc. In fact, it still breaks when trying to read the value of secret:


Resolution

Either of these two outcomes would be considered a resolution.

  • An example that doesn't set the key, but is able to iterate over the sub-keys of secret
  • An update to the action that lets me set key: "secret" and then be able access the values of appId, tenantId and secretText

LanceMcCarthy commented Dec 5, 2023

After further investigation, I think I've found the reason why this is failing. The JSON data uses stringified results for some key values, but not for the secret key's values. This is causing JSON parsers to fail.

Here is the output from the Action:


Since "[object, object]" cannot be deserialized (it is a string, not an object), there isn't a way to get the original values out of it.
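
The coercion described in this comment, as an added example (this is not code from the akeyless-community action or from the workaround below): `naiveOutputs` reproduces how a nested object becomes "[object Object]" once it is stringified, and `fixedOutputs` shows the two outcomes asked for in the issue, serialising nested values as JSON so the consumer can still parse them, and flattening the sub-keys of `secret` when `key: "secret"` is requested. The response is a constructed sample with placeholder values in the shape shown above, and the function names are hypothetical.

```javascript
// Constructed sample in the shape of the Azure AD dynamic secret response
// from the issue; every value is a placeholder, not a real credential.
const sampleResponse = {
  id: '{"secret_name":"tmp.example","secret_key_id":"00000000-0000-0000-0000-000000000000"}',
  msg: 'User has been added successfully ... Expires on <placeholder>',
  secret: {
    appId: '<app-id-placeholder>',
    displayName: 'tmp.example',
    keyId: '<key-id-placeholder>',
    secretText: '<secret-placeholder>',
    tenantId: '<tenant-id-placeholder>',
  },
  ttl_in_minutes: '60',
};

// Broken: coercing a nested object with String() (or a template literal)
// yields "[object Object]", and the original fields are gone for good.
function naiveOutputs(response) {
  const outputs = {};
  for (const [k, v] of Object.entries(response)) outputs[k] = String(v);
  return outputs;
}

// Fixed: serialise object values with JSON.stringify so they stay parseable,
// and when `key` names an object-valued field, emit its sub-keys as their own
// outputs (what `key: "secret"` should give you). A real action should also
// register secretText as a masked secret before emitting it (not shown here).
function fixedOutputs(response, key) {
  const selected = key === undefined ? response : response[key];
  if (selected === undefined) throw new Error(`key "${key}" not in response`);
  if (selected === null || typeof selected !== 'object') return { [key]: String(selected) };
  const outputs = {};
  for (const [k, v] of Object.entries(selected)) {
    outputs[k] = v !== null && typeof v === 'object' ? JSON.stringify(v) : String(v);
  }
  return outputs;
}

// True when an emitted output can be turned back into an object by the consumer.
function isRecoverable(serialised) {
  try { return typeof JSON.parse(serialised) === 'object'; } catch { return false; }
}
```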


LanceMcCarthy commented Dec 7, 2023

Workaround

If anyone else is reading this and having the same issue, I was able to write up a workaround by using the Akeyless REST API (instead of relying on the JavaScript SDK this action uses).

Get it here https://github.com/marketplace/actions/akeyless-aad-dynamic-secret

It's very easy to use:

  - id: aad-secret
    uses: LanceMcCarthy/akeyless-aad-secret@v1
    with:
      akeyless-secret-path: '/path-to/aad-dynamic-secret'
      akeyless-access-id: 'p-123456'
      akeyless-access-key: '${{ secrets.AKEYLESS_ACCESS_KEY }}'

Here's the wonderful output!

