Passing ECR credentials to another job doesn't work

[1david5]

Describe the bug
Using this action to output your Docker credentials for logging into ECR Private and then pass them to another job to run your private image as a service or container, doesn't work. (This use case is described on the action documentation on the Run an image as a service section)

The credentials never make it to the second job because Actions skips them throwing the warnings below resulting in empty repo, username, and password on the second job:
Skip output 'registry' since it may contain secret.
Skip output 'docker_username' since it may contain secret.
Skip output 'docker_password' since it may contain secret.

To Reproduce
Steps to reproduce the behavior:

1. Configure two jobs as described on Run an image as a service.
2. Run the action

Expected behavior
Being able to output ECR credentials and run a job on a container pulled from a private ECR.

Screenshots

Desktop (please complete the following information):

• OS: ubuntu-latest

[arjraman]

Could I see you workflow yml with all sensitive info redacted?

[1david5]

name: "Linter & Test"

on:
  workflow_dispatch:

  pull_request:
    branches:
      - master
      - development
    types:
      - opened
      - edited
      - reopened
      - synchronize

jobs:
  login-to-amazon-ecr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    env:
      ENVIRONMENT: 'dev'
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        env:
          IAM_ROLE_ARN: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ env.ENVIRONMENT }}/${{ vars.NAMESPACE }}/${{ vars.SERVICE }}/${{ env.ENVIRONMENT }}-${{ vars.NAMESPACE }}-${{ vars.SERVICE }}-gh-action-role
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          role-to-assume: ${{ env.IAM_ROLE_ARN }}
          mask-aws-account-id: 'false'

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          mask-password: 'false'

      - name: print
        run: |
          echo "registry: ${{ steps.login-ecr.outputs.registry }}"
          echo "docker_username: ${{ format('steps.login-ecr.outputs.docker_username_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION) }}"
          echo "docker_password: ${{ format('steps.login-ecr.outputs.docker_password_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION) }}"

    outputs:
      registry: ${{ steps.login-ecr.outputs.registry }}
      docker_username: ${{ format('steps.login-ecr.outputs.docker_username_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION) }}
      docker_password: ${{ format('steps.login-ecr.outputs.docker_password_{0}_dkr_ecr_{1}_amazonaws_com', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION) }}

  lint:
    name: Lint
    needs: login-to-amazon-ecr
    runs-on: ubuntu-latest
    container:
      image: "${{ needs.login-to-amazon-ecr.outputs.registry }}/image_name:development"
      credentials:
        username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
        password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Ruby and gems
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2.2
          bundler-cache: true
      - name: Lint Ruby files
        run: bundle exec rubocop --parallel

[arjraman]

Ah I see. The way GitHub actions marks secrets in logs is by checking every substring in the logs to see if they match any of the secret values. In your case, this is secrets.AWS_ACCOUNT_ID. Since the output value of registry will match secrets.AWS_ACCOUNT_ID, and the output names provided to docker_username and docker_password contain a substring that matches secrets.AWS_ACCOUNT_ID, all those outputs will be redacted. It's the reason why the example has mask-aws-account-id: 'false' set for the aws-actions/configure-aws-credentials@v4 action.

Does your print step print anything?

[1david5]

Ah, thank you for the insight on this @arjraman.

It prints the registry with the account ID and region redacted.

Do you know if there is any way to work around this without hard-coding the AWS account ID on the workflow?

[arjraman]

Not sure, I haven't tried to do so. I gave a possible solution in #464. Other related discussions can be found in #495 and #496.

Here's a doc from GitHub talking about it: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-masking-and-passing-a-secret-between-jobs-or-workflows. But it doesn't give any concrete way of doing so.

[kevcube]

@1david5 can you define AWS Account ID in actions 'environment variables' (next to secrets in actions configuration) because AWS Account IDs aren't considered secret?

[stepanovdg]

@1david5 Check your variable secrets.AWS_REGION if its in format (us-east-1) or in expected format (us_east_1) For example.