This repository has been archived by the owner on Oct 11, 2023. It is now read-only.

Handling dynamic key names #24

Open
modev opened this issue Apr 9, 2021 · 6 comments
Labels
enhancement New feature or request idle Inactive for 14 days

Comments

@modev

modev commented Apr 9, 2021

I frequently use dynamically changing key names, for example from configuration files, to get secrets from KeyVault. While resolving the key itself works totally fine, the problem lies in the output and how the value is accessible.

The output key for the value equals the input key. This is not a problem if you know the key name beforehand by statically assigning it, but it causes a problem when using a dynamic value as a key, since there is no way (that I am aware of) to reference such a value directly.

See this minimal example

name: Build

on:
  push:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - id: prepare
      uses: custom/action-that-reads-configuration-and-outputs # reads configuration based on the deployment target
    - name: Get keyvault secrets
      uses: azure/get-keyvault-secrets
      with: 
        name: ${{ steps.prepare.outputs.keyvault_name }}
        secret: static-key, ${{ steps.prepare.outputs.env_username }} 

In the example shown above, the name of the environment variable or the step output is now based on the value of the evaluated ${{ steps.prepare.outputs.env_username }} expression. In order to access the value you'd need a nested syntax, which is not possible as far as I understood.

Working around that is relatively easy using the az CLI and saving the output to a file or statically assigned variable name, but it hurts the readability and maintainability of the pipeline using an otherwise perfectly working action. I'm not sure if it's common to encounter that issue, but I think it would be great to accommodate such use cases.

The best way I found to implement that in a non-breaking way would be to let the user optionally pass a variable name for a given value that is used to override the automatically generated one, for example by separating the value by a char like :.

    - id: prepare
      uses: custom/action-that-reads-configuration-and-outputs # reads configuration based on the deployment target
    - name: Get keyvault secrets
      uses: azure/get-keyvault-secrets
      with: 
        name: ${{ steps.prepare.outputs.keyvault_name }}
        secret: static-key, ${{ steps.prepare.outputs.env_username }} :override_variable_name:

Am I missing something with my approach or is this actually not possible with the current implementation?

@joseph-flinn

This would also be helpful in (or enable) cases getting different secrets in a matrix job

@joseph-flinn

I made a quick change locally that has been tested and solves this issue

Change overview:
image

Gist changes (for copy+paste): https://gist.github.com/joseph-flinn/c940392463964b6139df4325b471c8ad

Unfortunately, I don't have the bandwidth to follow through and really dig into how this action is set up with support for the AzureStack to put in a PR. During my testing, master was breaking and I couldn't test my changes directly against master and I couldn't find documentation on how to run this Action local to a runner (if there are steps needed to compile or something). I personally made changes to a branch taken off of the current stable v1.1.

@kanika1894 kanika1894 added the enhancement New feature or request label Jun 30, 2021
@deep-mm

deep-mm commented Jul 12, 2021

I was able to get dynamic name secrets by this:
image

One thing that concerns me is, how do I access it in the output
${{ steps.GitHubPAT.outputs.$secretName }}

How do I have the $secretName as dynamic?

@github-actions

This issue is idle because it has been open for 14 days with no activity.

@github-actions github-actions bot added the idle Inactive for 14 days label Jul 26, 2021
@KKghub

KKghub commented Sep 27, 2021

Another workaround is that we can use square brackets to access the dynamic secrets.
Assuming x holds the secret key name, e.g. store-id, then we can use ${{ env.x }} in the get-keyvault-secrets action and we can access the value by ${{ steps.azure-secrets.outputs[env.x] }}

https://stackoverflow.com/questions/69299781/using-a-variable-inside-context-expression-in-github-actions

Hope this helps someone!
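
Added example, not part of the thread and not the action's own code: a workflow that applies the square-bracket lookup described above to the scenario from the original report. It assumes the action's documented `keyvault` and `secrets` inputs and an `azure/login` step; the vault name, secret names, the `AZURE_CREDENTIALS` secret and `deploy.sh` are constructed placeholders.

```yaml
name: dynamic-keyvault-secret
on: workflow_dispatch

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Stand-in for the configuration-reading step; both values are constructed.
      - id: prepare
        run: |
          echo "keyvault_name=example-vault" >> "$GITHUB_OUTPUT"
          echo "env_username=store-id" >> "$GITHUB_OUTPUT"

      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}   # assumed repository secret

      - id: azure-secrets
        uses: azure/get-keyvault-secrets@v1
        with:
          keyvault: ${{ steps.prepare.outputs.keyvault_name }}
          secrets: static-key, ${{ steps.prepare.outputs.env_username }}

      # Index syntax: the expression inside [] is evaluated first, and its
      # result ("store-id" here) is used as the output key to look up.
      # Handing the values over through env keeps them out of the script text.
      - name: Use the dynamically named secret
        env:
          DEPLOY_USERNAME: ${{ steps.azure-secrets.outputs[steps.prepare.outputs.env_username] }}
          STATIC_KEY: ${{ steps.azure-secrets.outputs['static-key'] }}
        run: ./deploy.sh   # hypothetical script reading both variables from its environment
```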

@github-actions github-actions bot removed the idle Inactive for 14 days label Sep 27, 2021
@github-actions

This issue is idle because it has been open for 14 days with no activity.

@github-actions github-actions bot added the idle Inactive for 14 days label Oct 11, 2021