-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve secret mounting instructions #318
Comments
Hi @steveoh Thank you for opening an issue. I'm not sure I understand the Cloud Run syntax of The format for volume mounts is:
Where
The logic for computing this is here. |
Hey @sethvargo!
I'm referencing https://github.com/google-github-actions/deploy-cloudrun and I used a pipe instead of what you did with I found that using the project id was not applying the mount to the function. Only the project number added the mount. No errors were displayed but the mount was not on the function. I suppose that could be a gcloud/api issue more so than an actions issue but I think the syntax you used here would be an improvement to the current error message. |
Hi @steveoh That Cloud Run syntax only applies to the gcloud CLI. The actual Cloud Run API requires a full secret version reference in the format The Secret Manager API accepts both project IDs and project numbers interchangeably. The API will always return project numbers in responses (even when given project IDs), but it accepts both and the most recent tests for that use case are passing. This action's integration tests also have a test and that secret uses a project ID. It would be helpful if you could provide a minimal action.yml that demonstrates the failed mounting. |
Are you saying that for the api surface of the function and run deploy actions to be similar the gcloud api would need to be consistent and building that consistency would need to happen in this action and would create the harmful security risk? Longest run on sentence ever. Here's a sample yml file that will exercise all of the permutations that should work. It will require a name: secret mounting
on:
workflow_dispatch:
jobs:
deploy-dev:
name: Deploy to GCF
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: ⬇️ Check out code
uses: actions/checkout@v3
- name: 🗝️ Authenticate to Google Cloud
uses: google-github-actions/auth@v0
with:
create_credentials_file: true
token_format: access_token
workload_identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
- name: full project id with version
uses: google-github-actions/deploy-cloud-functions@v0
with:
name: id-with-version
runtime: python38
entry_point: main
source_dir: .
deploy_timeout: 600
secret_volumes: /secrets/secrets.json=projects/${{secrets.PROJECT_ID}}/secrets/secrets/versions/1
- name: full project id with implied latest
uses: google-github-actions/deploy-cloud-functions@v0
with:
name: id-with-implied-version
runtime: python38
entry_point: main
source_dir: .
deploy_timeout: 600
secret_volumes: /secrets/secrets.json=projects/${{secrets.PROJECT_ID}}/secrets/secrets
- name: full project number with version
uses: google-github-actions/deploy-cloud-functions@v0
with:
name: number-with-version
runtime: python38
entry_point: main
source_dir: .
deploy_timeout: 600
secret_volumes: /secrets/secrets.json=projects/${{secrets.PROJECT_NUMBER}}/secrets/secrets/versions/1
- name: full project number with implied latest
uses: google-github-actions/deploy-cloud-functions@v0
with:
name: number-with-implied-version
runtime: python38
entry_point: main
source_dir: .
deploy_timeout: 600
secret_volumes: /secrets/secrets.json=projects/${{secrets.PROJECT_NUMBER}}/secrets/secrets
- name: partial project id with implied latest
uses: google-github-actions/deploy-cloud-functions@v0
with:
name: partial-project-with-implied-version
runtime: python38
entry_point: main
source_dir: .
deploy_timeout: 600
secret_volumes: /secrets/secrets.json=${{secrets.PROJECT_ID}}/secrets/secrets
- name: partial project number with implied latest
uses: google-github-actions/deploy-cloud-functions@v0
with:
name: partial-number-with-implied-version
runtime: python38
entry_point: main
source_dir: .
deploy_timeout: 600
secret_volumes: /secrets/secrets.json=${{secrets.PROJECT_NUMBER}}/secrets/secrets
I'm running it now to see for myself. Updateso far every single one (3/6 deployed) are working as expected. Must have been a glitch in the matrix yesterday. |
I'm saying two things:
From your update, it seems like things might be working now? |
I'm focused on workflows and the deploy cloud run workflow does not require a full secret resource id. for instance, this is acceptable - name: 🚀 Deploy to Cloud Run
id: deploy
uses: google-github-actions/deploy-cloudrun@v0
with:
service: api
image: gcr.io/${{ secrets.PROJECT_ID }}/api
region: us-central1
flags: |
--service-account=cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
secrets: |
/secrets/secrets.json=secrets:latest Does this pose a security risk? Did you already tell me it doesn't? Ha, where am I? Yes the secrets are mounting for the functions. I wonder if an IAM permission took longer to propagate. |
It poses a security risk if you're consuming an action like that, because the project ID would be interpreted as your project (instead of explicitly opting into that behavior).
IAM is eventually consistent, so that's possible. |
This is happening again now after adding a new secret. Is there some extraordinarily long delay between creating a new secret and being able to mount it to a function? |
I used the same test as before and newly created functions were mounted with both secrets while the existing function kept the original secret. Are we sure that all the secrets are removed for function deployments?
|
Hi @steveoh Without more information or a consistent reproduction case, it's difficult to diagnose. |
Can you publish a new function with a secret attached successfully? |
@steveoh yes - our integration tests specifically do this: deploy-cloud-functions/.github/workflows/integration.yml Lines 268 to 271 in 63c570d
|
@sethvargo is that an overwrite of an existing function or a new function? |
That's a new function each time. Is it only occurring on existing functions? |
@sethvargo Yes it is only occurring on existing functions.
You might add another test to cover this? |
I think I know what's going on then. I'll try to get a PR together tomorrow. |
TL;DR
Following the readme was not helpful when trying to mount a secret and I had to guess multiple iterations until getting it correct.
Expected behavior
I actually expected a similar behavior to cloud run where you would do
/mount/path=secretName:version|latest
Observed behavior
From the current docs...
I tried the full resource name
/my/mount=projects/my-projects-name/secrets/my-secret
The secret was not mounted. no error was displayed
From some old docs in #222
/my/mount=my-secret
This failed with the following and was expected since the current readme does not show these words any longer.
I used the project number instead of the project name
/my/mount=projects/1234/secrets/my-secret
This worked but looks different in the browser console from when I performed the same action manually in the console. It shows the link as
So, I would recommend updating
projects/p/secrets/s/versions/v
to something likeprojects/123/secrets/s/versions/1
to remove any confusion thatp
andv
are numbers and not text.Action YAML
Log output
No response
Additional information
No response
The text was updated successfully, but these errors were encountered: