
I'm currently trying to set some GitHub Actions secrets, which are my AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

But I'm unable to get access to my AWS_SECRET_ACCESS_KEY by using the AccessKey.encryptedSecret method, even though I'm able to access AWS_ACCESS_KEY_ID or Region, or whatever other values.

This is my code:

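```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as github from "@pulumi/github";

// githubRepoName, iamUser and iamUserConfig are defined elsewhere (not shown in the question).

// Create a GitHub Actions secret named `secretName` in the repository.
const makeSecret = (secretName: string, value: pulumi.Input<string>) => (
    new github.ActionsSecret(
        secretName,
        {
            repository: githubRepoName,
            secretName,
            plaintextValue: value,
        }
    )
);

if (!iamUserConfig) {
    // Create an access key for the IAM user.
    const accessKey = new aws.iam.AccessKey("cra-ts-access-policy", {
        user: iamUser.name
    });

    // Wait for both outputs to resolve, then store them as GitHub Actions secrets.
    pulumi.all([accessKey.id, accessKey.encryptedSecret]).apply(([
        AWS_ACCESS_KEY_ID,
        AWS_SECRET_ACCESS_KEY
    ]) => {
        makeSecret('AWS_SECRET_ACCESS_KEY', AWS_SECRET_ACCESS_KEY);
        makeSecret('AWS_ACCESS_KEY_ID', AWS_ACCESS_KEY_ID);
    });
}
```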

I have tried different approaches in code, but still get the same result. I can run the `pulumi up` command without any issues, but when my GitHub workflow runs on push to master I get the following error:

```
'aws-secret-access-key' must be provided if 'aws-access-key-id' is provided
```

This is my .github/workflow/main.yml file:

```yaml
name: cra-ts
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '14'
      - name: Install
        run: npm install
      - name: Build
        run: npm run build

      - name: Configure AWS Creds
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - env:
          BUCKET_NAME: ${{ secrets.BUCKET_NAME }}
        run: aws s3 sync build/ s3://$BUCKET_NAME --delete
```

And this is my package.json:

```json
    "devDependencies": {
        "@types/node": "^14"
    },
    "dependencies": {
        "@pulumi/pulumi": "^3.22.1",
        "@pulumi/aws": "^4.34.0",
        "@pulumi/awsx": "^0.32.0",
        "@pulumi/github": "^4.9.1"
    }
```

I have been stuck on this for days. If you need more details, let me know so I can provide them. Appreciate the help. Thanks

Andres Urdaneta
  • I'm having the same problem. Did you have any luck with this? – Dimas Cyriaco Jul 31 '22 at 19:48
  • @DimasCyriaco my solution ended up looking like this:

    ```
    const accessKey = new aws.iam.AccessKey("cra-ts-access-key", {
        user: iamUser.name,
    });

    pulumi.all([accessKey.id, accessKey.secret]).apply(([
        AWS_ACCESS_KEY_ID,
        AWS_SECRET_ACCESS_KEY
    ]) => {
        makeSecret('AWS_SECRET_ACCESS_KEY', AWS_SECRET_ACCESS_KEY);
        makeSecret('AWS_ACCESS_KEY_ID', AWS_ACCESS_KEY_ID);
    });
    ```

    As you can see, I used `accessKey.secret` instead of `accessKey.encryptedSecret`. – Andres Urdaneta Aug 11 '22 at 18:01
