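We are implementing our CI/CD pipeline on AWS ELB using GitHub Actions. One of our workflows requests logs with the commands "aws elasticbeanstalk request-environment-info" and "aws elasticbeanstalk retrieve-environment-info". The problem is that when the GitHub agent gets the information from AWS, it hides the URL for fetching the logs in AWS.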

name: Request logs

env:
  EB_PACKAGE_S3_BUCKET_NAME: "s3bucket"
  EB_APPLICATION_NAME: "appname"
  AWS_REGION_NAME: "us-east-2"

# Controls when the workflow will run
on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      environment_name:
        type: choice
        description: Select the environment to get logs from
        required: true
        options:
          - app-dev
          - app-prod
      info_type:
        type: choice
        description: 100 last lines (tail) or full log (bundle)
        required: true
        options:
          - "tail"
          - "bundle"

jobs:
  RequestLogs:
    runs-on: ubuntu-latest
    steps:
      - name: Configure my AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.MY_AWS_ACCES_KEY }}
          aws-secret-access-key: ${{ secrets.MY_AWS_SECRET_KEY }}
          aws-region: ${{ env.AWS_REGION_NAME }}
      - name: Request logs
        # Backslashes continue the command across lines
        run: |
          aws elasticbeanstalk request-environment-info \
            --environment-name ${{ github.event.inputs.environment_name }} \
            --info-type ${{ github.event.inputs.info_type }}
      - name: Sleep for 30 seconds
        uses: jakejarvis/wait-action@master
        with:
          time: '30s'
      - name: Retrieve logs
        run: |
          aws elasticbeanstalk retrieve-environment-info \
            --environment-name ${{ github.event.inputs.environment_name }} \
            --info-type ${{ github.event.inputs.info_type }}

Expected response:

"EnvironmentInfo": [
    {
        "InfoType": "tail",
        "Ec2InstanceId": "intanceid",
        "SampleTimestamp": "date and time",
        "Message": "https://elasticbeanstalk-us-east-2-123456789.s3.us-east-2.amazonaws.com/resources/environments/logs/someHeaders"
    }

Actual response:

"EnvironmentInfo": [
    {
        "InfoType": "tail",
        "Ec2InstanceId": "intanceid",
        "SampleTimestamp": "date and time",
        "Message": "https://elasticbeanstalk-us-east-2-*******.s3.us-east-2.amazonaws.com/resources/environments/logs/someHeaders"
    }

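The GitHub agent thinks that the number (https://elasticbeanstalk-us-east-2-123456789) is a secret and hides it (https://elasticbeanstalk-us-east-2-*******), but we have no such secret in our GitHub settings. How can we see the full URL?

Since your AWS account ID is set as a secret, GitHub will automatically redact that string wherever it finds it in the Actions logs. More information, and some ways to work around it, can be found here.

Edit:
The action aws-actions/configure-aws-credentials masks the account ID by default. You can unmask it by passing the parameter mask-aws-account-id: false to the action. Here is a link to the relevant part of the schema.
Thanks @mpriscella

The answer is: aws configure credentials automatically hides your account ID (and possibly others).
There is a way to show it: add the parameter mask-aws-account-id: no (or, as @mpriscella mentioned, false instead of no):
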
steps:
  - name: Configure my AWS Credentials
    uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ secrets.MY_AWS_ACCES_KEY }}
      aws-secret-access-key: ${{ secrets.MY_AWS_SECRET_KEY }}
      aws-region: ${{ env.AWS_REGION_NAME }}
      mask-aws-account-id: no
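
The masking described in the answers above, as an added example that is not part of the original posts and is not the runner's or the action's own code: a simplified JavaScript model of how a mask registered at run time with the `::add-mask::` workflow command redacts the account ID wherever it appears in later log lines, even though no repository secret holds it. `RunnerLog`, `configureCredentials` and `runJob` are hypothetical names, and all sample values are constructed.

```javascript
// Simplified model of GitHub Actions log masking; not the runner's own code.
class RunnerLog {
  constructor(repoSecrets = []) {
    // Values of configured secrets are masked from the start of the job.
    this.masks = new Set(repoSecrets.filter((s) => s.length > 0));
    this.lines = [];
  }

  write(line) {
    const cmd = "::add-mask::";
    if (line.startsWith(cmd)) {
      // A step can register a new mask at run time with this workflow command.
      const value = line.slice(cmd.length);
      if (value.length > 0) this.masks.add(value);
      return; // this model does not keep the command line itself
    }
    this.lines.push(this.redact(line));
  }

  redact(line) {
    // Longest mask first, so a mask that contains another is replaced whole.
    const ordered = [...this.masks].sort((a, b) => b.length - a.length);
    return ordered.reduce((out, m) => out.split(m).join("***"), line);
  }
}

// Hypothetical stand-in for the credentials action: it learns the account ID
// from the credentials it configures and masks it unless told not to.
function configureCredentials(log, accountId, maskAccountId = true) {
  if (maskAccountId) log.write(`::add-mask::${accountId}`);
}

// Constructed sample values, shaped like the ones in the question.
const ACCOUNT_ID = "123456789";
const URL_LINE =
  '"Message": "https://elasticbeanstalk-us-east-2-123456789.s3.us-east-2.amazonaws.com/resources/environments/logs/someHeaders"';

function runJob(maskAccountId) {
  const log = new RunnerLog(["constructed-access-key", "constructed-secret-key"]);
  configureCredentials(log, ACCOUNT_ID, maskAccountId);
  log.write(URL_LINE);
  log.write("build 123456789 finished"); // unrelated text is redacted too
  return log.lines;
}

console.log(runJob(true).join("\n"));  // account ID replaced in both lines
console.log(runJob(false).join("\n")); // account ID visible in both lines
```

Because the mask is value-based and applies to the whole job, setting `mask-aws-account-id: false` exposes the account ID in every log line that contains it, not only in this URL.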