[英]Calling secrets with the same name but from different environments in GitHub
我正在建立一個需要不同訪問密鑰 ID 的管道,一個用於開發,一個用於生產,我試圖從秘密中調用它:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ needs.setup.outputs.AWS_REGION }}
但它似乎只使用一個環境中的密鑰,我可以進行哪些更改以在不同環境中使用不同的密鑰? 這就是我的環境變量現在的樣子。
這是我完整的 yml 文件:
name: 'Manual - Build & Deploy - Enterprise'
on:
push:
branches-ignore:
- '**'
workflow_dispatch:
inputs:
git-ref:
description: Git Ref (Optional)
default: develop
required: false
account:
description: slb-dev, slb-prod
default: slb-dev
required: true
environment:
description: development (main, int, qs), production (v1_demo, v1_rosecity, demo)
default: main
required: false
microservice:
description: chroma, liquid, tenant, dashboard, lims, lims-simulator, client, logging, metrc
default: chroma
required: false
builddir:
description: MicroChromatographyService/MicroChromatographyService, MicroLiquidHandlingService/MicroLiquidHandlingService, MicroTenantService/MicroTenantService, MicroDashboardService/MicroDashboardService, LIMSIntegrationService/LIMSIntegrationService, LIMSSimulatorService/LIMSSimulatorService, IntegrationHubClientService/IntegrationHubClientService, PerkinElmer.LoggingService/PerkinElmer.LoggingService, MetRCReportService/MetRCReportService
default: MicroChromatographyService/MicroChromatographyService
required: false
jobs:
setup:
name: Setup ENV Variables
runs-on: ubuntu-latest
environment:
name: dev
url: https://dev.test.com
steps:
- name: Set Vars
id: setvars
run: |
echo "::set-output name=APP_NAME::${{ github.event.inputs.microservice }}"
echo "::set-output name=AWS_REGION::us-east-1"
echo "::set-output name=SHA8::${{ github.sha }} | cut -c1-8)"
echo "::set-output name=BUILD_DIR::${{ github.event.inputs.builddir }}"
echo "::set-output name=ECR_REPOSITORY::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
echo "::set-output name=ECS_CLUSTER::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}"
echo "::set-output name=ECS_SERVICE::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
echo "::set-output name=ECS_TASK_DEFINITION::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
echo "::set-output name=ECS_TASK_DEFINITION_FILE::task-definition-${{ github.event.inputs.microservice }}.json"
echo "::set-output name=ECS_CONTAINER_NAME::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
outputs:
APP_NAME: ${{ steps.setvars.outputs.APP_NAME }}
AWS_REGION: ${{ steps.setvars.outputs.AWS_REGION }}
SHA8: ${{ steps.setvars.outputs.SHA8 }}
BUILD_DIR: ${{ steps.setvars.outputs.BUILD_DIR }}
ECR_REPOSITORY: ${{ steps.setvars.outputs.ECR_REPOSITORY }}
ECS_CLUSTER: ${{ steps.setvars.outputs.ECS_CLUSTER }}
ECS_SERVICE: ${{ steps.setvars.outputs.ECS_SERVICE }}
ECS_TASK_DEFINITION: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION }}
ECS_TASK_DEFINITION_FILE: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION_FILE }}
ECS_CONTAINER_NAME: ${{ steps.setvars.outputs.ECS_CONTAINER_NAME }}
DeployDev:
name: Deploy to Dev
needs: setup
runs-on: ubuntu-latest
permissions:
packages: write
contents: write
id-token: write
environment:
name: dev
url: 'http://dev.myapp.com'
steps:
- name: Set Environments
run: |
if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
fi
if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
fi
- name: Clone Repository (Current branch)
uses: actions/checkout@v2
if: github.event.inputs.git-ref == ''
- name: Clone Repository (Custom Ref)
uses: actions/checkout@v2
if: github.event.inputs.git-ref != ''
with:
ref: ${{ github.event.inputs.git-ref }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ needs.setup.outputs.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
IMAGE_TAG: ${{ github.sha }}
run: |
cd ${{ needs.setup.outputs.BUILD_DIR }}
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Download task definition
run: |
aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ needs.setup.outputs.ECS_SERVICE }}
cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
wait-for-service-stability: true
DeployProd:
name: Deploy to Production
needs: [DeployDev]
runs-on: ubuntu-latest
permissions:
packages: write
contents: write
id-token: write
environment:
name: Production
url: 'http://www.myapp.com'
steps:
- name: Set Environments
run: |
if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
fi
if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
fi
- name: Clone Repository (Current branch)
uses: actions/checkout@v2
if: github.event.inputs.git-ref == ''
- name: Clone Repository (Custom Ref)
uses: actions/checkout@v2
if: github.event.inputs.git-ref != ''
with:
ref: ${{ github.event.inputs.git-ref }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ needs.setup.outputs.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
IMAGE_TAG: ${{ github.sha }}
run: |
cd ${{ needs.setup.outputs.BUILD_DIR }}
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Download task definition
run: |
aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ needs.setup.outputs.ECS_SERVICE }}
cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
wait-for-service-stability: true
因此,這就是我專門針對生產和其他階段(也包括開發和其他功能請求)拆分我的操作的方式。 以下 GA 還演示了在為 OIDC 配置所有內容后,如何將 aws 操作與當前的 OIDC 功能一起使用。 (當然你對 GA 的邏輯會有所不同)
對於任何提交,關鍵是在除 main 之外的任何分支上的任何推送上都會觸發此操作。 .這里我正在配置本地 sls 並運行 ITG 測試,然后部署到開發階段
name: For All commits
on:
push:
branches-ignore: [main]
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
strategy:
matrix:
node-version: [16.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v2
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
cache-dependency-path: ./backend-operations/package-lock.json
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@master
with:
aws-region: ap-southeast-1
role-to-assume: ${{secrets.ROLE_ARN}}
- run: npm ci
working-directory: ./backend-operations
- name: Install Serverless Framework
run: npm install -g serverless
- name: Install dynamodb local using plugin
run: |
serverless plugin install --name serverless-dynamodb-local
sls dynamodb install
working-directory: ./backend-operations
- name: Serverless Authentication
run: sls config credentials --provider aws --key ${{ env.AWS_ACCESS_KEY_ID }} --secret ${{ env.AWS_SECRET_ACCESS_KEY }}
- run: npm run build --if-present
working-directory: ./backend-operations
- name: Start local sls env
run: npm run start-local-sls &
working-directory: ./backend-operations
- name: Run Integration Tests
run: |
sleep 30
npm run test-itg
working-directory: ./backend-operations
- name: Deploy to AWS
run: serverless deploy --stage dev --verbose
working-directory: './backend-operations'
對於生產,這里的關鍵是在您的情況下,此 GA 將僅在主分支上推送時觸發,您需要為主分支復制一個,為開發分支復制一個
name: Production-Deployment
on:
push:
branches: [main]
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
strategy:
matrix:
node-version: [16.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v2
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
cache-dependency-path: ./backend-operations/package-lock.json
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@master
with:
aws-region: ap-southeast-1
role-to-assume: ${{secrets.ROLE_ARN}}
- run: npm ci
working-directory: ./backend-operations
- name: Install Serverless Framework
run: npm install -g serverless
- name: Serverless Authentication
run: sls config credentials --provider aws --key ${{ env.AWS_ACCESS_KEY_ID }} --secret ${{ env.AWS_SECRET_ACCESS_KEY }}
- name: Deploy to AWS
run: serverless deploy --stage prod --verbose
working-directory: './backend-operations'
Kube.netes secrets 和 AWS Secrets Manager - 將不同的 ARN 放入同一個文件中?
[英]Kubernetes secrets and AWS Secrets Manager - put different ARNs into the same file?
秘密不會從 github 動作秘密傳遞到 github 動作中的可重用工作流
[英]Secrets doesnt pass from github action secrets to reusable workflow in github actions
從 Lambda 函數調用 AWS 機密管理器時出現 CORS 問題
[英]CORS issues when calling AWS secrets manager from Lambda function
spring boot +從不同的AWS賬戶加載秘密管理器秘密
[英]spring boot + load secret manager secrets from different AWS account
在具有不同VPC的不同環境中使用相同AWS賬戶的缺點是什么?
[英]what's the drawback of using same AWS account in different environments with different VPC?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.