
secrets with random: '***' is not a valid secret name #524

Open
hfhbd opened this issue May 16, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@hfhbd

hfhbd commented May 16, 2024

TL;DR

--update-secrets ^05^keyID=***:latest05privateKey=***:latest => '***' is not a valid secret name.

Expected behavior

No response

Observed behavior

No response

Action YAML

name: CD

on:
  release:
    types: [ created ]
  schedule:
    - cron: '0 6 * * *'
  workflow_dispatch:

env:
  service_name: todo

concurrency:
  group: "cd"
  cancel-in-progress: false

jobs:
  googleRun:
    runs-on: ubuntu-latest
    permissions:
      id-token: write

    steps:
      - name: Get latest release
        id: setup-version
        uses: hfhbd/actions/setup-version@main
        with:
          token: ${{ github.token }}
      - uses: actions/checkout@v4
        with:
          ref: ${{ steps.setup-version.outputs.full-tag }}
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          project_id: ${{ secrets.PROJECT_ID }}
          workload_identity_provider: projects/963273362268/locations/global/workloadIdentityPools/github-deployment/providers/github
          service_account: github-todo@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v2
        with:
          service: ${{ env.service_name }}
          region: europe-west4
          image: europe-west4-docker.pkg.dev/${{ secrets.PROJECT_ID }}/composetodo-repo/${{ env.service_name }}:${{ steps.setup-version.outputs.version }}
          secrets: |
            keyID=${{ secrets.CK_KEYID }}:latest
            privateKey=${{ secrets.CK_KEY }}:latest

Log output

Run google-github-actions/deploy-cloudrun@v2
  with:
    service: todo
    region: europe-west4
    image: europe-west4-docker.pkg.dev/***/composetodo-repo/todo:0.0.41
    secrets: keyID=***:latest
  privateKey=***:latest
  
    skip_default_labels: false
    no_traffic: false
  env:
    service_name: todo
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/ComposeTodo/ComposeTodo/gha-creds-33a45cdbcb2f435a.json
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/ComposeTodo/ComposeTodo/gha-creds-33a45cdbcb2f435a.json
    GOOGLE_GHA_CREDS_PATH: /home/runner/work/ComposeTodo/ComposeTodo/gha-creds-33a45cdbcb2f435a.json
    CLOUDSDK_CORE_PROJECT: ***
    CLOUDSDK_PROJECT: ***
    GCLOUD_PROJECT: ***
    GCP_PROJECT: ***
    GOOGLE_CLOUD_PROJECT: ***
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/71b323e8-d3b0-40cc-9a62-5ce9234b7dca -f /home/runner/work/_temp/66d8a662-6068-461a-b4ac-0056398a651a
Successfully authenticated
Running: gcloud run deploy todo --image europe-west4-docker.pkg.dev/***/composetodo-repo/todo:0.0.41 --update-secrets ^05^keyID=***:latest05privateKey=***:latest --update-labels ^02^managed-by=github-actions02commit-sha=a8952870ead390b1b39073af77ec71f8e977cd3e --format json --region europe-west4
Error: google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command `gcloud run deploy todo --image europe-west4-docker.pkg.dev/***/composetodo-repo/todo:0.0.41 --update-secrets ^05^keyID=***:latest05privateKey=***:latest --update-labels ^02^managed-by=github-actions02commit-sha=a8952870ead390b1b39073af77ec71f8e977cd3e --format json --region europe-west4`: ERROR: (gcloud.run.deploy) '***' is not a valid secret name.

Additional information

No response

@hfhbd hfhbd added the bug Something isn't working label May 16, 2024
@sethvargo
Member

What is the value of ${{ secrets.CK_KEY }}? It's usually better to store the references as variables instead of secrets, so they show in the log output.

@hfhbd
Author

hfhbd commented May 17, 2024

What is the value of ${{ secrets.CK_KEY }}?

It is a base64 encoded X509 private key.

@sethvargo
Member

That's not how the secrets integration works. Secrets are stored in Google Secret Manager and then referenced by id (e.g. projects/my-project/secrets/my-secret).

@hfhbd
Author

hfhbd commented May 17, 2024

Well, it did work in the past and you mention it in the guide too:

Pass a secret using environment variables. Environment variables are resolved at instance startup time, so if you use this method, Google recommends that you pin the secret to a particular version rather than using latest.

BTW is there any action to write/update secrets from GitHub Actions to keep the secrets in the GitHub secrets store and not duplicate them in GCP too? There is https://github.com/google-github-actions/get-secretmanager-secrets to get a secret.

@sethvargo
Member

Sorry @hfhbd - we're talking about different things:

  1. To use the native Cloud Run secrets integration, the secrets must be stored in Google Secret Manager; you cannot pass raw secret material. When launching the Cloud Run service, you specify the identifier of a secret in Secret Manager (e.g. projects/my-project/secrets/my-secret). You can omit the project if the secret is in the same project as the Cloud Run service. It has never been possible to pass the raw contents of a secret.

  2. GitHub secrets are not at all related to Secret Manager secrets. You should not have secrets in two places, because that creates secret sprawl. As far as I know, there's nothing to synchronize secrets between GitHub and Secret Manager, because that is not a good security practice and violates the principle of least privilege.

Is there a reason that these secrets need to be stored in GitHub at all?
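The point made in this thread, as an added example that is not part of the issue or of the deploy-cloudrun action's code: each line of the `secrets` input must be `ENV_NAME=SECRET_REF:VERSION`, where `SECRET_REF` is a Secret Manager reference (a short secret id or `projects/<project>/secrets/<name>`), never the secret material itself. The validator below rejects the shape seen in the log (a GitHub secret holding base64 key material, which the runner masks as `***`) before anything is handed to gcloud, and builds the `--update-secrets` value using gcloud's documented `^DELIM^` escaping so that entries are not split on `,`. The secret ids, project name and the `|` delimiter are this example's own choices; the sample inputs are constructed.

```python
"""Validate a Cloud Run `secrets` input and build the gcloud --update-secrets value.

Added example, not code from google-github-actions/deploy-cloudrun. Secret ids,
project name and sample inputs below are constructed for illustration.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Secret Manager secret ids: 1-255 letters, digits, dashes, underscores.
SHORT_REF = re.compile(r"^[A-Za-z0-9_-]{1,255}$")
# Fully-qualified reference; the project may be an id or a numeric project number.
FULL_REF = re.compile(
    r"^projects/(?:[a-z][a-z0-9-]{4,28}[a-z0-9]|[0-9]+)/secrets/[A-Za-z0-9_-]{1,255}$"
)
VERSION = re.compile(r"^(latest|[1-9][0-9]*)$")
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass(frozen=True)
class SecretMount:
    env_name: str
    secret_ref: str
    version: str


class InvalidSecretEntry(ValueError):
    """Raised for an entry that is not a usable Secret Manager reference."""


def looks_like_key_material(ref: str) -> bool:
    """Heuristic: a base64 blob that decodes to a PEM block is raw key material,
    which can never be a Secret Manager reference."""
    try:
        decoded = base64.b64decode(ref + "=" * (-len(ref) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return b"-----BEGIN" in decoded


def parse_entry(entry: str) -> SecretMount:
    """Parse one ENV_NAME=SECRET_REF:VERSION entry, rejecting anything that is
    not a reference to a secret stored in Secret Manager."""
    env_name, sep, rest = entry.partition("=")
    if not sep:
        raise InvalidSecretEntry(f"missing '=' in {entry!r}")
    if not ENV_NAME.match(env_name):
        raise InvalidSecretEntry(f"{env_name!r} is not a valid environment variable name")
    ref, sep, version = rest.rpartition(":")
    if not sep:
        raise InvalidSecretEntry(f"missing ':VERSION' in {entry!r}")
    if not VERSION.match(version):
        raise InvalidSecretEntry(f"{version!r} is not 'latest' or a version number")
    if looks_like_key_material(ref):
        raise InvalidSecretEntry(
            f"{env_name}: value is base64 PEM material, not a Secret Manager reference"
        )
    if not (SHORT_REF.match(ref) or FULL_REF.match(ref)):
        # '***' is what the runner shows when a GitHub secret's *value* was pasted here.
        raise InvalidSecretEntry(
            f"{env_name}: {ref!r} is not a valid secret name; expected a secret id or "
            "projects/<project>/secrets/<name>"
        )
    return SecretMount(env_name, ref, version)


def validate_secrets_input(text: str) -> tuple[list[SecretMount], list[str]]:
    """Split the newline- or comma-separated input into validated mounts.
    Returns (mounts, errors); any error means the deploy must not proceed."""
    entries = [e.strip() for e in re.split(r"[\n,]", text) if e.strip()]
    mounts: list[SecretMount] = []
    errors: list[str] = []
    for entry in entries:
        try:
            mounts.append(parse_entry(entry))
        except InvalidSecretEntry as exc:
            errors.append(str(exc))
    return (mounts if not errors else []), errors


def update_secrets_flag(mounts: list[SecretMount], delimiter: str = "|") -> str:
    """Render the --update-secrets value with gcloud's ^DELIM^ escaping, using a
    delimiter that cannot appear in a reference instead of the default ','."""
    items = [f"{m.env_name}={m.secret_ref}:{m.version}" for m in mounts]
    if any(delimiter in item for item in items):
        raise ValueError(f"delimiter {delimiter!r} occurs inside an entry")
    return f"^{delimiter}^" + delimiter.join(items)


# Constructed samples: the first mirrors the shape in the issue's log, the second
# is the reference form the maintainer describes.
BROKEN_INPUT = "keyID=***:latest\nprivateKey=***:latest"
FIXED_INPUT = "keyID=ck-keyid:latest\nprivateKey=projects/my-project/secrets/ck-key:3"

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_INPUT), ("fixed", FIXED_INPUT)):
        mounts, errors = validate_secrets_input(text)
        print(label, errors or update_secrets_flag(mounts))
```

The regex checks only confirm that a value has the shape of a reference; a short base64 string made up purely of letters and digits would still pass, which is why the PEM heuristic is there as a second check. The practical fix for the workflow in this thread is to create the two secrets in Secret Manager and put their ids (as variables, not GitHub secrets, so they remain readable in the log) into the `secrets` input.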
