short plank
Hi together,
this line of code:
const credsFile = containerWithCredsFile.file("/tmp/aws_creds.json")
Will always print the following:
File.contents: String!
29 : β [0.0s] | {"Version":1,"AccessKeyId":"
It always prints the whole content of the aws config file.
How Can i make sure that this is not printed? Tried already some stuff.
Thank you in advance
livid pelican
π Hi @short plank, I'm not sure how you are passing the file to the module, but you can pass files as secrets to avoid this exact scenario: https://docs.dagger.io/api/arguments/#host-secret-providers
In this case you would call the function with the secret using this syntax:
dagger call func-name --credentials=file:///tmp/aws_creds.json
i declared a function that authenticates against aws and pass the container to a different function to reuse the authentication
i run the dagger function by calling
dagger run npx tsx main.ts
is there any other way?
livid pelican
Ah ok, so you are not using Dagger as a Typescript module like the documentation shows the setup here? https://docs.dagger.io/api/custom-functions?sdk=typescript
It sounds like you are using Dagger through what we call custom applications: https://docs.dagger.io/api/sdk/#custom-applications
Can you share a snippet of main.ts?
Also, once you have those credentials, you can make them a secret string to pass to other functions as a secret with let accessKey = dag.setSecret("ACCESS_KEY", "value")
short plank
yeah sure, one sec.
import { connection } from "@dagger.io/dagger";
import { authenticateAWS, build } from "cicd";
await connection(() =>
authenticateAWS()
.then(build)
.then(() => {}),
);
return containerWithCredsFile
.withSecretVariable("AWS_ACCESS_KEY_ID", dag.setSecret("aws-access-key-id", JSON.parse(await credsFile.contents()).AccessKeyId))
.withSecretVariable("AWS_SECRET_ACCESS_KEY", dag.setSecret("aws-secret-access-key",JSON.parse(await credsFile.contents()).SecretAccessKey))
.withSecretVariable("AWS_SESSION_TOKEN", dag.setSecret("aws-session-token", JSON.parse(await credsFile.contents()).SessionToken))
.withEnvVariable("AWS_DEFAULT_REGION", region)
}
I already pass them as a secret, and that works.
livid pelican
Not related, but might be worth hoisting await credsFile.contents() to running only once and assigning it as a variable when using dag.setSecret.
With that code, you are still seeing the contents printed to the output? Is there a change the authenticateAWS function is printing the contents of that file?
Also, do you have your CLI hooked up to Dagger Cloud so I can view a trace for debugging?
short plank
it was the same with contents()...
the last try i had was with the await cheat inside of setSecret
fossil shoal
Hi together,
this line of code:
`const credsFile = containerWithCredsFile.fil...
Have you tried to make the credential a Dagger Secret type?
So a Container withSecretVariable() (string secret env var) or withMountedSecret() (file) or use a Secret param when building the Container?
void pike
Hi together,
this line of code:
`const credsFile = containerWithCredsFile.fil...
@short plank there's no current way to safely create a dagger.Secret from something that runs within dagger containers. How are you currently obtaining the aws_creds.json file? I think the best thing to do here is to find a way so you can generate / retrieve that file outside a Dagger container
I'd like to understand more what credentials you're currently supplying to Dagger and what command you're running in a container to obtain the aws_creds.json file π
short plank
.withExec([
"bash", "-c",
`
curl -fsSL https://rolesanywhere.amazonaws.com/releases/${awsHelperVersion}/X86_64/Linux/aws_signing_helper -o /usr/local/bin/aws_signing_helper
chmod +x /usr/local/bin/aws_signing_helper
echo -n "$CERTIFICATE" > iam.crt
echo "$PRIVATE_KEY" > private.key
aws_signing_helper credential-process \
--certificate iam.crt \
--private-key private.key \
--trust-anchor-arn "$TRUST_ANCHOR_ARN" \
--profile-arn "$PROFILE_ARN" \
--role-arn "$ROLE_ARN" > /tmp/aws_creds.json
rm -f iam.crt private.key
`
])
This is how I create the /tmp/aws_creds.json
For me it would be more than perfect, to give executions something like a silent: trueoption to make sure it is not writing anything in the console.
Or the .file() method
short plank
I mean i could create that file outside of the dagger function and use the azure pipeline script itself, but I want to make sure to create everything inside the dagger function because we want to get rid of 29084345 lines of azure pipeline code that no one can maintane
short plank
right now, im trying to encrypt the file before reading contents and decrypt it when writing into the secret...
void pike
right now, im trying to encrypt the file before reading contents and decrypt it ...
yes, that works. Just make sure to remove the source file after encripting within the same WithExec block so it's not stored in the Dagger cache
short plank
you mean this echo "$CREDS_JSON" | openssl enc -aes-256-cbc -K "$ENCRYPTION_KEY" -iv "$ENCRYPTION_IV" -a -out /tmp/aws_creds.enc
should be rm -f in a later step
so rm -f /tmp/aws_creds.enc
i kind a feel dirty now, but it worked.
The output looks like this now:
dagger run npx tsx main.ts
30 : β Container.file DONE [20.0s]
37 : β File.contents: String!
37 : β File.contents DONE [0.0s]
37 : β [0.0s] | Q+MokIIryFQSXsugAdYgW0kAvAg+ndUAipYGx8QEuelXCa2pE1nnNqDZqytt+adq
37 : β [0.0s] | oz0ndEIPrz7hKzOa0w5hTVHF+CV0XwMr9BCZR7sP3DfV07gq2nSWjp3MAGMG/7MM
37 : β [0.0s] | hmykT0jSe+7NVIMw1fgZ4qEi6/GUdoMFhXQRu2XXT7xJ1NcwL7VUZ8RYzqh12lnF
37 : β [0.0s] | y2pHGSfB94or39SE5DsKUWN9Bqi1+vrdDlwJ1+UDGmOhJ/uKib7L97P2p61i8G3t
37 : β [0.0s] | /JNmG2RLLUBlmyJf8eWwFzv5/QJirGiH+wsEiYV5NoTUGmjltEOtvlwaYqEhIeoV
removing the encrypted file should not be necessary
I was referring to the source file
where's $CREDS_JSON coming from?
@short plank having said that, this deserves an issue since it's a valid use-case
short plank
ill open one. thank you
CREDS_JSON=$(aws_signing_helper credential-process
--certificate iam.crt
--private-key private.key
--trust-anchor-arn "$TRUST_ANCHOR_ARN"
--profile-arn "$PROFILE_ARN"
--role-arn "$ROLE_ARN")
The creds json is created in the bash script
short plank
