【Question title】: Calling secrets with the same name but from different environments in GitHub
【Posted】: 2022-01-24 00:27:41
【Question】:

I am setting up a pipeline that needs different access key IDs, one for dev and one for prod, and I am trying to call them from secrets:

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ needs.setup.outputs.AWS_REGION }}

But it seems it can only use the secrets from one environment. What changes can I make so that different environments use different secrets? This is what my environment variables look like right now.

Here is my full yml file:

name: 'Manual - Build & Deploy - Enterprise'

on:
  push:
    branches-ignore:
      - '**'

  workflow_dispatch:
    inputs:
      git-ref:
        description: Git Ref (Optional)
        default: develop
        required: false

      account:
        description: slb-dev, slb-prod
        default: slb-dev
        required: true

      environment:
        description: development (main, int, qs), production (v1_demo, v1_rosecity, demo)
        default: main
        required: false

      microservice:
        description: chroma, liquid, tenant, dashboard, lims, lims-simulator, client, logging, metrc
        default: chroma
        required: false

      builddir:
        description: MicroChromatographyService/MicroChromatographyService, MicroLiquidHandlingService/MicroLiquidHandlingService, MicroTenantService/MicroTenantService, MicroDashboardService/MicroDashboardService, LIMSIntegrationService/LIMSIntegrationService, LIMSSimulatorService/LIMSSimulatorService, IntegrationHubClientService/IntegrationHubClientService, PerkinElmer.LoggingService/PerkinElmer.LoggingService, MetRCReportService/MetRCReportService
        default: MicroChromatographyService/MicroChromatographyService
        required: false

jobs:
  setup:
    name: Setup ENV Variables
    runs-on: ubuntu-latest
    environment:
     name: dev
     url: https://dev.test.com
    steps:

    - name: Set Vars
      id: setvars
      run: |
          echo "::set-output name=APP_NAME::${{ github.event.inputs.microservice }}"
          echo "::set-output name=AWS_REGION::us-east-1"
          echo "::set-output name=SHA8::$(echo ${{ github.sha }} | cut -c1-8)"
          echo "::set-output name=BUILD_DIR::${{ github.event.inputs.builddir }}"
          echo "::set-output name=ECR_REPOSITORY::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
          echo "::set-output name=ECS_CLUSTER::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}"
          echo "::set-output name=ECS_SERVICE::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
          echo "::set-output name=ECS_TASK_DEFINITION::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
          echo "::set-output name=ECS_TASK_DEFINITION_FILE::task-definition-${{ github.event.inputs.microservice }}.json"
          echo "::set-output name=ECS_CONTAINER_NAME::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"

    outputs:
      APP_NAME: ${{ steps.setvars.outputs.APP_NAME }}
      AWS_REGION: ${{ steps.setvars.outputs.AWS_REGION }}
      SHA8: ${{ steps.setvars.outputs.SHA8 }}
      BUILD_DIR: ${{ steps.setvars.outputs.BUILD_DIR }}
      ECR_REPOSITORY: ${{ steps.setvars.outputs.ECR_REPOSITORY }}
      ECS_CLUSTER: ${{ steps.setvars.outputs.ECS_CLUSTER }}
      ECS_SERVICE: ${{ steps.setvars.outputs.ECS_SERVICE }}
      ECS_TASK_DEFINITION: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION }}
      ECS_TASK_DEFINITION_FILE: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION_FILE }}
      ECS_CONTAINER_NAME: ${{ steps.setvars.outputs.ECS_CONTAINER_NAME }}
      

  DeployDev:
    name: Deploy to Dev 
    needs: setup
    runs-on: ubuntu-latest
    permissions:
     packages: write
     contents: write
     id-token: write
    environment: 
      name: dev
      url: 'http://dev.myapp.com'
    steps:
    - name: Set Environments
      run: |
        if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
          echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
          echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
        fi

        if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
          echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
          echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
        fi

    - name: Clone Repository (Current branch)
      uses: actions/checkout@v2
      if: github.event.inputs.git-ref == ''

    - name: Clone Repository (Custom Ref)
      uses: actions/checkout@v2
      if: github.event.inputs.git-ref != ''
      with:
        ref: ${{ github.event.inputs.git-ref }}

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ needs.setup.outputs.AWS_REGION }}

    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1

    - name: Build, tag, and push image to Amazon ECR
      id: build-image
      env:
        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
        IMAGE_TAG: ${{ github.sha }}
      run: |
        cd ${{ needs.setup.outputs.BUILD_DIR }}
        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
        echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

    - name: Download task definition
      run: |
        aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}

    - name: Fill in the new image ID in the Amazon ECS task definition
      id: task-def
      uses: aws-actions/amazon-ecs-render-task-definition@v1
      with:
        task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
        container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
        image: ${{ steps.build-image.outputs.image }}

    - name: Deploy Amazon ECS task definition
      uses: aws-actions/amazon-ecs-deploy-task-definition@v1
      with:
        task-definition: ${{ steps.task-def.outputs.task-definition }}
        service: ${{ needs.setup.outputs.ECS_SERVICE }}
        cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
        wait-for-service-stability: true


  DeployProd:
    name: Deploy to Production 
    needs: [DeployDev]
    runs-on: ubuntu-latest
    permissions:
     packages: write
     contents: write
     id-token: write
    environment: 
      name: Production
      url: 'http://www.myapp.com'
    steps:
    - name: Set Environments
      run: |
        if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
          echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
          echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
        fi

        if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
          echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
          echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
        fi

    - name: Clone Repository (Current branch)
      uses: actions/checkout@v2
      if: github.event.inputs.git-ref == ''

    - name: Clone Repository (Custom Ref)
      uses: actions/checkout@v2
      if: github.event.inputs.git-ref != ''
      with:
        ref: ${{ github.event.inputs.git-ref }}

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}         
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ needs.setup.outputs.AWS_REGION }}

    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1

    - name: Build, tag, and push image to Amazon ECR
      id: build-image
      env:
        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
        IMAGE_TAG: ${{ github.sha }}
      run: |
        cd ${{ needs.setup.outputs.BUILD_DIR }}
        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
        echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

    - name: Download task definition
      run: |
        aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}

    - name: Fill in the new image ID in the Amazon ECS task definition
      id: task-def
      uses: aws-actions/amazon-ecs-render-task-definition@v1
      with:
        task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
        container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
        image: ${{ steps.build-image.outputs.image }}

    - name: Deploy Amazon ECS task definition
      uses: aws-actions/amazon-ecs-deploy-task-definition@v1
      with:
        task-definition: ${{ steps.task-def.outputs.task-definition }}
        service: ${{ needs.setup.outputs.ECS_SERVICE }}
        cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
        wait-for-service-stability: true

【Comments】:

  • I notice that for the dev environment name field you are using dev instead of Dev. Since your repository environments are named Dev and Production, that could explain your problem (if the workflow in the Production environment works as expected).
  • Even though I am using a similar workaround, why not split the yaml file in two? One yml file would be called dev.yml and the other prod.yml. When a feature or a push happens on dev/feature, configure dev.yml to run; when a pull request or feature is merged into, say, the main branch, configure prod.yml to run. This way you modularise your GitHub actions, which also makes them easy to edit instead of combining everything into one. The key is configuring the .yml to trigger on the dev and main branches, that is the important part. Let me know if you like this idea, I would be happy to help you with the yml configuration.
  • Do you think that if I change the Environment name from dev to Dev it should be able to get the secrets from that specific Environment? I am not sure whether it will run in production, since we can't get past Dev in the first place, but I will check.
  • Thanks @JatinMehrotra, I think splitting the YAML files is actually a good idea and I could definitely use some help setting it up.
  • Posted an answer that will help you split your Github actions by stage, which makes complex actions and per-stage logic easy to manage. It should solve the problem.

Tags: amazon-web-services github github-actions amazon-ecs
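The point the question turns on is that environment secrets are scoped to the job's `environment:`; if both the `dev` and `Production` environments define a secret called `AWS_ACCESS_KEY_ID`, `secrets.AWS_ACCESS_KEY_ID` resolves to whichever environment the job declares, so the if/else over `env.*_DEV` / `env.*_PROD` is unnecessary. The workflow below is an added example, not the asker's or the answerer's file; it reuses the `account` input and the `dev` / `Production` environment names from the question, and the secret name `AWS_ROLE_ARN` in the OIDC variant is an assumption.

```yaml
# Added example (not the asker's or answerer's workflow): a single deploy job
# whose `environment:` is chosen from the workflow_dispatch input, so the same
# secret names resolve to the dev or Production environment's values.
# Assumptions: environments named `dev` and `Production` exist (as on the page)
# and each defines its own AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, or, for
# the OIDC variant, its own AWS_ROLE_ARN (an assumed secret name).
name: 'Manual - Build & Deploy - Enterprise'

on:
  workflow_dispatch:
    inputs:
      account:
        description: slb-dev, slb-prod
        default: slb-dev
        required: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Environment secrets are only injected into jobs that declare the
    # environment; the expression selects Production for the prod account only.
    environment:
      name: ${{ github.event.inputs.account == 'slb-prod' && 'Production' || 'dev' }}
    permissions:
      id-token: write   # needed only for the OIDC variant below
      contents: read
    steps:
      - uses: actions/checkout@v2

      # Variant A: long-lived keys stored as environment secrets. The names are
      # identical in both environments; the job's environment decides which
      # value is injected, so no shell if/else on the input is needed.
      - name: Configure AWS credentials (environment-scoped keys)
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      # Variant B (preferred): no static keys at all. Each environment stores
      # only the ARN of the role that GitHub's OIDC provider may assume for that
      # account. Use either A or B in a real workflow, not both.
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
```

Protection rules (required reviewers, branch restrictions) attached to the `Production` environment also apply automatically with this layout, which the shell if/else approach in the question bypasses.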


【Answer 1】:

This is how I dedicate my actions to production and to the other stages (dev and feature requests as well). The GA below also demonstrates how to use the aws actions with the current OIDC feature once everything has been configured for OIDC. (Your GA logic will of course differ.)

For any commit: the key here is that a push on any branch except main triggers this action. Here I am configuring local sls and running the ITG tests, then deploying to the dev stage.

name: For All commits

on:
  push:
    branches-ignore: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    strategy:
      matrix:
        node-version: [16.x]
        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/

    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v2
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
          cache-dependency-path: ./backend-operations/package-lock.json
  
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ap-southeast-1
          role-to-assume: ${{secrets.ROLE_ARN}}
      - run: npm ci
        working-directory: ./backend-operations
      - name: Install Serverless Framework
        run: npm install -g serverless
      - name: Install dynamodb local using plugin
        run: |
          serverless plugin install --name serverless-dynamodb-local
          sls dynamodb install
        working-directory: ./backend-operations
      - name: Serverless Authentication
        run: sls config credentials --provider aws --key ${{ env.AWS_ACCESS_KEY_ID }} --secret ${{ env.AWS_SECRET_ACCESS_KEY }}
      - run: npm run build --if-present
        working-directory: ./backend-operations
      - name: Start local sls env
        run: npm run start-local-sls &
        working-directory: ./backend-operations
      - name: Run Integration Tests
        run: |
          sleep 30
          npm run test-itg
        working-directory: ./backend-operations
      - name: Deploy to AWS
        run: serverless deploy --stage dev --verbose
        working-directory: './backend-operations'

For production: the key here is that this GA is triggered only on a push to the main branch. In your case you would need one copy for the main branch and one for the develop branch.

name: Production-Deployment

on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    strategy:
      matrix:
        node-version: [16.x]
        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/

    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v2
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
          cache-dependency-path: ./backend-operations/package-lock.json
 
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ap-southeast-1
          role-to-assume: ${{secrets.ROLE_ARN}}
      - run: npm ci
        working-directory: ./backend-operations
      - name: Install Serverless Framework
        run: npm install -g serverless
      - name: Serverless Authentication
        run: sls config credentials --provider aws --key ${{ env.AWS_ACCESS_KEY_ID }} --secret ${{ env.AWS_SECRET_ACCESS_KEY }}
      - name: Deploy to AWS
        run: serverless deploy --stage prod --verbose
        working-directory: './backend-operations'
      
