Destructive Overwrite: Exported emailProvider overwrites secret keys on Deploy
Description
```
> a0deploy --version
7.3.7
# needs testing in 7.5.*
```
Exported emailProvider config:
```yaml
emailProvider:
  name: ses
  credentials:
    accessKeyId: '##SES_ACCESS_KEY_ID##'
    secretAccessKey: '##SES_ACCESS_SECRET_KEY##'
    region: my-region-1
  default_from_address: me@domain.com
  enabled: true
```
Deploying the config clobbered the accessKeyId and secretAccessKey on our tenants.
Reproduction
- Configure an SES email provider in your environment, include secret/keys
- Export the environment
- Check the emailProvider config, and note the values ‘##SES_ACCESS_KEY_ID##’, ‘##SES_ACCESS_SECRET_KEY##’
- Without setting up AUTH0_KEYWORD_REPLACE_MAPPINGS, deploy the config
- Note that the email provider no longer functions, and needs its secret/keys reset
Environment
Please provide the following:
- Version of this library used: 7.3.7
workaround?
As a work-around, could you please clarify the best way to use the keyword replace mappings to replace the ‘##SES_ACCESS_KEY_ID##’ strings with an Env Variable at runtime? We cannot easily add the value to the config.json, but our CI/CD system does allow for securely injecting values into Env variables at runtime.
The documentation here https://auth0.com/docs/deploy-monitor/deploy-cli-tool/environment-variables-and-keyword-mappings is not completely clear.
Given config.json:
```json
...
"AUTH0_KEYWORD_REPLACE_MAPPINGS": {
  "SES_ACCESS_KEY_ID": "use local env",
  "SES_ACCESS_SECRET_KEY": "use local env"
} ...
```
and
```
> export SES_ACCESS_KEY_ID='my-ses-access-key'
> export SES_ACCESS_SECRET_KEY='my-ses-access-secret'
```
Will the environment variable’s value ‘my-ses-access-key’ be used to replace ‘##SES_ACCESS_KEY_ID##’ in the config, or will it use the “use local env” string from the config.json file?
Issue Analytics
- Created 2 years ago
- Comments: 5 (3 by maintainers)
It perplexes me why the CLI tool literally doesn’t touch any other secrets by default, however for SES secrets it thinks it’s okay to interfere? 🤔 The fact that it is wholly undocumented, save for fairly innocuous mentions here:
https://auth0.com/docs/deploy/deploy-cli-tool/import-export-tenant-configuration-to-yaml-file#example-configuration-file
https://auth0.com/docs/deploy/deploy-cli-tool/import-export-tenant-configuration-to-directory-structure#example-configuration-file
is also quite frustrating. This fact prompted me to submit https://github.com/auth0/auth0-deploy-cli/issues/392 😃
A pre-import check to ensure that all designated keywords have been replaced has been added to v7.14.0. I’m also hoping that the documentation mentioned above will help folks navigate through similar situations; we certainly want to prevent as many unintentional destructive changes as we can. Otherwise, I don’t believe there is anything actionable here, so I’m going to close this out.
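A pre-deploy guard for CI in the spirit of the pre-import check mentioned above, as an added example that is not code from auth0-deploy-cli or from this issue: it scans an exported config for `##KEY##` placeholders (and the CLI's `@@KEY@@` form, which this page does not show) that have no usable entry in the mappings object. The function names and the sample mapping value are assumptions of this example.

```javascript
// Added example: a CI guard, not auth0-deploy-cli's own code.
// Matches both placeholder syntaxes: ##KEY## (string) and @@KEY@@ (JSON value).
const PLACEHOLDER = /##([A-Za-z0-9_]+)##|@@([A-Za-z0-9_]+)@@/g;

// List every placeholder in an exported config with its 1-based line number.
function findPlaceholders(text) {
  const found = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(PLACEHOLDER)) {
      found.push({ key: m[1] || m[2], line: i + 1 });
    }
  });
  return found;
}

// Placeholders with no usable mapping; these would be deployed as literal text.
function unreplacedKeywords(text, mappings = {}) {
  return findPlaceholders(text).filter(({ key }) => {
    const has = Object.prototype.hasOwnProperty.call(mappings, key);
    return !has || mappings[key] === null || mappings[key] === '';
  });
}

// Throw before deploy if any placeholder would reach the tenant unreplaced.
function assertSafeToDeploy(text, mappings) {
  const missing = unreplacedKeywords(text, mappings);
  if (missing.length > 0) {
    const detail = missing.map((p) => `${p.key} (line ${p.line})`).join(', ');
    throw new Error(`Unreplaced keywords, refusing to deploy: ${detail}`);
  }
  return true;
}

// Constructed sample: the exported emailProvider block from this issue.
const SAMPLE_YAML = [
  'emailProvider:',
  '  name: ses',
  '  credentials:',
  "    accessKeyId: '##SES_ACCESS_KEY_ID##'",
  "    secretAccessKey: '##SES_ACCESS_SECRET_KEY##'",
  '    region: my-region-1',
].join('\n');

// Only one of the two keys is mapped, so the other is reported.
console.log(unreplacedKeywords(SAMPLE_YAML, { SES_ACCESS_KEY_ID: 'constructed-value' }));
```

Run `assertSafeToDeploy` on each exported file as a CI step ahead of the deploy, so a missing mapping fails the pipeline instead of overwriting the tenant's stored credentials.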