Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

setting secrets can't contain unescaped '$' on cli

See original GitHub issue

Hi I found that I set secrets like

digdag secrets --local --set password=i_want_$50000
# or 
digdag secrets --local --set password # enter
password: i_want_$50000

and use it in dig file then these error occurs

java.lang.IllegalArgumentException: Illegal group reference
	at java.util.regex.Matcher.appendReplacement(Matcher.java:857)
	at io.digdag.util.UserSecretTemplate.replaceAll(UserSecretTemplate.java:64)
	at io.digdag.util.UserSecretTemplate.format(UserSecretTemplate.java:55)
	at io.digdag.core.agent.GrantedPrivilegedVariables.lambda$buildAccessor$1(GrantedPrivilegedVariables.java:62)
	at io.digdag.core.agent.GrantedPrivilegedVariables.get(GrantedPrivilegedVariables.java:81)
	at io.digdag.standards.operator.ShOperatorFactory.collectEnvironmentVariables(ShOperatorFactory.java:156)
	at io.digdag.standards.operator.ShOperatorFactory$ShOperator.runTask(ShOperatorFactory.java:111)
	at io.digdag.util.BaseOperator.run(BaseOperator.java:35)
	at io.digdag.core.agent.OperatorManager.callExecutor(OperatorManager.java:312)
	at io.digdag.cli.Run$OperatorManagerWithSkip.callExecutor(Run.java:694)
	at io.digdag.core.agent.OperatorManager.runWithWorkspace(OperatorManager.java:254)
	at io.digdag.core.agent.OperatorManager.lambda$runWithHeartbeat$2(OperatorManager.java:137)
	at io.digdag.core.agent.LocalWorkspaceManager.withExtractedArchive(LocalWorkspaceManager.java:25)
	at io.digdag.core.agent.OperatorManager.runWithHeartbeat(OperatorManager.java:135)
	at io.digdag.core.agent.OperatorManager.run(OperatorManager.java:119)
	at io.digdag.cli.Run$OperatorManagerWithSkip.run(Run.java:676)
	at io.digdag.core.agent.MultiThreadAgent.lambda$null$0(MultiThreadAgent.java:127)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

It can be avoided by setting with escaped form like this

digdag secrets --local --set password="i_want_\$50000"

but this is very useless, especially using masked input

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:5 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
hiroyuki-satocommented, Nov 22, 2017

Oh, I see, It seems a bug.

You can’t use $ character, until fix this issue.

Digdag: 0.9.20

Reproduce Dig file.

timezone: UTC

+test:
  sh>: env
  _env:
    PASSWORD: ${secret:password}

OK case

The password doesn’t contain $ character.

secrets --local --set password='i_want_50000'
digdag run -a fuga
...
PASSWORD=i_want_50000

NG Case

The password contains $ character.

digdag secrets --local --set password='i_want_$50000'
digdag run -a fuga
java.lang.IndexOutOfBoundsException: No group 5
	at java.util.regex.Matcher.start(Matcher.java:375)
	at java.util.regex.Matcher.appendReplacement(Matcher.java:880)
	at io.digdag.util.UserSecretTemplate.replaceAll(UserSecretTemplate.java:64)
	at io.digdag.util.UserSecretTemplate.format(UserSecretTemplate.java:55)
	at io.digdag.core.agent.GrantedPrivilegedVariables.lambda$buildAccessor$1(GrantedPrivilegedVariables.java:62)
	at io.digdag.core.agent.GrantedPrivilegedVariables.get(GrantedPrivilegedVariables.java:81)
	at io.digdag.standards.operator.ShOperatorFactory.collectEnvironmentVariables(ShOperatorFactory.java:156)
	at io.digdag.standards.operator.ShOperatorFactory$ShOperator.runTask(ShOperatorFactory.java:111)
	at io.digdag.util.BaseOperator.run(BaseOperator.java:35)
	at io.digdag.core.agent.OperatorManager.callExecutor(OperatorManager.java:312)
	at io.digdag.cli.Run$OperatorManagerWithSkip.callExecutor(Run.java:694)
	at io.digdag.core.agent.OperatorManager.runWithWorkspace(OperatorManager.java:254)
	at io.digdag.core.agent.OperatorManager.lambda$runWithHeartbeat$2(OperatorManager.java:137)
	at io.digdag.core.agent.LocalWorkspaceManager.withExtractedArchive(LocalWorkspaceManager.java:25)
	at io.digdag.core.agent.OperatorManager.runWithHeartbeat(OperatorManager.java:135)
	at io.digdag.core.agent.OperatorManager.run(OperatorManager.java:119)
	at io.digdag.cli.Run$OperatorManagerWithSkip.run(Run.java:676)
	at io.digdag.core.agent.MultiThreadAgent.lambda$null$0(MultiThreadAgent.java:127)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
0reactions
cafealcommented, Nov 22, 2017

sorry for my short explanation 🙄

my dig file, foo.dig, is like below

_export:
   db:
      password: ${secret:aws.db.password}
+bar:
   sh>: python script.py
   _env:
      DB_PASSWORD: ${db.password}

DB_PASSWORD is used in script.py

then, I set my secrets and run digdag like:

$ digdag secrets --local --set aws.db.password # enter
$ password: ・・・・・・・・  #=> i_want_$50000
$ digdag run --rerun foo.dig +bar

I use secrets for defining the environment variables through _export but I think it doesn’t matter

Read more comments on GitHub >

github_iconTop Results From Across the Web

Encrypted secrets - GitHub Docs
Encrypted secrets allow you to store sensitive information in your organization, repository, or repository environments.
Read more >
escaping characters when passing JSON to aws ...
I have tried to write a script that updates AWS secrets. Yes, the update-secret command already does this, but that will overwrite existing ......
Read more >
Secrets | Kubernetes
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such...
Read more >
Secrets management | New Relic Documentation
Use secrets variables in your New Relic infrastructure integration configuration to inject sensitive data that you don't want in your configuration files.
Read more >
Resolve Secrets Manager secret access errors after updating ...
Updating the AWS KMS key associated with a Secrets Manager secret using the AWS CLI doesn't re-encrypt current or previous versions of the ......
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

require operator does not honor past session's success/failure when retrying

Next page

digdag-ui can't display task log if a task-log store in an S3.