
Commit 6165aff

authored
fix: mask secrets in agent execution logs (#32)
* fix: mask secrets in agent execution logs * keep the variable names the same
1 parent 309d5c1 commit 6165aff

1 file changed

Lines changed: 19 additions & 5 deletions

File tree

  • strands-command/actions/strands-agent-runner

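--- a/strands-command/actions/strands-agent-runner/action.yml
+++ b/strands-command/actions/strands-agent-runner/action.yml
@@ -131,11 +131,25 @@ runs:
 if [ -n "${{ inputs.aws_secrets_manager_secret_id }}" ]; then
 echo "Fetching configuration from AWS Secrets Manager..."
 SECRET_JSON=$(aws secretsmanager get-secret-value --secret-id "${{ inputs.aws_secrets_manager_secret_id }}" --query SecretString --output text --region us-east-1)
-echo "sessions_bucket=$(echo $SECRET_JSON | jq -r '.AGENT_SESSIONS_BUCKET // empty')" >> $GITHUB_OUTPUT
-echo "langfuse_public_key=$(echo $SECRET_JSON | jq -r '.LANGFUSE_PUBLIC_KEY // empty')" >> $GITHUB_OUTPUT
-echo "langfuse_secret_key=$(echo $SECRET_JSON | jq -r '.LANGFUSE_SECRET_KEY // empty')" >> $GITHUB_OUTPUT
-echo "langfuse_host=$(echo $SECRET_JSON | jq -r '.LANGFUSE_HOST // empty')" >> $GITHUB_OUTPUT
-echo "evals_sqs_queue_arn=$(echo $SECRET_JSON | jq -r '.EVALS_SQS_QUEUE_ARN // empty')" >> $GITHUB_OUTPUT
+
+SESSIONS_BUCKET=$(echo $SECRET_JSON | jq -r '.AGENT_SESSIONS_BUCKET // empty')
+LANGFUSE_PUBLIC_KEY=$(echo $SECRET_JSON | jq -r '.LANGFUSE_PUBLIC_KEY // empty')
+LANGFUSE_SECRET_KEY=$(echo $SECRET_JSON | jq -r '.LANGFUSE_SECRET_KEY // empty')
+LANGFUSE_HOST=$(echo $SECRET_JSON | jq -r '.LANGFUSE_HOST // empty')
+EVALS_SQS_QUEUE_ARN=$(echo $SECRET_JSON | jq -r '.EVALS_SQS_QUEUE_ARN // empty')
+
+# Mask all secret values so they never appear in logs
+[ -n "$SESSIONS_BUCKET" ] && echo "::add-mask::$SESSIONS_BUCKET"
+[ -n "$LANGFUSE_PUBLIC_KEY" ] && echo "::add-mask::$LANGFUSE_PUBLIC_KEY"
+[ -n "$LANGFUSE_SECRET_KEY" ] && echo "::add-mask::$LANGFUSE_SECRET_KEY"
+[ -n "$LANGFUSE_HOST" ] && echo "::add-mask::$LANGFUSE_HOST"
+[ -n "$EVALS_SQS_QUEUE_ARN" ] && echo "::add-mask::$EVALS_SQS_QUEUE_ARN"
+
+echo "sessions_bucket=$SESSIONS_BUCKET" >> $GITHUB_OUTPUT
+echo "langfuse_public_key=$LANGFUSE_PUBLIC_KEY" >> $GITHUB_OUTPUT
+echo "langfuse_secret_key=$LANGFUSE_SECRET_KEY" >> $GITHUB_OUTPUT
+echo "langfuse_host=$LANGFUSE_HOST" >> $GITHUB_OUTPUT
+echo "evals_sqs_queue_arn=$EVALS_SQS_QUEUE_ARN" >> $GITHUB_OUTPUT
 fi
 
 - name: Build scoped IAM policy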
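Review bot: The five assignments at new lines 135-139 still expand `$SECRET_JSON` unquoted in `echo $SECRET_JSON | jq`, so the shell word-splits and glob-expands the secret document before jq parses it; a value containing runs of whitespace or glob characters would be altered, and the string registered with `::add-mask::` would then not be the secret as stored. Pass the JSON through unchanged, for example `SESSIONS_BUCKET=$(jq -r '.AGENT_SESSIONS_BUCKET // empty' <<<"$SECRET_JSON")`, and likewise for the other four. Separately, workflow commands are read one line at a time, so a value with an embedded newline would be masked only up to the first line break, the remainder would be echoed to the log in the clear at lines 142-146, and the `name=value` writes to `$GITHUB_OUTPUT` at lines 148-152 would be split; if such values are possible, reject them before masking or mask each line. The `run` script this hunk belongs to starts above the hunk, so the shell and its options are not visible here.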
