
I have 2 workflows: CI/CD and Deploy.

Deploy can be triggered manually (with workflow_dispatch) or by CI/CD (with workflow_call). It uses an environment named "dev" that contains 2 secrets: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

The Deploy workflow is successful when called manually. However, when it’s called from CI/CD, it fails with

Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

Here are the relevant parts of my workflows:

.github/workflows/ci-cd.yaml

name: CI/CD
on:
  pull_request:
    branches: [ main ]

jobs:
  ci:
    name: CI Checks
    runs-on: ubuntu-latest

    steps:
      # ... (run static analysis and tests)

  deploy-to-qa:
    name: Deploy to staging
    needs: [ ci ]
    uses: org/repo/.github/workflows/deploy.yaml@main
    with:
      AWS_REGION: us-east-1

.github/workflows/deploy.yaml

name: Deploy
on:
  workflow_call:
    inputs:
      AWS_REGION: { required: true, type: string }
  workflow_dispatch:
    inputs:
      AWS_REGION:
        required: true
        default: us-east-1

jobs:
  build-and-deploy:
    name: Deploy
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      ###############
      # THIS STEP FAILS when run with workflow_call (but succeeds with workflow_dispatch)
      ###############
      - name: Configure aws creds
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.AWS_REGION }}

The error:
aws-actions/configure-aws-credentials@v1
error: Credential could not be loaded

2 Answers


  1. You should define those as input parameters in the workflow_call section and pass them from the caller workflow, like:

    on:
      workflow_call:
        inputs:
          AWS_REGION: { required: true, type: string }
          AWS_ACCESS_KEY_ID: { required: true, type: string }
          AWS_SECRET_ACCESS_KEY: { required: true, type: string }
    

    and use it like:

        with:
          aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.AWS_REGION }}
    

    This way you could lose the ability to call it with a workflow_dispatch. To support that as well, you could try this approach:

        with:
          aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID ||  secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY ||  secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.AWS_REGION }}
    

    Not tested; it may require an intermediate step to resolve this part.

  2. The workflow_call needs secrets to be sent separately:

    A map of the secrets that can be used in the called workflow.

    Reference


    Moreover, according to this blog post, you can inherit secrets now:

    GitHub Actions simplifies using secrets with reusable workflows with the secrets: inherit keyword.

    Previously when passing secrets to a reusable workflow, you had to
    pass each secret as a separate argument. Now you can simply pass the
    secrets: inherit to the reusable workflow and the secrets will be
    inherited from the calling workflow.

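The fix the second answer points at, written out as a complete pair of files. This is an added example, not code from the original question or from either answer; it assumes the same repository layout, job names and `dev` environment the asker describes, and that the two AWS secrets are defined in that environment. The reusable workflow declares the secrets it needs under `on.workflow_call.secrets`, and the caller forwards them with `secrets: inherit`; the explicit per-secret map is shown as a commented alternative. Secrets go through the `secrets` keyword rather than `inputs` so that the called workflow still treats them as secrets (masked in job logs), instead of plain strings in the `inputs` context that nothing marks as sensitive.

```yaml
# --- .github/workflows/deploy.yaml (the called, reusable workflow) ---
name: Deploy
on:
  workflow_call:
    inputs:
      AWS_REGION: { required: true, type: string }
    # Declare which secrets a caller has to provide. A called workflow never
    # sees the caller's secrets unless they are passed (or inherited) here.
    secrets:
      AWS_ACCESS_KEY_ID: { required: true }
      AWS_SECRET_ACCESS_KEY: { required: true }
  workflow_dispatch:
    inputs:
      AWS_REGION:
        required: true
        type: string
        default: us-east-1

jobs:
  build-and-deploy:
    name: Deploy
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Configure aws creds
        uses: aws-actions/configure-aws-credentials@v1
        with:
          # `secrets.*` now resolves in both trigger modes: on workflow_dispatch
          # straight from the environment, on workflow_call from what the
          # caller forwarded. No `inputs ||` fallback is needed.
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.AWS_REGION }}
---
# --- .github/workflows/ci-cd.yaml (the caller) ---
name: CI/CD
on:
  pull_request:
    branches: [ main ]

jobs:
  ci:
    name: CI Checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # ... (run static analysis and tests)

  deploy-to-qa:
    name: Deploy to staging
    needs: [ ci ]
    # Same-repository reference: runs deploy.yaml from the same commit as this
    # workflow, rather than whatever `@main` happens to point at when the run
    # starts. (Assumed layout: both files live in this repository.)
    uses: ./.github/workflows/deploy.yaml
    with:
      AWS_REGION: us-east-1
    # Forward every secret this workflow can see (organization, repository and
    # environment secrets) to the called workflow.
    secrets: inherit
    # Alternative, passing only the two declared secrets by name:
    # secrets:
    #   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    #   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```

Why the manual run worked and the called run did not: a `workflow_dispatch` run's job with `environment: dev` reads the repository and environment secrets directly, whereas a job started through `workflow_call` receives only the secrets its caller hands over, and the original `deploy-to-qa` job passed none, so `secrets.AWS_ACCESS_KEY_ID` was empty and the action fell through to "Could not load credentials from any providers". One caveat on the two caller forms: the `deploy-to-qa` caller job cannot itself select an environment, so the explicit `secrets:` map resolves `${{ secrets.AWS_ACCESS_KEY_ID }}` against repository or organization secrets only; `secrets: inherit` is the form GitHub documents as also carrying environment secrets, which matches the asker's setup where the two values live in `dev`.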