Issues with output-credentials option that is still outputting environment variables

[jebeaudet]

Hi!

Related to actions/runner#1126 (comment).

We use an action to securely fetch a secret with OIDC within Github using this action :

    - name: Assume OIDC role
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: arn:aws:iam::1234:role/some-secured-role
        aws-region: us-east-2

    - name: Get Secret value
      id: get_secret_value
      shell: bash
      env:
        AWS_REGION: us-east-2
      run: |
          export SECRET_VALUE=$(\
            aws secretsmanager get-secret-value \
            --secret-id arn:aws:secretsmanager:us-east-2:1234:secret:/some/secret \
            --query SecretString \
            --output text \
          )
          if [[ "${{ inputs.jq_escape }}" == "true" ]]; then
            SECRET_VALUE=$(echo "$SECRET_VALUE" | jq -c .)
          fi
          echo "::add-mask::$SECRET_VALUE"
          echo "secret-value=$SECRET_VALUE" >> "$GITHUB_OUTPUT"

    - name: Unassume OIDC role and environment variables cleanup
      shell: bash
      run: |
        echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
        echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
        echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV
        echo "AWS_DEFAULT_REGION=" >> $GITHUB_ENV
        echo "AWS_REGION=" >> $GITHUB_ENV

As mentioned in the other thread, there's no way to unset a variable to we set it to empty values not to leak anything. However, SDK (boto3 and aws sdk) does not like that and barfs on errors when constructing the sts endpoint, stuff like

Caused by: java.lang.IllegalArgumentException: Request endpoint must have a valid hostname, but it did not: https://ssm/..amazonaws.com

Now, I was looking at the output-credentials option with the hope this could help, but even with this option, creds and region info is still outputted in environment variables.

What's your take on this? I'd love an option to go solely with outputs in order to scope down the reach of the credentials.