How can I share the travis-heroku API key to others? - heroku

I'm now using travis-heroku with my team.
But my API key doesn't allow my team members to pass the travis test.
How can I share travis-heroku API key with my team member?
Or is there any solution for this?
Here's my partial .travis.yml:
deploy:
  provider: heroku
  app: my-project-dev
  api_key:
    secure: [my api code]
  on:
    all_branches: true
I'm waiting for your help. Thank you :)

body: "{\"id\":\"unauthorized\",\"error\":\"Invalid credentials provided.\"}" (wrong API key?)
failed to deploy
You have to denote owner/repo when creating the Heroku API key:
$ travis encrypt -r [owner]/[repo] $(heroku auth:token)
it was referenced by
Encrypted key unauthorized for continuous deployment Travis → Heroku

Related

Github Action ubuntu-latest to Heroku auth failed

I'm seeing this error as of today, was working yesterday and prior to that as well.
Can't see that anything has changed in the Heroku documentation that might cause this breaking change.
Error:
Switched to a new branch 'deploy'
remote: ! WARNING:
remote: ! Do not authenticate with username and password using git.
remote: ! Run `heroku login` to update your credentials, then retry the git command.
remote: ! See documentation for details: https://devcenter.heroku.com/articles/git#http-git-authentication
fatal: Authentication failed for 'https://git.heroku.com/snapnhd-staging.git/'
main.yml
server-deploy:
  needs: server-check
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@master
    - uses: actions/setup-ruby@v1
      with:
        ruby-version: '2.6.x'
    - name: Determine Heroku App
      id: heroku
      uses: ./.github/actions/heroku-app
    - name: Deploy
      env:
        HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }}
        HEROKU_APP: ${{ steps.heroku.outputs.app }}
      run: |
        git remote add heroku \
          https://heroku:$HEROKU_API_KEY@git.heroku.com/$HEROKU_APP.git
        git fetch --unshallow origin
        git checkout -b deploy
        git push heroku deploy:master -f
As part of their response to this ongoing security investigation, Heroku forced all users to reset their passwords on or around May 4 (quoting from an email that, presumably, all customers should have received):
As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022.
This also invalidated API tokens:
NOTE: A password reset will also invalidate your API access tokens. As a result, any automations you’ve built to integrate with the Heroku Platform API that use these tokens may result in 403 forbidden errors. To avoid downtime you will need to re-enable direct authorizations by following the instructions here and update your integrations to use your newly generated token.
The linked article shows several ways to generate a new token, all of which boil down to a POST to
https://api.heroku.com/oauth/authorizations
The exact method depends partly on whether you have multi-factor authentication enabled. If you aren't already using MFA, this would be a good time to enable it.
Generate a new token and update your GitHub Actions configuration to use it.

Is it possible to push to gitlab from a gitlab job

I'd like to push tags to the gitlab repository for which a job is running.
I'm using the Gradle plugin reckon which is using the grgit/JGit API. Reckon is managing semantic versioning and is able to create and push a tag to a Git repository.
First I want to run in GitLab SaaS. And I assume I need a kind of token so I don't have to pass my personal credentials for security reasons?
Then I also have to work on running it in GitLab hosted environment. But I would expect that in both environments it should work the same way.
There is some thing like a deploy key but I really can't find any references on how to use them. But maybe deploy key is not really made for that kind of operation.
.release-template:
  stage: release
  image: adoptopenjdk:11-jdk-hotspot
  dependencies:
    - deliver
  script:
    - |
      ./gradlew reckonTagPush -Preckon.scope=$scope -Preckon.stage=$stage \
        -Dorg.ajoberstar.grgit.auth.username=${???} \
        -Dorg.ajoberstar.grgit.auth.password=${???}
  artifacts:
    paths:
      - build/
  #only:
  #  - master
  when: manual #ONLY MANUAL RELEASES, ONLY FROM MASTER
release-major:
  extends: .release-template
  variables:
    scope: major
    stage: final
release-minor:
  extends: .release-template
  variables:
    scope: minor
    stage: final
release-patch:
  extends: .release-template
  variables:
    scope: patch
    stage: final
If all you're doing is adding a git tag to the repo, and not adding commits, merging branches, etc. you can simply use the Tags API to create a new tag:
curl --request POST --header "PRIVATE-TOKEN: $CI_JOB_TOKEN" "https://gitlab.example.com/api/v4/projects/:project_id:/repository/tags?tag_name=test&ref=master"
The $CI_JOB_TOKEN variable is a Predefined Variable automatically provided to running jobs by GitLab. The $CI_JOB_TOKEN specifically will hold a non-admin API token, which should be fine for the Tags API.
If you were using other APIs that require Admin permissions, you'd have to use a personal access token of an Admin.

Access environment variables stored in Google Secret Manager from Google Cloud Build

How can I access the variables I define in Google Secret Manager from my Google Cloud Build Pipeline ?
You can access the secret from Cloud Build by using the standard Cloud Builder gcloud.
But there are 2 issues:
- If you want to use the secret value in another Cloud Build step, you have to store your secret in a file, the only way to reuse a previous value from one step to another one.
- The current Cloud Builder gcloud isn't up to date (today, 03 Feb 2020). You have to add a gcloud component update for using the correct version. I opened an issue for this.
steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: "bash"
  args:
    - "-c"
    - |
      gcloud components update
      # Store the secret in a temporary file
      gcloud beta secrets versions access --secret=MySecretName latest > my-secret-file.txt
- name: AnotherCloudBuildStepImage
  entrypoint: "bash"
  args:
    - "-c"
    - |
      # Get the secret and pass it to a command/script
      ./my-script.sh $(cat my-secret-file.txt)
Remember to grant the role Secret Manager Secret Accessor roles/secretmanager.secretAccessor to the Cloud Build default service account <PROJECT_ID>@cloudbuild.gserviceaccount.com
EDIT
You can access the secret from anywhere, either with the gcloud CLI installed (and initialized with a service account authorized to access secrets) or via an API call:
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
https://secretmanager.googleapis.com/v1beta1/projects/PROJECT_ID/secrets/MySecretName/versions/latest:access
Note: You receive the secret in the data field, in base64 encoded format. Don't forget to decode it before using it!
You have to generate an access token on a service account with the correct role granted. Here I use gcloud again, because it's easier. But according to your platform, use the most appropriate method. A Python script can also do the job.
EDIT 2
A new way to get secrets exists now in Cloud Build. Less boilerplate, safer. Have a look and use this way now.

travis-ci GitHub release upload is unauthorized

I am trying to automate uploading binaries of C++ library as GitHub Releases with Travis-CI. The release is set up to proceed with encrypted token from a user with admin privileges on repository.
Everything is according to the docs, but still getting my builds failed with this error:
`on_complete': GET https://api.github.com/user: 401 - Bad credentials // See: https://developer.github.com/v3 (Octokit::Unauthorized)
Please see details at: https://api.travis-ci.com/v3/job/161301399/log.txt
Let me clarify how I set up a release:
$ travis login
# Answer the security challenge with GitHub username/password
$ travis setup releases --com
# Answer the security challenge with GitHub username/password
# Answer few more questions
I do the --com part since the repository was recently moved to travis-ci.com and the job is performed there. However, I also tried the --pro and `` (no option, default to .org).
So here is deploy section of my .travis.yml:
deploy:
  provider: releases
  skip_cleanup: true
  draft: true
  overwrite: true
  api_key:
    secure: [... omitted ...]
  file: ${DISTRIBUTION_NAME}
  on:
    all_branches: true
As for now I've run out of options, so any advice would be highly appreciated.
Well, after banging my head against the wall for 3 hours straight, it came to my attention that I was encrypting the OAuth token as a secret for a different repo.
Namely, travis setup releases (and updated .travis.yml) mentioned Multy-io/Multy-back while I was working on script for Multy-io/Multy-Core project.
This is a leftover from setting up a previous project. Please note that you might want to explicitly set the repository to avoid a similar issue with:
travis setup releases -r Name/Repo

Automate Heroku CLI login

I'm developing a bash script to automatically clone some projects and do another task in dev VMs, but we have one project in Heroku and the repository is in it. In my .sh file I have:
> heroku login
And this prompts me to enter credentials. I read the "help" guide included in the binary and the documentation, but I couldn't find anything to automatically insert the username and password. I want something like this:
> heroku login -u someUser -p mySecurePassword
Is there any way similar to this?
The Heroku CLI only uses your username and password to retrieve your API key, which it stores in your ~/.netrc file ($HOME\_netrc on Windows).
You can manually retrieve your API key and add it to your ~/.netrc file:
1. Log into the Heroku web interface
2. Navigate to your Account settings page
3. Scroll down to the API Key section and click the Reveal button
4. Copy your API key
5. Open your ~/.netrc file, or create it, with your favourite text editor
6. Add the following content:

machine api.heroku.com
  login <your-email@address>
  password <your-api-key>
machine git.heroku.com
  login <your-email@address>
  password <your-api-key>

Replace <your-email@address> with the email address registered with Heroku, and <your-api-key> with the API key you copied from Heroku.
This should manually accomplish what heroku login does automatically. However, I don't recommend this. Running heroku login does the same thing more easily and with fewer opportunities to make a mistake.
If you decide to copy ~/.netrc files between machines or accounts you should be aware of two major caveats:
This file is used by many other programs; be careful to only copy the configuration stanzas you want.
Your API key offers full programmatic access to your account. You should protect it as strongly as you protect your password.
Please be very careful if you intend to log into Heroku using any mechanism other than heroku login.
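One way to follow the first caveat above and copy only the Heroku stanzas, as an added Python example that is not part of the original answer. The function name, the sample file contents and the credentials in it are constructed for illustration.

```python
import netrc
import os

# Hosts that the answer above lists in the Heroku ~/.netrc stanzas.
HEROKU_HOSTS = ("api.heroku.com", "git.heroku.com")

# Constructed sample: a .netrc that also holds an unrelated credential.
SAMPLE_NETRC = """\
machine github.com
  login someone
  password constructed-github-token
machine api.heroku.com
  login dev@example.com
  password constructed-heroku-key
machine git.heroku.com
  login dev@example.com
  password constructed-heroku-key
"""


def extract_heroku_stanzas(src_path, dst_path, hosts=HEROKU_HOSTS):
    """Copy only the listed machine stanzas from src_path to dst_path.

    Returns the hosts copied. dst_path must not exist yet, so a .netrc
    already present on the target machine is never overwritten.
    """
    parsed = netrc.netrc(src_path)
    lines, copied = [], []
    for host in hosts:
        entry = parsed.hosts.get(host)
        if entry is None:
            continue
        login, _account, password = entry
        lines += [f"machine {host}", f"  login {login}", f"  password {password}"]
        copied.append(host)
    if not copied:
        raise ValueError(f"no Heroku stanzas found in {src_path}")
    # O_EXCL refuses to reuse an existing file; mode 0600 keeps the API key
    # unreadable by other local users from the moment the file is created.
    fd = os.open(dst_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as out:
        out.write("\n".join(lines) + "\n")
    return copied
```

Write the result to a new path and merge it into the target's ~/.netrc by hand if one already exists there.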
You can generate a non-expiring OAuth token then pass it to the CLI via an environment variable. This is useful if you need to run Heroku CLI commands indefinitely from a scheduler and you don't want the login to expire. Do it like this (these are not actual Tokens and IDs, BTW):
$ heroku authorizations:create
Creating OAuth Authorization... done
Client: <none>
ID: 80fad839-876b-4ea0-a41e-6a9a2fb0cf97
Description: Long-lived user authorization
Scope: global
Token: ddf4a0e5-9294-4c5f-8820-b51c52fce4f9
Updated at: Fri Aug 02 2019 21:26:09 GMT+0100 (British Summer Time) (less than a minute ago)
Get the token (not the ID) from that authorization and pass it to your CLI:
$ HEROKU_API_KEY='ddf4a0e5-9294-4c5f-8820-b51c52fce4f9' heroku run ls --app my-app
Running ls on ⬢ my-app... up, run.2962 (Hobby)
<some file names>
$
By the way this also solves the problem of how to use the Heroku CLI when you have MFA enabled on your Heroku account but your machine doesn't have a web browser e.g., if you are working on an EC2 box via SSH:
$ heroku run ls --app my-app
heroku: Press any key to open up the browser to login or q to exit:
› Error: quit
$ HEROKU_API_KEY='ddf4a0e5-9299-4c5f-8820-b51c52fce4f9' heroku run ls --app my-app
Running ls on ⬢ my-app... up, run.5029 (Hobby)
<some file names>
$
EDIT: For Windows Machines
After you run heroku authorizations:create, copy the "Token", and run the following commands:
set HEROKU_API_KEY=ddf4a0e5-9299-4c5f-8820-b51c52fce4f9
heroku run ls --app my-app
If your goal is just to get the source code, you could use a simple git client. You just need the api key.
Steps to get api key
Log into the Heroku web interface
Navigate to your Account settings page
Scroll down to the API Key section and click the Reveal button
Copy your API key
Download source code using git
Use this url template for git clone
https://my_user:my_password@git.heroku.com/name_of_your_app.git
In my case the user value was my email without domain.
Example :
if mail is **duke@gmail.com**
user for heroku auth will be **duke**
Finally just clone it like any other git repositories:
git clone https://duke:my_password@git.heroku.com/name_of_your_app.git
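A remote URL of this form, like the one passed to git remote add in the GitHub Actions workflow earlier on this page, is saved with its credential in the repository's .git/config. The following added Python example (not part of the original answers) finds such remotes in a config file and reports them with the password masked; the function names and the sample config, including the key in it, are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches "url = ..." and "pushurl = ..." lines in a git config file.
URL_LINE = re.compile(r"^\s*(?:push)?url\s*=\s*(\S+)", re.IGNORECASE)

# Constructed sample .git/config; the key in it is not a real credential.
SAMPLE_CONFIG = """\
[remote "origin"]
    url = https://github.com/example/app.git
[remote "heroku"]
    url = https://heroku:constructed-api-key@git.heroku.com/my-app.git
[remote "backup"]
    url = git@gitlab.example.com:example/app.git
"""


def redact(url):
    """Return (url_with_password_masked, had_password) for one remote URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.password is None:
        return url, False  # SSH-style and credential-free remotes pass through
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    masked = parts._replace(netloc=f"{parts.username}:***@{host}")
    return urlunsplit(masked), True


def find_credential_remotes(config_text):
    """List (line_number, redacted_url) for remotes that embed a password."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = URL_LINE.match(line)
        if match:
            safe_url, had_password = redact(match.group(1))
            if had_password:
                findings.append((lineno, safe_url))
    return findings


if __name__ == "__main__":
    for lineno, url in find_credential_remotes(SAMPLE_CONFIG):
        print(f"line {lineno}: credential in remote URL: {url}")
```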
I agree that Heroku should have by now provided a way to do this with their higher level CLI tool.
You can avoid extreme solutions (and you should, just like Chris mentioned in his answer) by simply using curl and the Heroku API. Heroku allows you to use your API Token (obtainable through your user settings / profile page on the Heroku dashboard).
You can then use the API to achieve whatever it is you wanted to do with their command line tool.
For example, if I wanted to get all config vars for an app I would write a script that did something like the following:
curl https://api.heroku.com/apps/YOUR_APP_NAME/config-vars \
  -H "Accept: application/vnd.heroku+json; version=3" \
  -H "Authorization: Bearer YOUR_TOKEN"
If *YOUR_APP_NAME* had only one config variable called *my_var* the response of the above call would be
{
"my_var": some_value
}
I've found using this all the time in CI tools that need access to *Heroku* information / resources.
