Feature Request: Selective JSON key extraction to prevent over-masking of secret values #263

@jnewton03

Problem Description

When using parse-json-secrets: true, ALL values in the JSON object are marked as secrets via core.setSecret(). This causes over-masking where innocent values get redacted throughout the GitHub Action logs, making debugging difficult.

Reproducible Example

JSON Secret in AWS Secrets Manager:

{
  "DOCKER_USERNAME": "liquibase",
  "DOCKER_PASSWORD": "actual-secret-password",
  "API_ENDPOINT": "https://api.example.com"
}

Current Behavior:

  • All three values get marked as secrets
  • The word "liquibase" gets masked everywhere in GitHub Action logs
  • "https://api.example.com" gets masked even though it's not sensitive
  • Makes debugging nearly impossible

Use Case

We store multiple secrets in a single JSON object in AWS Secrets Manager to minimize costs (each secret costs $.40/month). This is a common cost-optimization strategy, but the current implementation makes it impractical due to over-masking.

Proposed Solution

Add a new optional input parameter json-secret-keys that allows users to specify which keys from the JSON object should be extracted as environment variables and marked as secrets.

Example Usage

- name: Get secrets
  uses: aws-actions/aws-secretsmanager-get-secrets@v2
  with:
    secret-ids: my-json-secret
    parse-json-secrets: true
    json-secret-keys: |
      DOCKER_PASSWORD
      API_KEY

This would:

  • Only extract DOCKER_PASSWORD and API_KEY as environment variables
  • Only mark those values as secrets (not DOCKER_USERNAME or API_ENDPOINT)
  • Prevent over-masking while maintaining cost savings

Backward Compatibility

  • If json-secret-keys is not provided: current behavior (extract all keys)
  • If json-secret-keys is provided: only extract specified keys
  • No breaking changes to existing workflows

Environment

  • aws-secretsmanager-get-secrets: v2 (latest)
  • GitHub Actions runners: ubuntu-latest
  • AWS Secrets Manager: storing JSON objects with multiple key-value pairs

This feature would solve the over-masking problem while preserving the cost benefits of storing multiple secrets in a single JSON object.
