Blair Nangle

String-enclosed Secrets in GitHub Actions

Just show me the code (without the actual secret values, obviously).


Improve email deliverability by adding SPF and DKIM DNS records to my domain via Terraform and GitHub Actions.


SPF and DKIM values contain whitespace. For example, my SPF value might be:

v=spf1 ~all

Route 53 expects each of the TXT record values to be double-quoted. If we were to manually add the value to the TXT record via the AWS Console, the quotes would be automagically added.

When the secret value is injected into the Actions environment, double-quoted values (e.g., "v=spf1 ~all") and mixed escaped/plain double-quoted values (e.g., \""v=spf1 ~all"\" or "\"v=spf1 ~all\"") appear to have their quotes discarded, and the AWS API (called via Terraform) responds with a 400 and the following error:

Error: [ERR]: Error building changeset: InvalidChangeBatch: [Invalid Resource Record: 'FATAL problem: InvalidCharacterString (Value should be enclosed in quotation marks) encountered with '"***"'']

And escape-quoted values (e.g., \"v=spf1 ~all\") somehow achieve this strange result in Route 53:

"\"v=spf1 ~all\""


We can single-quote the value of the secret. For example:

'v=spf1 ~all'

Super simple, but unintuitive. Took me a while to figure out after playing around with various quote combinations!
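As an added example that is not the post's own code, here is the Terraform side of the setup: TXT records for SPF and DKIM whose values come from variables that the workflow supplies as TF_VAR_ environment variables set from secrets. Every name here (var.zone_id, var.domain, var.spf_value, var.dkim_selector, var.dkim_value, the record names and TTLs) is an assumption. Whatever quoting the secret needs in your pipeline, the value that reaches Terraform should be the bare policy string, because the AWS provider itself adds the enclosing double quotes that Route 53 requires for TXT values.

```hcl
# Added example, not the post's code. Variable and record names are assumptions.

variable "zone_id" {
  description = "Hosted zone ID of the domain"
  type        = string
}

variable "domain" {
  description = "Apex domain the records belong to, e.g. example.com"
  type        = string
}

variable "spf_value" {
  description = "SPF policy, e.g. v=spf1 ~all, supplied as TF_VAR_spf_value"
  type        = string
  sensitive   = true # redacted in plan/apply output; still stored in state
}

variable "dkim_selector" {
  description = "DKIM selector, e.g. mail"
  type        = string
}

variable "dkim_value" {
  description = "DKIM public key record, supplied as TF_VAR_dkim_value"
  type        = string
  sensitive   = true
}

# SPF is a TXT record at the apex. The AWS provider wraps each TXT value in the
# double quotes Route 53 requires, so the variable must hold the bare policy
# with no quote characters of its own.
resource "aws_route53_record" "spf" {
  zone_id = var.zone_id
  name    = var.domain
  type    = "TXT"
  ttl     = 300
  records = [var.spf_value]
}

# DKIM keys are published at <selector>._domainkey.<domain>. A TXT string is
# limited to 255 characters, so a long key is split into chunks joined by a
# literal "" pair, which the provider turns into separately quoted strings.
locals {
  dkim_chunks = regexall(".{1,255}", var.dkim_value)
  dkim_record = join("\"\"", local.dkim_chunks)
}

resource "aws_route53_record" "dkim" {
  zone_id = var.zone_id
  name    = "${var.dkim_selector}._domainkey.${var.domain}"
  type    = "TXT"
  ttl     = 300
  records = [local.dkim_record]
}
```

In the workflow, give the Terraform step an env: block with TF_VAR_spf_value: ${{ secrets.SPF_VALUE }} (and likewise for the DKIM value) rather than writing ${{ secrets.SPF_VALUE }} inside the run: command itself: an expression in run: is substituted into the script text before the shell parses it, so the shell re-interprets any quotes the secret contains, whereas an environment variable reaches Terraform byte for byte. sensitive = true keeps the values out of plan and apply logs, but they are still written in clear to the state file, so treat the state backend as holding secrets. After apply, check the published record rather than trusting the green run: dig +short TXT example.com should print "v=spf1 ~all" exactly, with no stray ' or \" inside the quotes, since mail receivers only recognise an SPF record whose content begins with v=spf1.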