Reputation: 4537
I have a static website and I'm trying to use Travis CI to migrate content to the S3 bucket where I'm hosting the website each time I commit changes to GitHub. To support this, I have the following .travis.yml file:
language: python
python: '2.7'
install: true
script: true
deploy:
  provider: s3
  access_key_id: XXXXX
  secret_access_key: YYYYY
  bucket: thug-r.life
  skip_cleanup: true
  region: us-east-1
  local_dir: public
which works fine. Except I have my secret in plain text on GitHub in a public repo. So...that's bad. Travis CI has a section on encrypting keys (https://docs.travis-ci.com/user/encryption-keys/) which I followed. Using the CLI tool
travis encrypt secret_access_key="YYYYY" --add
which inserts at the bottom of my file
env:
  global:
    secure: ZZZZZ
So I tried to modify my original file to look like
deploy:
  secret_access_key:
    secure: ZZZZZ
But then Travis CI complains that 'The request signature we calculated does not match the signature you provided.'
So I tried encrypting without quotes
travis encrypt secret_access_key=YYYYY --add
and using the output in the same way.
How am I supposed to include the encrypted key?
Upvotes: 2
Views: 998
Reputation: 4537
All of the examples in the Travis CI help on encrypting keys (https://docs.travis-ci.com/user/encryption-keys/) were of the form:
travis encrypt SOMEVAR="secretvalue"
which it states encrypts the key as well as the value. So, taking the output of the above encryption and using it like above
deploy:
  secret_access_key:
    secure: ZZZZZ
decrypts to be
deploy:
  secret_access_key: secret_access_key: YYYYY
which is what was causing the errors. Instead, what I ended up doing that worked was:
travis encrypt "YYYYY" --add
and used it in the .travis.yml file as
deploy:
  secret_access_key:
    secure: ZZZZZ
which ended up being accepted.
tl;dr Don't include the key when encrypting the secure_access_key
Upvotes: 3
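The following is an added example, not code from the original posts or from Travis CI: it shows why a decrypted value that still carries the NAME= prefix produces the signature-mismatch error, and adds a check to run on a string before encrypting it for a deploy key. It assumes the S3 request is signed with AWS Signature Version 4; the date, string to sign, and the names sigv4_signature, check_deploy_secret and demo are constructed for illustration, and YYYYY is the placeholder from the question.

```python
import hashlib
import hmac
import re


def sigv4_signature(secret, date, region, service, string_to_sign):
    """Derive the SigV4 signing key from `secret` and sign `string_to_sign`."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


# Heuristic: an environment-style NAME= prefix at the start of the string.
ENV_FORM = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def check_deploy_secret(plaintext):
    """Return a warning if the string about to be encrypted for a deploy key
    still has a NAME= prefix, or None if it looks like a bare value."""
    match = ENV_FORM.match(plaintext)
    if match:
        return "starts with %r; encrypt only the part after '='" % match.group(0)
    return None


def demo():
    """Compare the signature AWS computes with the one the deploy step sends
    for each string that could have been passed to `travis encrypt`."""
    real_secret = "YYYYY"  # placeholder secret, as in the question
    string_to_sign = (     # constructed sample, not a captured request
        "AWS4-HMAC-SHA256\n20240101T000000Z\n"
        "20240101/us-east-1/s3/aws4_request\n" + "0" * 64
    )
    args = ("20240101", "us-east-1", "s3", string_to_sign)
    server_side = sigv4_signature(real_secret, *args)
    results = {}
    for encrypted_input in ("secret_access_key=YYYYY", "YYYYY"):
        # The deploy step signs with exactly the string that was encrypted.
        client_side = sigv4_signature(encrypted_input, *args)
        results[encrypted_input] = (
            check_deploy_secret(encrypted_input),
            hmac.compare_digest(client_side, server_side),
        )
    return results


if __name__ == "__main__":
    for value, (warning, matches) in demo().items():
        print(value, "| warning:", warning, "| signature matches:", matches)
```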