stravze

Reputation: 137

Azure DevOps Variable secrets between tasks jobs issecret=true

My Keyvault secrets are appearing in clear text in the console. I tried to set the variable to a secret:

echo "##vso[task.setvariable variable=nsg-list;issecret=true;isOutput=true]$(nsg-list)"
echo "##vso[task.setvariable variable=nsg-rules;issecret=true;isOutput=true]$(nsg-rules)"

Now the builds are failing; if I remove the issecret=true, the builds work again.

I need to pass the variables between tasks and jobs. Is there a better way of doing this?

pool:
  vmImage: 'Ubuntu-16.04'
steps:
  - task: AzureKeyVault@1
    displayName: Read variables from keyvault
    inputs:
      azureSubscription: Sandbox
      keyVaultName: "sandbox"
      secretsFilter: '*'
  - script: |
      echo "##vso[task.setvariable variable=backend_storage_account_name;issecret=true;isOutput=true]$(backend-storage-account-name)"
      echo "##vso[task.setvariable variable=backend_storage_container_name;issecret=true;isOutput=true]$(backend-storage-container-name)"
      echo "##vso[task.setvariable variable=backend_access_key;issecret=true;isOutput=true]$(backend-access-key)"
      echo "##vso[task.setvariable variable=tenant-id;issecret=true;isOutput=true]$(tenant-id)"
      echo "##vso[task.setvariable variable=app-id;issecret=true;isOutput=true]$(app-id)"

Upvotes: 4

Views: 4134

Answers (2)

Jeff Patton

Reputation: 574

I think the issue is understanding what these variables truly are. From the OP:

echo "##vso[task.setvariable variable=nsg-list;issecret=true;isOutput=true]$(nsg-list)"

In this context these are Task Variables; it would be akin to creating the variable in the Variables section of the pipeline. What we have noticed in our testing is that isOutput will prepend the task name onto the variable, which was not terribly convenient for us, so we opted to not use isOutput.

In order to make the secrets available on Linux we just exported those variables and were able to move forward with our pipeline.

Upvotes: 2

4c74356b41

Reputation: 72151

You need to explicitly set them as environment variables with something like this:

env:
  var1: $(your_var_name)

in each step you intend to use them, and then you can use them as environment variables.

Upvotes: 3
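
The explicit env: mapping described in the answer above, written out for the Key Vault variables from the question. This is an added example, not code from either poster; the upper-case environment variable names, the step display name, the narrowed secretsFilter and the ubuntu-latest image are assumptions made for illustration.

```yaml
# Added example: consume Key Vault secrets through an explicit env: mapping.
pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: AzureKeyVault@1
    displayName: Read variables from keyvault
    inputs:
      azureSubscription: Sandbox   # service connection name from the question
      keyVaultName: "sandbox"
      # Fetch only the secrets this job needs instead of '*'.
      secretsFilter: 'backend-storage-account-name,backend-access-key'

  - script: |
      # Read the secrets from the process environment rather than pasting
      # $(...) macros into the script text. The ':?' expansion fails the
      # step if a mapping is missing, without printing the value.
      : "${BACKEND_STORAGE_ACCOUNT_NAME:?not mapped}"
      : "${BACKEND_ACCESS_KEY:?not mapped}"
      echo "storage account name and access key are available to this step"
    displayName: Use secrets via env mapping
    env:
      # Left: environment variable names (assumed for this example).
      # Right: pipeline variables created by the Key Vault task.
      BACKEND_STORAGE_ACCOUNT_NAME: $(backend-storage-account-name)
      BACKEND_ACCESS_KEY: $(backend-access-key)
```

Secret variables are not exported to script steps automatically, so the env: block has to be repeated on every step that needs them.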
