mystack

Reputation: 5532

Not able to print the Azure-Keyvault secret in the release pipeline

I am trying the code below to retrieve the Azure Key Vault secret from the release pipeline, but I am not able to print the exact string with it:

(Get-AzKeyVaultSecret -vaultName "keyvalultname" -name "Password").SecretValueText
$Password= (Get-AzKeyVaultSecret -vaultName "keyvalultname" -name "Password").SecretValueText
$Password
Write-Output 'DBPassword is $Password'
Write-Host 'DBPassword is $Password'

if ($Password -eq "Password01")
{
   Write-Host "1"
}
else
{
   Write-Host "0"
}

Write-Host $($Password.Username)

Nowhere in the above code am I getting the value "Password01", but I am able to print 1 in the IF condition.

The output I got is given below:

2019-12-09T14:01:45.9967410Z ***
2019-12-09T14:01:45.9972871Z DBPassword is $Password
2019-12-09T14:01:45.9984181Z DBPassword is $Password
2019-12-09T14:01:45.9992966Z 1
2019-12-09T14:01:46.0026811Z 
2019-12-09T14:01:46.0030953Z 

Upvotes: 0

Views: 2860

Answers (1)

Shayki Abramczyk

Reputation: 41775

This is Azure DevOps behavior: it masks secret variables and does not print their values in the logs. See here:

We make an effort to mask secrets from appearing in Azure Pipelines output, but it's not bulletproof. Never echo secrets as output. Some operating systems log command line arguments. Never pass secrets on the command line. Instead, we suggest that you map your secrets into environment variables.

We will not ever mask substrings of secrets. If, for example, "abc123" is set as a secret, "abc" will not be masked from the logs. This is to avoid masking secrets at too granular of a level, making the logs unreadable. For this reason, secrets should not contain structured data. If, for example, "{ "foo": "bar" }" is set as a secret, "bar" will not be masked from the logs.

You can print the value vertically if you print it as chars:

$Password.ToCharArray()

Upvotes: 2
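The masking behavior quoted in the answer, as an added example that is not part of the original post and is not Azure DevOps code. `Protect-LogLine` is a hypothetical, simplified model of whole-value masking, `Test-SecretLoaded` is a hypothetical helper for confirming a secret arrived without echoing it, and all sample values are constructed.

```powershell
# Simplified model of whole-value log masking (an assumption, not the real agent code):
# every exact occurrence of a registered secret is replaced with ***.
function Protect-LogLine {
    param(
        [string]   $Line,
        [string[]] $Secrets
    )
    foreach ($s in $Secrets) {
        if ($s) { $Line = $Line.Replace($s, '***') }
    }
    return $Line
}

# Confirm a secret was retrieved without writing any part of it to the log.
# Only a boolean is returned, so there is nothing for the masker to miss.
function Test-SecretLoaded {
    param(
        [string] $Value,
        [int]    $MinLength = 8
    )
    return (-not [string]::IsNullOrEmpty($Value)) -and ($Value.Length -ge $MinLength)
}

# Constructed sample secrets; "Password01" is the value used in the question,
# the JSON string is the structured-data case from the quoted documentation.
$secrets = @('Password01', '{ "foo": "bar" }')

# Constructed log lines covering each case the documentation describes.
$lines = @(
    'DBPassword is Password01'   # whole value: masked
    'prefix is Password'         # substring of a secret: NOT masked
    'parsed field = bar'         # fragment of a structured secret: NOT masked
) + ('Password01'.ToCharArray() | ForEach-Object { [string]$_ })  # one char per line: NOT masked

foreach ($l in $lines) {
    Write-Output (Protect-LogLine -Line $l -Secrets $secrets)
}

# The safe check: report that the secret is present, never its content.
Write-Output ('Secret loaded: ' + (Test-SecretLoaded -Value 'Password01'))
```

Only the first line comes out as `DBPassword is ***`; every other line passes through unchanged, which is why the documentation says never to echo secrets and not to store structured data in them.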
