Reputation: 3315
I am trying to access a secret variable to pass it to another script.
I expect the following code in the pipeline to print the value, but it prints some text 'xxx' regardless of the value of the secret variable.
echo xxx
Pipeline Snippet
steps:
- bash: echo This script could use $SYSTEM_ACCESSTOKEN
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
Upvotes: 10
Views: 31362
Reputation: 3218
PowerShell solution, since the above bash solution didn't work for me:
# DEBUG: print access token for local debugging
- powershell: Write-Host ($env:var1).substring(0,1) + ($env:var1).substring(1)
  displayName: DEBUG - print access token for local debugging
  env:
    var1: $(System.AccessToken)
Obviously don't use this in production code. I used it to get the System Access Token so I could do local debugging in Postman instead of pushing commits and running my pipeline every time.
Upvotes: 3
Reputation: 1510
Azure Pipelines will scan the output and mask the secret, so you can simply split it up and print it in two parts. Here is a bash example:
echo "${MY_SECRET:0:10}" # Print the first 10 characters
echo "${MY_SECRET:10:100}" # Print up to 100 characters starting at character 11
You should of course only do it for debugging purposes and not leave it in your pipeline.
Upvotes: 13
Reputation: 3315
Updates:
If I save the secret value to a file and publish that file as an artifact, the secret is visible in cleartext.
After speaking to my colleagues, I have realized that any text in the logs that contains a secret value will be masked.
It will be interesting to see what happens if I have 2 variables, viz.
OPEN_VAR='something' # No Secret
and
SECRET_VAR='something' # Values same as above but Secret
If I print $OPEN_VAR, does it mask the value because "something" is also the value of "SECRET_VAR"?
Upvotes: 2
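A simplified model of the masking behaviour discussed in this thread, including the same-value question from the update above. It is an added example, not code from any of the posts or from the Azure Pipelines agent, and it assumes the log filter replaces literal occurrences of a registered secret value line by line. `mask_log`, `artifact_has_secret` and the sample values are constructed for the illustration.

```bash
#!/bin/sh
# Simplified model of value-based log masking. Assumption: the log filter
# replaces each literal occurrence of a registered secret value with ***.
# Not the Azure Pipelines agent's code; all names and values are constructed.

SECRET_VAR='s3cr3t-constructed-token'  # constructed value, registered as secret
OPEN_VAR='s3cr3t-constructed-token'    # same value, never registered as secret

# mask_log SECRET: copy stdin to stdout, masking literal matches line by line.
mask_log() {
  MASK_VALUE="$1" awk '
    BEGIN { s = ENVIRON["MASK_VALUE"]; n = length(s) }
    {
      out = ""
      while (n > 0 && (i = index($0, s)) > 0) {
        out = out substr($0, 1, i - 1) "***"
        $0 = substr($0, i + n)
      }
      print out $0
    }'
}

# Whole value on one line: masked.
case_whole() { echo "token=$SECRET_VAR" | mask_log "$SECRET_VAR"; }

# Non-secret variable with the same value: masked too, because the filter
# matches the value and has no idea which variable the text came from.
case_open() { echo "open=$OPEN_VAR" | mask_log "$SECRET_VAR"; }

# Value split over two lines, as in the answers in this thread: no single
# line contains the full value, so nothing matches.
case_split() {
  { printf '%s\n' "$SECRET_VAR" | cut -c1-10
    printf '%s\n' "$SECRET_VAR" | cut -c11-; } | mask_log "$SECRET_VAR"
}

# Files never pass through the log filter. Hypothetical pre-publish check:
# exit status 0 means FILE contains the secret and must not be published.
artifact_has_secret() { grep -F -q -- "$2" "$1"; }

case_whole; case_open; case_split
```

In this model masking is a display filter on the log stream only, so access to secrets has to be controlled by who can edit and run the pipeline, not by the masking.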
Reputation: 31003
If you want to access a secret variable, you could print it to a file. Check the example below:
steps:
- powershell: |
    $env:var1 | Out-File C:\Users\xxx\Desktop\Newfolder\debug.txt
  displayName: 'PowerShell Script'
  env:
    var1: $(System.AccessToken)
But System.AccessToken is a PAT token generated for the service identity “Project Collection Build Service (account)”; it's not needed to verify the value of System.AccessToken. In addition, if you want to print the value of System.AccessToken to a file, you need to check the "Allow scripts to access the OAuth token" option in the agent job.
Upvotes: 11
Reputation: 40553
This is because SYSTEM_ACCESSTOKEN is a secret. If you do the same with a variable which is not a secret, you will be able to see the value.
Upvotes: 2