Azure Devops Release Pipeline - Keyvault with special characters in the secret

Question

I'm running a devops release pipeline and i pull back the keyvaults secrets via this task

steps:

• task: AzureKeyVault@1

My secret value looks something like this. abc$def&ghi

I'm updating a database record with this secret via Powershell.

The value that ends up in the database is "abcghi" The $ and characters up to, and including the & are excluded.

Do I need to escape the secrets coming from keyvault somehow?

-Randy

Answer 1

Are you trying to use the secret value inside of a double-quoted string in your PowerShell database update script? Something like this:

$sqlCommand = "update table set value='abc$def&ghi' where id=1";

If so, PowerShell is attempting to expand $def as a variable. It's probably not really a variable and will expand into an empty string.

You can escape the dollar sign in your key vault by using a backtick `$, but you have to be careful if you need to use that secret in a non-PowerShell scenario.

Alternatively, you could use single-quote characters around your string instead; although you'll then need to escape any single-quote characters used inside that string:

$sqlCommand = 'update table set value=''abc$def&ghi'' where id=1';

See the PowerShell docs about quoting rules for more information.