Reputation: 93
I'm using an Azure DevOps Release pipeline which has the following steps:
Downloading of KeyVault secrets works fine and I can confirm that they are available by using $(Key1), where Key1 is the actual key stored in KeyVault secrets.
Now, what I want is to loop over a list of the secrets (a simple text file with keys separated by commas) and append them to a console app parameter, but I fail to retrieve the Azure DevOps pipeline variable with a PowerShell variable.
$keyVaultVariables can be Key1,Key2,Key3, which corresponds to the keys stored in KeyVault, meaning that when I'm calling $($kvVar) I should get the value of the secret with that key. What I get is just the key, but no value.
$keyVaultList = $keyVaultVariables -split ','
$stringReplacementValues = ""
foreach($kvVar in $keyVaultList)
{
    $val = $($kvVar)
    Write-Host $val
    $stringReplacementValues = $stringReplacementValues + "$kvVar|$val;"
}
Write-Host $stringReplacementValues
What am I doing wrong?
Upvotes: 1
Views: 578
Reputation: 115037
What you want cannot be done this way. It's a security feature.
Secrets can only be iterated through the task-sdk from a custom task. Any script or existing task that doesn't have this functionality needs to have these values passed in through an input or the environment or through inlining the value in the script directly. This is a security feature to prevent, say, a rogue npm package from extracting all of the secrets from a pipeline.
If you move your functionality into a custom task, it could access the secrets.
Upvotes: 1
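The "passed in through ... the environment" route from the answer above, as an added example that is not part of the original question or answer. It assumes the PowerShell task's environment-variable settings map each secret by name (for example KV_KEY1 = $(Key1)); the KV_ prefix, the function name and the sample values are hypothetical.

```powershell
# Added example. Assumption: the task maps each secret explicitly in its
# environment-variable settings, e.g. KV_KEY1 = $(Key1), KV_KEY2 = $(Key2).
# The KV_ prefix and the function name are hypothetical, chosen for this example.
function Get-MappedSecretArgument {
    param(
        [Parameter(Mandatory)] [string] $KeyList,   # e.g. "Key1,Key2,Key3"
        [string] $Prefix = 'KV_'
    )
    $pairs   = [System.Collections.Generic.List[string]]::new()
    $missing = [System.Collections.Generic.List[string]]::new()

    foreach ($key in ($KeyList -split ',')) {
        $key = $key.Trim()
        if (-not $key) { continue }

        $envName = ($Prefix + $key).ToUpperInvariant()
        $val = [Environment]::GetEnvironmentVariable($envName)

        # An unmapped secret is simply absent; a pipeline variable that could not
        # be resolved arrives as the literal text "$(Name)". Treat both as missing.
        if ([string]::IsNullOrEmpty($val) -or $val -match '^\$\(.+\)$') {
            $missing.Add($key)
            continue
        }
        $pairs.Add("$key|$val")   # same "key|value;" layout as in the question
    }

    [pscustomobject]@{
        Argument = if ($pairs.Count) { ($pairs -join ';') + ';' } else { '' }
        Missing  = $missing.ToArray()
    }
}

# Constructed values standing in for what the task's mapping would set.
$env:KV_KEY1 = 'constructed-value-1'
$env:KV_KEY2 = 'constructed-value-2'
$env:KV_KEY3 = '$(Key3)'   # simulates a variable the pipeline could not resolve

$result = Get-MappedSecretArgument -KeyList 'Key1,Key2,Key3'

# Report counts and key names only; the values themselves are never echoed.
$resolved = @($result.Argument -split ';' | Where-Object { $_ }).Count
Write-Host "Resolved pairs: $resolved"
if ($result.Missing.Count) {
    Write-Warning "Not mapped or unresolved: $($result.Missing -join ', ')"
}
```

Each secret still has to be mapped by name in the task settings; the script cannot enumerate secrets it was not handed, which is the restriction the answer describes.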