Reputation: 225
I have an Azure KeyVault that contains a secret, let's call it "test1".
I have an Azure DevOps release pipeline that runs 2 bash scripts. One inline, the other file based.
The inline script has no input argument, because it can handle the variable (secret) from the Variable Group (which is the Azure Key Vault) without it.
The file-based script has one input, which on the DevOps side is $(test1).
In the case of inline script:
echo "1" $test1
echo "2" test1
echo "3" "$test1"
echo "4" $(test1)
echo "5" ${test1}
echo "6" "$(test1)"
echo "7" "${test1}"
In the case of file based script:
test1=$1
echo "1" $test1
echo "2" test1
echo "3" "$test1"
echo "4" $(test1)
echo "5" ${test1}
echo "6" "$(test1)"
echo "7" "${test1}"
As you can see, the two scripts are identical.
Output from the inline script:
2024-01-26T09:45:29.0382744Z 1
2024-01-26T09:45:29.0384501Z 2 test1
2024-01-26T09:45:29.0385029Z 3
2024-01-26T09:45:29.0385401Z 4 ***
2024-01-26T09:45:29.0385658Z 5
2024-01-26T09:45:29.0385948Z 6 ***
2024-01-26T09:45:29.0386188Z 7
Output from the file based script:
2024-01-26T09:45:28.6888518Z 1 ***
2024-01-26T09:45:28.6890152Z 2 test1
2024-01-26T09:45:28.6890863Z 3 ***
2024-01-26T09:45:28.7077227Z /d/a/r1/a/_secret/echo.sh: line 6: test1: command not found
2024-01-26T09:45:28.7104148Z 4
2024-01-26T09:45:28.7113476Z 5 ***
2024-01-26T09:45:28.7278287Z /d/a/r1/a/_secret/echo.sh: line 8: test1: command not found
2024-01-26T09:45:28.7287815Z 6
2024-01-26T09:45:28.7289441Z 7 ***
Upvotes: 1
Views: 541
Reputation: 8468
For the 1st query, this is because file-based scripts do not replace the $(VARIABLE) placeholder, but they can read the argument you passed: echo $(args). Here you used the same name test1 (argument) for the test1 secret.
For the 2nd query, to use a file-based script without input arguments for the secrets, you can map the secret variable as an environment variable.
And output the environment variable instead in the bash file. You cannot output $TEST1.
The output:
In addition, in the Azure Key Vault task, you can choose the option below so that the secret variable can be exposed to all tasks in the job.
If you use Variable groups which link to the Key Vault variable, make sure the scope is on the release, or the correct stage, and that it is not overridden in the previous tasks in the job, so that the secret variable can be mapped to the environment.
Upvotes: 2
Reputation: 16133
This is because file-based scripts do not replace $(VARIABLE) placeholder. You should use environment variables:
In your case, this is a good example:
Output from the file based script:
2024-01-26T09:45:28.6888518Z 1 ***
2024-01-26T09:45:28.6890152Z 2 test1
2024-01-26T09:45:28.6890863Z 3 ***
2024-01-26T09:45:28.7077227Z /d/a/r1/a/_secret/echo.sh: line 6: test1: command not found
Check this doc on how to use secret variables: Set secret variables
Upvotes: 2
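An added example, not taken from the question or either answer: a helper for a file-based script that reads the secret from a mapped environment variable, falls back to the positional argument used in the question, and fails when the value is missing or is still the literal $(test1) text that Azure DevOps leaves in place when it cannot resolve a macro. The names TEST1 and resolve_secret, and the mapping TEST1 = $(test1) in the task's Environment Variables, are assumptions.

```bash
#!/usr/bin/env bash
# Added example; TEST1 and resolve_secret are assumed names, not from the page.
# Assumes the task's Environment Variables section maps TEST1 = $(test1).

# resolve_secret NAME [FALLBACK_ARG]
# Prints the secret on stdout. Returns 1 if nothing was supplied and
# 2 if the value is an unexpanded pipeline macro.
resolve_secret() {
  local name=$1
  local fallback=${2-}
  local value
  # printenv only sees exported variables, i.e. what the agent mapped in.
  value=$(printenv "$name") || value=""
  # Fall back to the positional argument, as in the question's script.
  # Arguments show up in the agent's process list, so env is preferred.
  [ -n "$value" ] || value=$fallback
  if [ -z "$value" ]; then
    echo "error: $name not mapped into the environment, no argument given" >&2
    return 1
  fi
  case $value in
    '$('*')')
      echo "error: $name is an unexpanded macro; check variable group scope" >&2
      return 2 ;;
  esac
  printf '%s' "$value"
}

# Constructed demo value so the script also runs off-agent.
export TEST1='constructed-demo-value'
if secret=$(resolve_secret TEST1 "${1-}"); then
  # Log only the length; never rely on *** masking to hide an echoed secret.
  echo "TEST1 resolved (${#secret} chars)"
fi
```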