Roald

Reputation: 3009

Why is my Azure Keyvault secret not redacted in debug logs?

I have three Azure CD pipelines that follow similar steps. All three use a similarly named and used key that they fetch from a key vault. When I enable debug mode, the secret shows up in the logs of one deployment to a certain tenant.

Say I have these keys:

The secret is only visible if system.Debug is set to true in the CD pipeline log that uses tenant1-pipelineA-secret. The strange thing is that this exact same secret is redacted with *** in a normal print statement of the same pipeline.

So the Azure pipeline logs look like this:

...
##[debug]tenant1-pipelineA-secret: "abcdefg123"
...
tenant1-pipelineA-secret: "***"

All the other CD pipelines, and the CD pipeline to tenant2, never show the secret in plain text, also not if system.Debug is enabled.

My suspicion is that the tenant1-pipelineA-secret key contains a special character that trips up the Azure key redaction step. Although I'm not sure why that only fails for a ##[debug] line, but not for a normal print. The keys are automatically generated and can contain the following characters: *!%#_/@-.

Any ideas why this one key is shown?

Upvotes: 1

Views: 47

Answers (2)

Roald

Reputation: 3009

The issue was caused by me using a deprecated task: qetza.replacetokens.replacetokens-task.replacetokens. After upgrading from v3 to v6 the secret was hidden.

My original question was missing this detail.

Upvotes: 0

Ziyang Liu-MSFT

Reputation: 5296

I'm not sure about your YAML and I can't reproduce your issue exactly, but I noticed a similar situation. When my secret contains special characters, the secret may not be encrypted when used with a specific task on a specific OS.

For example, when the secret value contains %2, the secret will not be encrypted when using CmdLine@2 task on windows-latest image whether debug is enabled or not.

- task: CmdLine@2
  inputs:
    script: |
      echo "The value of MySecret is: $(MySecret)"

Checking the log, the value %25@testtest is visible as "The value of MySecret is: 5@testtest".

When using the ubuntu image, or the powershell task on a Windows image, there isn't the same issue.

You can try to use ubuntu-latest image if you are using windows image. If it doesn't work, since the issue can be reproduced, it's suggested to report on Developer Community. Then the Azure DevOps engineer can report this issue to their product group for further investigation.

Upvotes: 1
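As an added illustration (not code from either answer), this Python model reproduces the mechanism the answer above describes: the log masker redacts by exact string match, so once cmd.exe's batch-argument expansion turns %25@testtest into 5@testtest the value no longer matches and reaches the log unmasked. The last function is a defender-side check that scans log lines for fragments of a secret; the cmd expansion is a constructed approximation of cmd.exe, and the step simulation is my own.

```python
"""Model of why an exact-match log masker misses a secret that cmd.exe rewrote."""
import re

MASK = "***"


def mask_secrets(line: str, secrets: list[str]) -> str:
    """Exact-string redaction, the way a pipeline log masker works (simplified model)."""
    for secret in secrets:
        if secret:
            line = line.replace(secret, MASK)
    return line


def cmd_expand(script: str, args: tuple[str, ...] = ()) -> str:
    """Approximate cmd.exe batch-argument expansion: '%1'..'%9' become the
    positional arguments, or the empty string when none was passed.
    Constructed approximation for this demonstration, not cmd.exe itself."""
    def replace(match: re.Match) -> str:
        index = int(match.group(1))
        return args[index - 1] if 0 < index <= len(args) else ""
    return re.sub(r"%([1-9])", replace, script)


def run_step(secret: str, windows_cmd: bool) -> str:
    """Substitute $(MySecret) into the script from the answer, optionally pass the
    script through cmd expansion, then mask what 'echo' printed."""
    script = 'echo "The value of MySecret is: $(MySecret)"'.replace("$(MySecret)", secret)
    if windows_cmd:
        script = cmd_expand(script)          # '%2' has no argument -> dropped
    output = script[len("echo "):]           # cmd's echo prints the quotes too
    return mask_secrets(output, [secret])    # masker only knows the original value


def find_partial_leaks(log_lines: list[str], secret: str, min_len: int = 6) -> list[str]:
    """Defender-side check: flag lines containing any min_len-character slice of the
    secret, catching values that were altered (truncated, re-encoded) before logging."""
    slices = {secret[i:i + min_len] for i in range(len(secret) - min_len + 1)}
    return [line for line in log_lines if any(s in line for s in slices)]


if __name__ == "__main__":
    secret = "%25@testtest"                  # constructed sample value from the answer
    lines = [run_step(secret, windows_cmd=False), run_step(secret, windows_cmd=True)]
    for line in lines:
        print(line)
    print("suspicious:", find_partial_leaks(lines, secret))
```

Run the partial-leak check over archived pipeline logs of steps that handle secrets; an exact-match masker cannot see a value that a shell rewrote on the way to stdout.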
