
I have a secret in an Azure Key Vault which basically stores one command: az login --service-principal -u ...

I am trying to call this secret in a simple PowerShell task, but every time I run the pipeline it appears masked, with output ***. It doesn't need to be shown; it just needs to do what it is meant to.

The Azure DevOps pipeline is classic (cannot be YAML for now).

The PowerShell task is the file path one (cannot be inline, as the script passes 20000 chars).

  • "it just needs to do what it is meant to" - well, what is it meant to do, and what is it currently doing? Commented Jul 17, 2024 at 17:49
  • Well, the command is az login --spn..., so it needs to log in; then it shows a bunch of subscriptions it has access to, which means it worked. But right now this is not happening; I just get "***". Commented Jul 17, 2024 at 17:57
  • Can you share the relevant portions of the script and the task definition? Eg. any place where you reference the secret Commented Jul 17, 2024 at 18:11
  • I have been testing with a small sample script of just 2 lines: $(azCreds) and az account show. If this is inline, it works!! But since I need to use file path, there it does not. I have tried passing the secret as an argument and as an environment variable, but still "***". Commented Jul 17, 2024 at 18:18

1 Answer

I have a secret in an Azure Key Vault which basically stores one command: az login --service-principal -u ...

Azure Key Vault should be used to store sensitive information, not logic of any kind. Consider creating secrets for the user name, password and tenant ID instead of storing the whole az login... command.

Another alternative would be to use an Azure service connection for the service principal.

I am trying to call this secret in a simple PowerShell task, but every time I run the pipeline it appears masked, with output ***

Secret variables are encrypted variables that you can use in pipelines without exposing their value, i.e. Azure Pipelines makes an effort to mask secrets when emitting data to pipeline logs.

Please note that the recommended ways to set secret variables are in the UI, in a variable group, and in a variable group from Azure Key Vault. You can also set secret variables in a script with a logging command but this isn't recommended since anyone who can access your pipeline can also see the secret.

See Set secret variables for more details.
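As an added example (not code from the question or the answer), here is what the file-path PowerShell script looks like once the user name, password and tenant ID are stored as three separate Key Vault secrets. Secret variables are not handed to scripts as environment variables automatically, so it assumes the PowerShell task's Environment Variables setting maps the three (hypothetical) secret names to SP_CLIENT_ID, SP_CLIENT_SECRET and SP_TENANT_ID; the script then signs in without ever writing a secret value to the log.

```powershell
# Added example, not from the original post. Assumes the AzureKeyVault task (or a
# variable group linked to the vault) has made three secrets available to the pipeline
# and the PowerShell task's Environment Variables setting maps them to the hypothetical
# names below. Nothing here echoes a secret value to the pipeline log.

$ErrorActionPreference = 'Stop'

function Get-RequiredEnv {
    param([Parameter(Mandatory)][string]$Name)
    $value = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrWhiteSpace($value)) {
        # Fail early with the variable *name* only; never include the value in the message.
        throw "Required environment variable '$Name' is empty or not set."
    }
    return $value
}

$clientId     = Get-RequiredEnv -Name 'SP_CLIENT_ID'
$clientSecret = Get-RequiredEnv -Name 'SP_CLIENT_SECRET'
$tenantId     = Get-RequiredEnv -Name 'SP_TENANT_ID'

# Non-sensitive diagnostics: lengths prove the values arrived without printing them.
Write-Host "Client ID length: $($clientId.Length); tenant ID length: $($tenantId.Length)"

# --output none keeps the subscription list and token details out of the log;
# success is checked through the exit code instead.
az login --service-principal --username $clientId --password $clientSecret --tenant $tenantId --output none
if ($LASTEXITCODE -ne 0) { throw "az login failed with exit code $LASTEXITCODE" }

# Confirm the session with a query that returns only non-sensitive fields.
az account show --query '{name:name, tenantId:tenantId}' --output table
if ($LASTEXITCODE -ne 0) { throw "az account show failed with exit code $LASTEXITCODE" }
```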


6 Comments

So if I store username, pswd, etc. in Key Vault and call them in the script, it'll work? Why isn't what I am doing working? If I call the variable in an inline script, it works! But not when I pass it as an argument or environment variable in the case of file path.
Hi @MuditBalooja, thanks for the update. May I know what you meant by "If I call the variable in inline script, it works"? Did you link the secrets in your Key Vault with your pipeline's Library and call the secret variable in an inline script like Write-Host $(someKVSecret)?
Can you please share your PowerShell script in the original post and let us know how you retrieved the Key Vault secret value to run az login? Was it using a pipelines Library linked with your Key Vault? By the way, was your pipeline running on a Microsoft-hosted agent or a self-hosted agent?
"So if I store username, pswd, etc. in Key Vault and call them in the script, it'll work?" - how are you retrieving the secrets? If you use an AzureKeyVault task or a variable group linked to a Key Vault, the secrets will be available in the pipeline. See the last link in my answer for more details.
Hi Rui, you were right: instead of storing the whole command, I just stored the username, pswd and tenant, and it worked! But my question still remains on why there is separate behaviour for inline vs file path. I use the Azure Key Vault task to download all secrets from the Key Vault and pass them as an argument for the PS script to use.
