
My current setup uses Azure Key Vault.

I have set up a variable group in my Azure DevOps which is linked to the Variable group. I have also given my pipeline permission to access the variable group. However, I'm getting an issue trying to get the variable and use it in an inline script in the YAML.
How do I escape the variable so that it will allow the secret to have special characters in it?

    steps:
    - task: AzureCLI@2
      displayName: 'Backup SQL Database (Front End)'
      inputs:
        azureSubscription: '$(AzureSubscription)'
        scriptType: ps
        scriptLocation: 'inlineScript'
        inlineScript: |
          Write-Output "Debug: Checking Key Vault variable linkage"
          
          if ($env:STORAGEACCOUNTKEYDBASEBK -ne $null) {
            Write-Output "Key Vault secret successfully retrieved."

            $backupFileName = "SQLBK$(Get-Date -Format yyyyMMddHHmmss).bacpac"
            $password = $(SqlAdmin2)

            $stonyxdbasebakStorageAccountKey = $env:STORAGEACCOUNTKEYDBASEBK

            Write-Output "Password length: $($password.Length)"  
            Write-Output "Storage account key length: $($stonyxdbasebakStorageAccountKey.Length)"     

            az sql db export --admin-password $password `
                            --admin-user "sqladmin" `
                            --storage-key '$stonyxdbasebakStorageAccountKey' `
                            --storage-key-type "StorageAccessKey" `
                            --storage-uri "https://s.blob.core.windows.net/frontendbk/$backupFileName" `
                            --name "sqldb-frontend-prod" `
                            --resource-group "$(ResourceGroup)" `
                            --server "sql-onyx-prod"

            Write-Output "Database backup completed successfully!"
          } else {
            Write-Output "Key Vault secret not retrieved. Check variable group and pipeline linkage."
          }
      env:
        STORAGEACCOUNTKEYDBASEBK: $(storageAccountKeyDbaseBk)

Here is the Log:

    2024-11-26T18:27:18.2894352Z Debug: Checking Key Vault variable linkage
    2024-11-26T18:27:18.2917555Z Key Vault secret successfully retrieved.
    2024-11-26T18:27:18.2940017Z Password length: 16
    2024-11-26T18:27:18.2941703Z Storage account key length: 27
    2024-11-26T18:27:23.2179512Z ERROR: (InvalidImportExportStorageKeyFormat) The ImportExport operation failed because of invalid storage key format.
    2024-11-26T18:27:23.2180164Z Code: InvalidImportExportStorageKeyFormat
    2024-11-26T18:27:23.2180652Z Message: The ImportExport operation failed because of invalid storage key format.

2 Answers


  1. When variables are used from Variable Groups, it is not easy to use template expressions or even macro expressions.

    You can try the below:

    1. Define a job variable and escape the characters \ and "
    2. Use the variable in your task

        - job: MyJob
          variables:
            # Runtime expression: escape each \ first, then each "
            myEscapedSecret: $[replace(replace(variables['STORAGEACCOUNTKEYDBASEBK'], '\', '\\'), '"', '\"')]

          steps:
            - task: xxxxxx
              # ... in the task's script:
              --storage-key "$(myEscapedSecret)"
    
  2. How do I escape the variable so that it will allow the secret to have special characters in it?

    Declaring environment variables using env: is probably the best way to deal with pipeline variables containing special characters, as you’re already doing.

    Assuming that $(storageAccountKeyDbaseBk) contains the right value, there’s no need to escape special characters.

      steps:
        - task: AzureCLI@2
          displayName: 'Backup SQL Database (Front End)'
          inputs:
            azureSubscription: '$(AzureSubscription)'
            scriptType: ps
            scriptLocation: 'inlineScript'
            inlineScript: |
              # ...
          env:
            STORAGEACCOUNTKEYDBASEBK: $(storageAccountKeyDbaseBk)
    

    Your problem is probably caused by the usage of single-quoted strings.

    Expressions in single-quoted strings aren’t evaluated. They’re interpreted as string literals.

    Instead of:

    az sql db export ... --storage-key '$stonyxdbasebakStorageAccountKey' ...
    

    Try one of the following:

    az sql db export ... --storage-key $stonyxdbasebakStorageAccountKey ...
    az sql db export ... --storage-key "$stonyxdbasebakStorageAccountKey" ...
    az sql db export ... --storage-key $env:STORAGEACCOUNTKEYDBASEBK ...
    
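A pre-flight check for the value handed to `--storage-key`, written for the PowerShell inline script discussed above. This is an added example, not part of either answer: `Test-StorageKeyFormat` is a hypothetical helper, the sample key is constructed, and the 64-byte key size is an assumption about storage account access keys.

```powershell
# Added example: validate the storage key before calling az sql db export.
# Test-StorageKeyFormat is a hypothetical helper, not an Azure CLI or Az module command.
function Test-StorageKeyFormat {
    param([string]$Key)

    if ([string]::IsNullOrWhiteSpace($Key)) {
        return 'empty: the secret was not mapped into the step through env:'
    }
    # The Base64 alphabet has no dollar sign, so a leading one means the text is an
    # unexpanded reference: a single-quoted PowerShell variable or an unresolved macro.
    if ($Key.StartsWith('$')) {
        return 'literal variable reference: the value was never expanded'
    }
    try {
        $bytes = [Convert]::FromBase64String($Key)
    } catch {
        return 'not valid Base64'
    }
    # Assumption: a storage account access key decodes to 64 bytes (88 Base64 characters).
    if ($bytes.Length -ne 64) {
        return "decodes to $($bytes.Length) bytes, expected 64"
    }
    return 'ok'
}

# Constructed sample key (64 zero bytes, Base64-encoded); not a real credential.
$sampleKey = [Convert]::ToBase64String([byte[]]::new(64))

$candidates = @(
    '$sampleKey',   # single quotes: PowerShell passes the literal text
    "$sampleKey",   # double quotes: PowerShell passes the expanded value
    'too-short'     # constructed malformed value
)

foreach ($candidate in $candidates) {
    # Report only the length and the verdict, never the key itself.
    $verdict = Test-StorageKeyFormat $candidate
    Write-Output ("length {0}: {1}" -f $candidate.Length, $verdict)
}
```

In the pipeline step, call `Test-StorageKeyFormat $env:STORAGEACCOUNTKEYDBASEBK` and `throw` on any verdict other than `ok`, so a bad value fails the step before the export is submitted. A 27-character value, the length the question's log reports, is not a multiple of four characters and so is reported as not valid Base64.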