The AzureKeyVault@1 task retrieves all the secrets; some of the secrets are displayed as ***, whereas some newly created ones are shown as plain text.
A part of my pipeline:

        steps:
        - task: AzureKeyVault@1
          displayName: Download secrets from KeyVault
          inputs:
            azureSubscription: azure_sub
            KeyVaultName: key_vault
            SecretsFilter: '*'
            RunAsPreJob: true
        - task: PipAuthenticate@1
          displayName: Authentication step
          inputs:
            artifactFeeds: organization
            onlyAddExtraIndex: true
        - script: |
            echo "##vso[task.setvariable variable=keyvault_variable;isOutput=true]$(keyvault_variable)"
          displayName: Set environment variables
          name: SetVariables
    - stage: Stage2
      jobs:
      - job: check_if_encrypted
        steps:
        - task: CmdLine@2
          displayName: Write secrets
          inputs:
            script: |
              echo keyvault_variable

Are there any changes to Azure Key Vault, or is something wrong with the pipeline?
Thanks

2 Answers

It seems we have to explicitly mention issecret=true in the

    echo "##vso[task.setvariable variable=keyvault_variable;isOutput=true]$(keyvault_variable)"

script. Only then it masks. What is not clear is why this has to be set for certain secrets whereas for others it worked without explicitly mentioning it.

You’re creating an unencrypted copy of the secret value with

    echo "##vso[task.setvariable variable=keyvault_variable;isOutput=true]$(keyvault_variable)"

You should specify isSecret=true if you want it to continue to be a secret. Refer to the documentation for more details.
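
An added example (not part of the question or of either answer): a Python check that scans pipeline text for `task.setvariable` logging commands that copy a Key Vault-backed variable without `issecret=true`, the pattern both answers point at. The function names, the sample pipeline text and the list of secret names are constructed for illustration; matching the property key case-insensitively is an assumption made here so that both spellings used in the answers are accepted.

```python
import re

# ##vso[task.setvariable key=value;key=value]VALUE
SETVAR = re.compile(r'##vso\[task\.setvariable\s+([^\]]*)\](.*)', re.IGNORECASE)
MACRO = re.compile(r'\$\(([^)\s]+)\)')  # $(name) macro references in VALUE

def parse_properties(raw):
    """Split 'variable=x;isOutput=true' into a dict with lower-cased keys."""
    props = {}
    for part in raw.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            props[key.strip().lower()] = value.strip()
    return props

def find_unmasked_copies(pipeline_text, secret_names):
    """Return (line number, new variable, secrets copied) for every
    setvariable command that copies a known secret without issecret=true."""
    secrets = {name.lower() for name in secret_names}
    findings = []
    for lineno, line in enumerate(pipeline_text.splitlines(), 1):
        match = SETVAR.search(line)
        if not match:
            continue
        props = parse_properties(match.group(1))
        if props.get('issecret', 'false').lower() == 'true':
            continue  # the copy stays masked
        copied = [n for n in MACRO.findall(match.group(2)) if n.lower() in secrets]
        if copied:
            findings.append((lineno, props.get('variable', ''), copied))
    return findings

# Constructed sample: line 2 is the command from the question, line 3 a
# masked copy, line 4 a copy of a non-secret predefined variable.
SAMPLE = '''\
- script: |
    echo "##vso[task.setvariable variable=keyvault_variable;isOutput=true]$(keyvault_variable)"
    echo "##vso[task.setvariable variable=other;isOutput=true;issecret=true]$(other_secret)"
    echo "##vso[task.setvariable variable=build_tag;isOutput=true]$(Build.BuildId)"
'''

if __name__ == '__main__':
    # Assumed list of names the Key Vault task maps into the job.
    for lineno, var, copied in find_unmasked_copies(SAMPLE, ['keyvault_variable', 'other_secret']):
        print(f'line {lineno}: {var} copies {copied} without issecret=true')
```
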