Key Vault secret values are displayed as plain text in Bash script

Time:08-16

The AzureKeyVault@1 task retrieves all the secrets; some of the secrets are displayed as *** whereas some newly created ones are shown as plain text. A part of my pipeline:

     steps:
        -   task: AzureKeyVault@1
            displayName: Download secrets from KeyVault
            inputs:
                azureSubscription: azure_sub
                KeyVaultName: key_vault
                SecretsFilter: '*'
                RunAsPreJob: true

        -   task: PipAuthenticate@1
            displayName: Authentication step
            inputs:
                artifactFeeds: organization
                onlyAddExtraIndex: true 

        -   script: |
                echo "##vso[task.setvariable variable=keyvault_variable;isOutput=true]$(keyvault_variable)"
            displayName: Set environment variables
            name: SetVariables

-   stage: Stage2
    jobs:
    -   job: check_if_encrypted
        steps:
        -   task: CmdLine@2
            displayName: Write secrets
            inputs:
                script: |
                    echo keyvault_variable

Are there any changes to Azure Key Vault, or is something wrong with the pipeline? Thanks

CodePudding user response:

You're creating an unencrypted copy of the secret value with echo "##vso[task.setvariable variable=keyvault_variable;isOutput=true]$(keyvault_variable)". You should specify isSecret=true if you want it to continue to be a secret.

Refer to the documentation for more details.

CodePudding user response:

It seems we have to explicitly mention issecret=true in the echo "##vso[task.setvariable variable=keyvault_variable;isOutput=true]$(keyvault_variable)" script. Only then does it mask.

What is not clear is why this has to be set for certain secrets whereas for others it worked without explicitly mentioning it.
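
A check that follows from the two answers above, added here as an example (it is not code from the thread or from Azure DevOps): it scans pipeline text for task.setvariable logging commands that copy a $(...) macro into a new variable without issecret=true. The function names are hypothetical, the sample input is constructed, and matching property names case-insensitively is an assumption.

```python
import re

# Matches a "task.setvariable" logging command; captures the property list
# and the value that follows the closing bracket.
SETVAR = re.compile(r"##vso\[task\.setvariable\s+([^\]]*)\](.*)", re.IGNORECASE)
# A $(name) macro, expanded by the pipeline before the script runs.
MACRO = re.compile(r"\$\(([^)\s]+)\)")


def parse_properties(prop_text):
    """Split 'variable=x;isOutput=true' into a dict with lower-cased keys."""
    props = {}
    for part in prop_text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()
    return props


def find_unmasked_copies(pipeline_text):
    """Return (line_no, new_variable, source_macros) for every setvariable
    command that copies a $(macro) value without issecret=true.

    Conservative heuristic: the scan cannot tell which macros hold secrets,
    so every macro copy lacking issecret=true is reported for review."""
    findings = []
    for line_no, line in enumerate(pipeline_text.splitlines(), start=1):
        match = SETVAR.search(line)
        if not match:
            continue
        props = parse_properties(match.group(1))
        macros = MACRO.findall(match.group(2))
        is_secret = props.get("issecret", "false").lower() == "true"
        if macros and not is_secret:
            findings.append((line_no, props.get("variable", ""), macros))
    return findings


# Constructed sample: line 2 is the command from the question,
# line 4 is the same command with issecret=true added.
SAMPLE = '''- script: |
    echo "##vso[task.setvariable variable=keyvault_variable;isOutput=true]$(keyvault_variable)"
- script: |
    echo "##vso[task.setvariable variable=keyvault_variable;isOutput=true;issecret=true]$(keyvault_variable)"
'''

if __name__ == "__main__":
    for line_no, name, macros in find_unmasked_copies(SAMPLE):
        print(f"line {line_no}: '{name}' copies {macros} without issecret=true")
```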
