Unable to access the plain text of a secret in Azure DevOps

Time:10-16

I need to get the plain text version of a secret for some work downstream in my Azure DevOps Release pipeline. I'm using the Azure PowerShell task (version 5.209.0) with the latest installed version of Azure PowerShell (I tried 8.5.0 and 9.0.0 and it didn't change the outcome).

I'm using the following line of PowerShell to get the plain text secret. This works on my dev machine in a PowerShell window (version 7.2.6) but not in Azure DevOps.

$plainSecret = (Get-AzKeyVaultSecret -VaultName MyKeyVaultName -Name "SecretName").SecretValueText

How can I get the plain text of a secret using PowerShell in an Azure DevOps Release pipeline?

Update: The script can access the key vault and secrets so this isn't an access issue with the service principal used. When I output the value, I see "***" as expected.

Update #2: psversion in the pipeline task returns 5.1.17763.2931

CodePudding user response:

You're actually getting the plain text of the secret.

Azure DevOps is just kind enough to never display secrets, and only display them as '***'.

Trying to output any secret from Azure DevOps will result in this behavior, but the secret will still be set in your script.

This is so Azure DevOps logs don't accidentally contain any secrets.

GitHub workflows do a similar thing as well.

Note: In both cases, the secret will be displayed as a series of asterisks, but the length of the series of asterisks will be constant, not the length of the password/secret (because otherwise this would be a significant clue to attackers).

CodePudding user response:

The "SecretValueText" property is no longer available:

Get-AzKeyVaultSecret The property SecretValueText of type Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecret has been removed. Either apply a -AsPlainText to the call to get the plain text secret, or use $secret.SecretValue of type SecureString in your script.

You can get the plain-text value of the secret by using the -AsPlainText parameter instead:

$plainSecret = Get-AzKeyVaultSecret `
  -VaultName MyKeyVaultName `
  -Name "SecretName" `
  -AsPlainText
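
An added example, not part of either answer above: a retrieval helper that uses -AsPlainText when the installed Az.KeyVault module offers it and otherwise converts the SecureString in SecretValue, which also works on the Windows PowerShell 5.1 host reported in the question. The function names and the DownstreamSecret variable name are assumptions made for illustration.

```powershell
# Added example. Get-PlainSecret, ConvertTo-PlainText and DownstreamSecret are
# hypothetical names; MyKeyVaultName / SecretName are the thread's placeholders.

function ConvertTo-PlainText {
    param([Parameter(Mandatory)] [securestring] $Secure)
    # Copy the SecureString into an unmanaged BSTR, read it, then zero and free it.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Get-PlainSecret {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name
    )
    $cmd = Get-Command Get-AzKeyVaultSecret -ErrorAction Stop
    if ($cmd.Parameters.ContainsKey('AsPlainText')) {
        # Module version that supports the switch named in the error message.
        return Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -AsPlainText
    }
    # Module version without the switch: SecretValue is a SecureString.
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name
    if ($null -eq $secret) { throw "Secret '$Name' not found in vault '$VaultName'" }
    return ConvertTo-PlainText -Secure $secret.SecretValue
}

$plainSecret = Get-PlainSecret -VaultName 'MyKeyVaultName' -Name 'SecretName'

# Confirm retrieval without writing the value (or its length) to the log.
if ([string]::IsNullOrEmpty($plainSecret)) {
    throw "Secret 'SecretName' was retrieved but is empty"
}
Write-Host 'Secret retrieved (non-empty).'

# Register the value as a secret pipeline variable so the agent masks it and
# later tasks in the same job can reference it as $(DownstreamSecret).
Write-Host "##vso[task.setvariable variable=DownstreamSecret;issecret=true]$plainSecret"
```

Testing for emptiness instead of echoing the value keeps the check meaningful even though the log would only show `***`.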