According to https://github.com/Microsoft/vsts-tasks/blob/master/docs/authoring/commands.md, I should be able to call Write-Host ("##vso[task.setvariable variable=testvar;issecret=true;]testvalue") in a PowerShell build step and then call Write-Host "testvar: $Env:testvar" in a subsequent PowerShell build step, but it doesn't seem like the variable was saved because the output is just testvar: when I was expecting testvar: ********.
If I remove issecret=true;, it works as expected, but the value is not masked in the output.
Thank you.
Secret variables must be passed into tasks via inputs (i.e. text box). I'll clarify in the docs.
Thank you, I understand that secret variables must be passed via inputs. But let's say I am creating a new secret variable in a PowerShell inline script build step. It seems that anything with "issecret=true" doesn't actually get carried to a subsequent PowerShell inline script build step, for example.
Correct, you can use the arguments input to pass secret variables. You would need to know when creating the definition that the first task is going to set a secret name FOO and need to pass $(FOO) to the arguments input of the second task. Would that work for your scenario?
Yes, now I understand. Thank you! :)
Great! Thanks for confirming!
Not sure what is meant by inputs. I am trying to use this in VSTS. The first task is an Azure PowerShell task that uses a script to get the key from Key Vault; the second task uses that secret value as the resource name for resource deployment (testing purposes). It works without the issecret=true, but with it the value is '' (empty).
?
You need to use macro syntax in the input text boxes for secrets. Here is an example:
```yaml
steps:
- powershell: |
    write-host '##vso[task.setvariable variable=myVariable]asdf'
    write-host '##vso[task.setvariable variable=mySecret;issecret=true]qwerty'
- powershell: |
    write-host "this works: $(myVariable)"
    write-host "this works: $env:MYVARIABLE"
    write-host "this works: $(mySecret)"
    write-host "this does not work: $env:MYSECRET"
```
But why isn't the secure string picked up if you pass it to deploy your ARM template?
If I pick the generated password (so before it is encrypted) and after the deploy I try to connect to the SQL server, I can't log in with it. When using non-secure strings everything is working.
```yaml
steps:
- powershell: |
    Add-Type -AssemblyName System.Web
    $sqlPass = [System.Web.Security.Membership]::GeneratePassword(30,1)
    $SecurePass = $sqlPass | ConvertTo-SecureString -AsPlainText -Force
    # Note: interpolating a SecureString object into a string yields the text
    # "System.Security.SecureString", not the password, so the value set below
    # is not the generated password.
    Write-Host ("##vso[task.setvariable variable=releaseVar_sqlPass;issecret=true;]$SecurePass")
    Write-Host ("Only for demo the password is: $sqlPass")
  displayName: 'PowerShell Script'
- task: AzureResourceGroupDeployment@2
  displayName: 'Azure Deployment'
  inputs:
    azureSubscription: '<my-subscription>'
    resourceGroupName: '<some-rg-name>'
    location: 'West Europe'
    csmFile: '$(System.DefaultWorkingDirectory)/_<some-proj-name>/drop/Alm/ArmTemplates/azuredeploy.json'
    overrideParameters: '-sqlAdministratorLoginPassword $(releaseVar_sqlPass)'
```
In my ARM template I have

```json
"sqlAdministratorLoginPassword": {
  "type": "securestring",
  "defaultValue": "<a-default-long-long-pass>",
  "metadata": {
    "description": "The password of the admin user of the SQL Server"
  }
}
```
@jtourlamain did you ever find a solution to this? What you describe here is exactly what I would like to do but I'm wondering if it's been fixed or if there's a workaround.
@jnoyola I use a PowerShell script that generates random characters (based on https://devblogs.microsoft.com/scripting/generate-random-letters-with-powershell/)
At the end of the script I inject it into the pipeline via
```powershell
Write-Host ("##vso[task.setvariable variable=$outputVariableName;issecret=true;]$randomPass")
```
The issecret means it doesn't show up in logs. So, I don't actually convert the random string to a secure string via the ConvertTo-SecureString but thanks to the issecret flag it stays hidden from logging.
In your ARM template, define your parameter as securestring like I mentioned above.
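Putting the answers in this thread together, as an added example that is not from the issue or the vsts-tasks repository: the secret is set as a plain string (no ConvertTo-SecureString), consumed through macro syntax in the deployment task's input, and handed to a later script step through an explicit env mapping, since $env: does not see secrets. The variable name sqlAdminPassword, the env name SQL_ADMIN_PASSWORD and the bracketed input values are placeholders.

```yaml
steps:
- powershell: |
    # Build an alphanumeric password from a CSPRNG. Only bytes below 248 (4*62)
    # are kept, so indexing modulo 62 is unbiased; alphanumerics also avoid
    # quoting problems in the override-parameter string below.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $buf = New-Object byte[] 256
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    $sqlPass = -join ($buf | Where-Object { $_ -lt 248 } |
        Select-Object -First 30 | ForEach-Object { $alphabet[$_ % 62] })
    # Set the PLAIN string as a secret. issecret=true masks it in the log and
    # keeps it out of $env: for later steps. Do not pass a SecureString here:
    # inside a string it expands to the text "System.Security.SecureString".
    Write-Host "##vso[task.setvariable variable=sqlAdminPassword;issecret=true]$sqlPass"
  displayName: 'Generate SQL admin password'

# The agent expands $(sqlAdminPassword) into the task input before the task runs.
- task: AzureResourceGroupDeployment@2
  displayName: 'Azure Deployment'
  inputs:
    azureSubscription: '<my-subscription>'      # placeholder
    resourceGroupName: '<some-rg-name>'          # placeholder
    location: 'West Europe'
    csmFile: '$(System.DefaultWorkingDirectory)/<path-to>/azuredeploy.json'  # placeholder
    overrideParameters: '-sqlAdministratorLoginPassword $(sqlAdminPassword)'

# A later script cannot read the secret from $env:SQLADMINPASSWORD; map it explicitly.
- powershell: |
    if ([string]::IsNullOrEmpty($env:SQL_ADMIN_PASSWORD)) { throw 'secret was not mapped' }
    Write-Host "password length: $($env:SQL_ADMIN_PASSWORD.Length)"   # value itself stays masked
  env:
    SQL_ADMIN_PASSWORD: $(sqlAdminPassword)
  displayName: 'Consume the secret via env mapping'
```

The ARM parameter stays declared as securestring, as shown earlier in the thread, so the deployment output never echoes the value.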