Azure-pipelines-tasks: I can't pass secret variables to an inline powershell script task

Created on 19 Sep 2018  路  14Comments  路  Source: microsoft/azure-pipelines-tasks

The arguments textbox disappeared with the 2.0 version of the powershell task. This means that the recommended method of accessing secret build variables to a script has been removed.

How can I pass a secret variable to an inline powershell script task?

picture Zazcallabah
👍1

Most helpful comment

Ah, I see, thank you.

$secret = "$(MySecretVariable)"

works fine.

Thanks guys, I ran into this. I just wanted to add that the surrounding quotes are required. I wasted some time because I assumed they weren't, and didn't include them. Fail.

picture jrb-github on 3 Apr 2019
👍8 😕1

All 14 comments

@Zazcallabah

You can access your release variable directly in your script by specifying in the following format.
$(<VARIABLE_NAME>)

e.g. if you have defined variable username in the release. In the inline script, it could be accessed as $(username)

Ajay-MS picture Ajay-MS on 19 Sep 2018
👍1

Ah, I see, thank you.

$secret = "$(MySecretVariable)"

works fine.

Zazcallabah picture Zazcallabah on 19 Sep 2018
👍2

Ah, I see, thank you.

$secret = "$(MySecretVariable)"

works fine.

Thanks guys, I ran into this. I just wanted to add that the surrounding quotes are required. I wasted some time because I assumed they weren't, and didn't include them. Fail.

jrb-github picture jrb-github on 3 Apr 2019
👍8 😕1

I've tried so many variations of this - but in output - I always get the value *

darrenferguson picture darrenferguson on 26 Jun 2019
👍2

Could be it's just an output issue. Have you tried using $secret after the above, and it is failing? If you're trying something like Write-Host "$secret", I think it is intended to not work, to, well, keep it secret. :)

jrb-github picture jrb-github on 26 Jun 2019
👍1

It will definitely suppress output for secret variables. You could try outputting $secret.substring(0,10) or something to fool the masking.

Zazcallabah picture Zazcallabah on 26 Jun 2019

Ah cool thanks. The substring trick does work...

I want to put the value in a connectionstrings config file temporarily while I run some tests....

Thankyou

darrenferguson picture darrenferguson on 26 Jun 2019

though if I try....

Write-Host $Hello.substring(0, $Hello.length)

It masks it again, so i can get some characters but not all of them!

darrenferguson picture darrenferguson on 26 Jun 2019
👍1

Ah OK, so i understand that any output to the console has any secret values masked...

darrenferguson picture darrenferguson on 26 Jun 2019
👍1

Thank you for this. Very frustrating trying to track down what's going on. I hope MS fixes this, or if it's working as intended, updates the documentation to reflect this special case for hidden variables and inline Powershell scripts. There is nothing on their official docs to indicate that hidden variables will cause issues in Powershell.

BrianStork picture BrianStork on 26 Jul 2019

I had a very simple workaround, getting the string in two parts, but always that we join the two strings, TFS change to *.

in my case I have to write the secret in the settings.json then I write with a string embedded and liminate this, with a replace writing on my json

I hope that can help somebody

function GetSecretLenght ($secretName){
     $i = 0;
     while($true){
          try { 
               $secretName.substring(0,$i)|out-null 
          } catch { 
               break };
               $i++; 
          } 
     return $i-1;
     } 
function GetSecret($secretName){
     $length = GetSecretLenght($secretName);
     $secret = "$(Secret)"
   return $secret.substring(0,$length-1 )+"_eliminate-this_"+$secret.substring($secret.length-1,1)
} 

$SecretValue = GetSecret("$(Secret)");
Write-Host $SecretValue
internetgdl picture internetgdl on 31 Jul 2019
👍4

why is this not easily found in the documentation?

amccool picture amccool on 24 Oct 2019
👍5

Because ideally, we wouldn't be able to just extract the secrets that easily =D
But as a white-hat, it's better to know is possible.

RaphaelYoshiga picture RaphaelYoshiga on 15 Oct 2020

I had a very simple workaround, getting the string in two parts, but always that we join the two strings, TFS change to *.

in my case I have to write the secret in the settings.json then I write with a string embedded and liminate this, with a replace writing on my json

I hope that can help somebody

function GetSecretLenght ($secretName){
     $i = 0;
     while($true){
          try { 
               $secretName.substring(0,$i)|out-null 
          } catch { 
               break };
               $i++; 
          } 
     return $i-1;
     } 
function GetSecret($secretName){
     $length = GetSecretLenght($secretName);
     $secret = "$(Secret)"
   return $secret.substring(0,$length-1 )+"_eliminate-this_"+$secret.substring($secret.length-1,1)
} 

$SecretValue = GetSecret("$(Secret)");
Write-Host $SecretValue

In classic type, In order to access secret variable in inline powershell script,

step1: Define variable and set it secret (for ex Name: ConnectionString value: **)
step2: Add/set an Environment variable (below inline script available as an option) to remap your secret variable [since you can't access secret variables directly in scripts] like for ex Name: CONNECTIONSTRING value: $(ConnectionString )
step3: While using this variable in script access like $env:CONNECTIONSTRING

carlosmiguelsns picture carlosmiguelsns on 12 Jan 2021
Was this page helpful?
0 / 5 - 0 ratings

Related issues

yaananth picture yaananth  路  3Comments
jabbera picture jabbera  路  3Comments
ThomasBarnekow picture ThomasBarnekow  路  3Comments
MikahB picture MikahB  路  3Comments
fedemkr picture fedemkr  路  3Comments