4

My Key Vault secrets are appearing in clear text in the console. I tried to set the variable to a secret:

echo "##vso[task.setvariable variable=nsg-list;issecret=true;isOutput=true]$(nsg-list)"
echo "##vso[task.setvariable variable=nsg-rules;issecret=true;isOutput=true]$(nsg-rules)"

Now the builds are failing; if I remove issecret=true, the builds work again.

I need to pass the variables between tasks and jobs. Is there a better way of doing this?

pool:
  vmImage: 'Ubuntu-16.04'
steps:
  - task: AzureKeyVault@1
    displayName: Read variables from keyvault
    inputs:
      azureSubscription: Sandbox
      keyVaultName: "sandbox"
      secretsFilter: '*'
  - script: |
      echo "##vso[task.setvariable variable=backend_storage_account_name;issecret=true;isOutput=true]$(backend-storage-account-name)"
      echo "##vso[task.setvariable variable=backend_storage_container_name;issecret=true;isOutput=true]$(backend-storage-container-name)"
      echo "##vso[task.setvariable variable=backend_access_key;issecret=true;isOutput=true]$(backend-access-key)"
      echo "##vso[task.setvariable variable=tenant-id;issecret=true;isOutput=true]$(tenant-id)"
      echo "##vso[task.setvariable variable=app-id;issecret=true;isOutput=true]$(app-id)"
Shayki Abramczyk
stravze

2 Answers

3

You need to explicitly set them as environment variables with something like this:

env:
  var1: $(your_var_name)

in each step you intend to use them, and then you can use them as environment variables.

4c74356b41
  • That resolves the passing between jobs / tasks, but what about builds failing if you add issecret=true;isOutput=true: echo "##vso[task.setvariable variable=backend_storage_account_name;issecret=true;isOutput=true]$(backend-storage-account-name)" but builds are successful if you remove issecret=true – stravze Apr 26 '19 at 11:18
  • That works for me just fine, not sure what you mean – 4c74356b41 May 01 '19 at 10:06
  • I think the OP is saying that when you use isSecret=true for task.setvariable nothing is being returned to the variable. This is the exact issue we are facing. – Jeff Patton Dec 08 '20 at 22:09
2

I think the issue is understanding what these variables truly are. From the OP:

echo "##vso[task.setvariable variable=nsg-list;issecret=true;isOutput=true]$(nsg-list)"

In this context these are Task Variables; it would be akin to creating the variable in the Variables section of the pipeline. What we have noticed in our testing is that isOutput will prepend the task name onto the variable, which was not terribly convenient for us, so we opted to not use isOutput.

In order to make the secrets available on Linux we just exported those variables and were able to move forward with our pipeline.

Jeff Patton
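
A minimal pipeline combining the two answers above (map the secret into each step with env:, and set it with issecret=true but without isOutput), as an added example that is not code from either answer. The vault and service connection names are the question's; the agent image, the step layout and the environment variable names BACKEND_KEY_IN and ACCESS_KEY are assumptions.

```yaml
# Added example. Vault and service connection names come from the question;
# the env var names BACKEND_KEY_IN and ACCESS_KEY are assumptions.
pool:
  vmImage: 'ubuntu-latest'   # assumption: any Linux agent with bash
steps:
  - task: AzureKeyVault@1
    displayName: Read variables from keyvault
    inputs:
      azureSubscription: Sandbox
      keyVaultName: "sandbox"
      # A comma-separated list fetches only what this job needs, instead of '*'.
      secretsFilter: 'backend-access-key'

  - bash: |
      # The value reaches the script through env, so it is never written into
      # the script text. issecret=true keeps the new variable masked in logs.
      # Without isOutput the name gets no step prefix, and the variable is
      # visible to later steps of this job only.
      echo "##vso[task.setvariable variable=backend_access_key;issecret=true]$BACKEND_KEY_IN"
    displayName: Re-publish secret under a new name
    env:
      BACKEND_KEY_IN: $(backend-access-key)

  - bash: |
      # An undefined macro is left in place as literal text, so check for
      # that prefix as well as for an empty value.
      case "$ACCESS_KEY" in
        ''|'$('*) echo "backend_access_key was not set"; exit 1 ;;
      esac
      # Confirm presence only; never echo the value itself.
      echo "access key is set"
    displayName: Use the secret
    env:
      ACCESS_KEY: $(backend_access_key)
```

To read the variable from another job, isOutput=true and a step name: are needed, and the reference then carries the step name as a prefix, as the second answer observed.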