0

I am trying the below code to retrieve the Azure Key Vault secret from the release pipeline, but I am not able to print the exact string using the below code.

```powershell
(Get-AzKeyVaultSecret -vaultName "keyvalultname" -name "Password").SecretValueText
$Password = (Get-AzKeyVaultSecret -vaultName "keyvalultname" -name "Password").SecretValueText
$Password
Write-Output 'DBPassword is $Password'
Write-Host 'DBPassword is $Password'

if ($Password -eq "Password01")
{
   Write-Host "1"
}
else
{
   Write-Host "0"
}

Write-Host $($Password.Username)
```

Nowhere in the above code am I getting the value "Password01". But I am able to print 1 in the IF condition.

The output I got is given below:

```
2019-12-09T14:01:45.9967410Z ***
2019-12-09T14:01:45.9972871Z DBPassword is $Password
2019-12-09T14:01:45.9984181Z DBPassword is $Password
2019-12-09T14:01:45.9992966Z 1
2019-12-09T14:01:46.0026811Z 
2019-12-09T14:01:46.0030953Z 
```
Shayki Abramczyk
mystack
  • Why are you trying to do this? If you need to know the value of a keyvault secret, look at the keyvault. If you don't have access, then ask for it. If you can't get access, maybe you're not supposed to be able to look at the secret value? – Daniel Mann Dec 09 '19 at 15:13
  • On a slight tangent, the reason why the `Write-Output` and `Write-Host` calls return `DBPassword is $Password` instead of `DBPassword is Password01` or indeed `DBPassword is ***` is that single quoted strings are _verbatim_ strings meaning expressions are not evaluated. Use double quotes instead. See [about_quoting_rules](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules). – Will Feb 18 '21 at 12:45

1 Answer

2

This is Azure DevOps behavior, to mask secret variables and not print the values in the logs, see here:

> We make an effort to mask secrets from appearing in Azure Pipelines output, but it's not bulletproof. Never echo secrets as output. Some operating systems log command line arguments. Never pass secrets on the command line. Instead, we suggest that you map your secrets into environment variables.
>
> We will not ever mask substrings of secrets. If, for example, "abc123" is set as a secret, "abc" will not be masked from the logs. This is to avoid masking secrets at too granular of a level, making the logs unreadable. For this reason, secrets should not contain structured data. If, for example, "{ "foo": "bar" }" is set as a secret, "bar" will not be masked from the logs.

You can print the value vertically if you print them as chars:

```powershell
$Password.ToCharArray()
```
Shayki Abramczyk
  • If you want to print secrets horizontally, the following command can be used: `$singleLineSecret = $secret.ToCharArray() -join ''` – Utku A. Jan 21 '21 at 13:26
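
The exact-match masking described in the quoted documentation, modelled as an added example (not part of the original answer and not Azure DevOps' own code). The function names `Protect-LogLine` and `Get-SecretFragment`, the per-line replacement and the sample log lines are assumptions constructed for illustration; `Password01` is the value from the question.

```powershell
# Added illustration, not Azure DevOps code: a simplified model of exact-match
# log masking plus an audit check for fragments that survive it.

function Protect-LogLine {
    # Assumed model: replace each whole secret value with '***', line by line.
    param([string] $Line, [string[]] $Secrets)
    foreach ($secret in $Secrets) {
        if ($secret) {
            # Literal, case-sensitive replacement of the complete value only.
            $Line = $Line.Replace($secret, '***')
        }
    }
    $Line
}

function Get-SecretFragment {
    # Audit helper: returns the longest fragment of $Secret (at least $MinLength
    # characters) still visible in an already-masked line, or $null if none.
    param([string] $MaskedLine, [string] $Secret, [int] $MinLength = 4)
    for ($len = $Secret.Length; $len -ge $MinLength; $len--) {
        for ($start = 0; $start + $len -le $Secret.Length; $start++) {
            $fragment = $Secret.Substring($start, $len)
            if ($MaskedLine.Contains($fragment)) { return $fragment }
        }
    }
    return $null
}

$secret = 'Password01'   # value from the question

# Constructed sample log lines.
$lines = @(
    "DB secret is $secret",                      # whole value: masked
    'DB secret is $secret',                      # single quotes: never expanded
    "First part: $($secret.Substring(0, 6))"     # substring: not masked
)

foreach ($line in $lines) {
    $masked = Protect-LogLine -Line $line -Secrets $secret
    [pscustomobject]@{
        Logged         = $masked
        LeakedFragment = Get-SecretFragment -MaskedLine $masked -Secret $secret
    }
}
```

Only the third line reports a leaked fragment, which matches the documentation's statement that substrings of a secret are not masked. A per-line check like this cannot see a value written one character per line, which is why the quoted guidance is not to echo secrets at all.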