1

When trying to read secret variables that are set up in an Azure release pipeline, I got the following error.

The term 'SecretVariableName' is not recognized as the name of a cmdlet, function, script file or operable program. ....

I know the variable is 100% correct, but none of the following ways help to read it. Other non-secret variables work just fine.

$myvar1 = $(SecretVariableName)      # macro syntax; if the agent does not expand it, PowerShell parses it as a call to a command named SecretVariableName (the error above)
$myvar2 = "$(SecretVariableName)"    # macro syntax inside a string
$myvar3 = $Env:SecretVariableName    # environment variable lookup

All of these DIDN'T work, where SecretVariableName is a secret variable inside the Release Pipeline.

As a side note:

  1. For non-secret variables, it works just fine.
  2. Running as an inline script in the pipeline works as well.

The problem is when attempting to read the secret variable inside a marketplace task that is used to create a VSIX file and upload it to the Visual Studio Marketplace.

How can I successfully access it?

Thanks,

Koref Koref

2 Answers

1

Secret variables are encrypted at rest with a 2048-bit RSA key. They are automatically masked out of any log output from the build or release.

Unlike a normal variable, they are not automatically decrypted into environment variables for scripts. You need to explicitly map secret variables.

Each task that needs to use the secret as an environment variable does remapping. If you want to use a secret variable called mySecret from a script, use the Environment section of the scripting task's input variables. Set the environment variable name to MYSECRET, and set the value to $(mySecret).

For details, please view this official document. In addition, you can refer to this case with a similar issue.

Update:

The following example shows how to use a secret variable called mySecret in a PowerShell script.

variables:
 GLOBAL_MYSECRET: $(mySecret) # this will not work because the variable needs to be mapped as env

steps:

- powershell: |
    # Using an input-macro:
    Write-Host "This works: $(mySecret)"

    # Using the mapped env var:
    Write-Host "This works: $env:MY_MAPPED_ENV_VAR"    # Recommended

  env:
    MY_MAPPED_ENV_VAR: $(mySecret) # right way to map to an env variable

You can also map secret variables using the variables definition. This example shows how to use secret variables $(vmsUser) and $(vmsAdminPass) in an Azure file copy task.

variables:
  VMS_USER: $(vmsUser)
  VMS_PASS: $(vmsAdminPass)    

steps:
- task: AzureFileCopy@4
  inputs:
    SourcePath: 'my/path'
    azureSubscription: 'my-subscription'
    Destination: 'AzureVMs'
    storage: 'my-storage'
    resourceGroup: 'my-rg'
    vmsAdminUserName: $(VMS_USER)
    vmsAdminPassword: $(VMS_PASS)

For examples, please refer to this.

Hugh Lin
  • Thanks for your response @hugh-lin-msft. The task you have on the left is Powershell and not marketplace task that is trying to access secret variables though. The ISSUE is when I publish the vsix file into the marketplace and then all lines that attempts to read secrets fail. See the error above. How can I approach it to access them? – Koref Koref Jun 09 '20 at 22:38
  • Tasks are implemented as code that executes on an agent machine. Tasks are **only** able to access secrets **explicitly** provided to them. You can refer to `Third-party build and release tasks` part in this [document](https://learn.microsoft.com/en-us/azure/devops/marketplace/trust?view=azure-devops). – Hugh Lin Jun 10 '20 at 09:48
  • @hugh-lin-msft Could you give me an example? In the doc,they mentioned secrets need to be mapped but they don't show where & how to do that to make it accessible in the script. – Koref Koref Jun 12 '20 at 19:42
  • Thanks @Hugh Lin-MSFT. That is a yaml file still. This is what my task looks like. https://github.com/microsoft/vsts-extension-samples/tree/master/build-results-enhancer/src/Tasks/MyPlainTask1 Take a look at the PS script (MSBuild.ps1). This is where I would like access to the secret either from Release pipeline variables OR from a previous Azure KeyVault task. If you see the execution element in task.json, that is where the Powershell script will be fed into and I don't know how to use yaml here. Hopefully the link provided will give you more context. – Koref Koref Jun 17 '20 at 05:44
  • have you had any luck with the secrets? – Eakan Gopalakrishnan Jun 13 '21 at 17:53
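The answer above maps the secret into an environment variable and reads it with `$env:`. The script below is an added example (not part of the original answer) of what a script file run by the PowerShell task should do with that mapping: it assumes the step declared `env: MY_MAPPED_ENV_VAR: $(mySecret)` exactly as in the answer's YAML, and it fails the step with a clear message when the mapping is missing or when the macro was never expanded, instead of silently running with an empty value. The `svc-deploy` account name and the `example.invalid` endpoint are placeholders.

```powershell
# Added example, not from the original answer. Assumes the PowerShell step mapped the
# secret pipeline variable mySecret with:
#   env:
#     MY_MAPPED_ENV_VAR: $(mySecret)
# and that this file is checked in and run via filePath, so the agent does not
# macro-expand anything inside it; only the env: mapping carries the value.

function Get-RequiredSecret {
    param([Parameter(Mandatory = $true)][string]$EnvName)

    $value = [Environment]::GetEnvironmentVariable($EnvName)
    if ([string]::IsNullOrEmpty($value)) {
        # Secret variables are never auto-exported to the environment, so an empty
        # value almost always means the env: mapping on the step is missing.
        Write-Host "##vso[task.logissue type=error]Secret '$EnvName' is empty; map it under the step's env: section."
        throw "Missing secret '$EnvName'"
    }
    if ($value -match '^\$\([^)]+\)$') {
        # The agent leaves an unknown macro unexpanded, so a literal "$(name)" here means
        # the pipeline variable itself does not exist or is misspelled.
        throw "'$EnvName' holds the unexpanded macro '$value'; check the variable name"
    }
    return $value
}

$secret = Get-RequiredSecret -EnvName 'MY_MAPPED_ENV_VAR'

# Log only the length. The agent masks the exact secret value in output, not derived
# forms of it (hashes, base64, substrings), so never print a transformation of it.
Write-Host "Secret loaded ($($secret.Length) characters)"

# Hand the value to APIs as a SecureString/PSCredential rather than passing the plain
# string around the script.
$securePassword = ConvertTo-SecureString -String $secret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('svc-deploy', $securePassword)
# Invoke-RestMethod -Uri 'https://example.invalid/api' -Credential $credential   # placeholder endpoint

# A derived secret that later steps in the job need should be registered as a secret
# too, so the agent masks it as well.
Write-Host "##vso[task.setvariable variable=authHeader;issecret=true]Bearer $secret"
```

The two checks matter in practice: an empty `$env:` value and a literal `$(mySecret)` are the two ways a misconfigured step fails, and both are easier to diagnose at the top of the script than after a downstream API call rejects an empty credential.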
0

There isn't any documentation that I could find useful, and I spent days figuring this thing out on my own, trying so many things and suggestions with no success. I finally solved it on my own and hopefully this will help someone else not to waste as much time as I did.


# Runs inside a custom task whose task.json uses the PowerShell3 handler, so the
# VstsTaskSdk module is already loaded when this script starts.

# This gets ALL task variables that you can access (including secret variables).
$allTaskVariablesIncludingSecrets = Get-VstsTaskVariableInfo

# Convert it to JSON to see what's available while debugging; this is just for you
# to see what you can access.
$allTaskVariablesIncludingSecrets | ConvertTo-Json
# That will give you an array of objects with three properties (Name, Secret and Value) in this format:
# [
#     {
#         "Name":  "SecretVariableName",
#         "Secret":  true,
#         "Value":  "***"
#     },
#     {
#         "Name":  "NotSecretVar",
#         "Secret":  false,
#         "Value":  "Some stuff here"
#     }
# ]

# Since our objective is to get hold of secret variables, let's filter for them.
$secVariables = $allTaskVariablesIncludingSecrets | Where-Object { $_.Secret -eq $true }
# If one of your secret variables is called 'SecretVariableName', here is how you access it.
$mySecretVarObject = $secVariables | Where-Object { $_.Name -eq 'SecretVariableName' }
$mySecret = $mySecretVarObject.Value
# The log will display *** for the value, but Length will show you the actual length,
# so you know $mySecret is usable in your script. You don't NEED to SEE the actual value.
Write-Host "Value: $mySecret and Length: $($mySecret.Length)"

# Simply use $mySecret the way you would any local variable. No special treatment or hassle needed.

https://bitbucket.org/ZelalemW/how-to-access-secrets-in-ado/src/master/

Koref Koref
  • Welcome to Stack Overflow! While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes – Rayan Ral Jul 12 '20 at 06:55
  • I actually added the method call but it makes sense @RayanRal and added code snippet – Koref Koref Jul 12 '20 at 09:06
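The error quoted in the question has a mechanical cause: the agent only expands `$(SecretVariableName)` in task inputs and inline scripts, never inside a script file that a custom task loads from disk, so PowerShell parses `$(SecretVariableName)` as a subexpression invoking a command named SecretVariableName, which is exactly the "not recognized as the name of a cmdlet" message. The answer above reads the secret through `Get-VstsTaskVariableInfo`; the comment earlier in the thread points out that tasks are only able to access secrets explicitly provided to them. The script below is an added example (not the sample repository's MSBuild.ps1 and not code from the answer) that does both in the order a task author would want: it first reads a task input the pipeline author maps to the secret, and only then falls back to reading the pipeline variable through the SDK. It assumes task.json declares a string input named `apiToken`, that the pipeline step passes `apiToken: $(SecretVariableName)` (in a classic release, the same value typed into the task's input box), and that VstsTaskSdk ships under `ps_modules\VstsTaskSdk` as in the sample tasks. The `example.invalid` endpoint is a placeholder.

```powershell
# Added example of a custom task's entry script using VstsTaskSdk; not the sample
# repository's MSBuild.ps1. Assumes:
#  - task.json declares a string input named "apiToken"
#  - the pipeline step sets   inputs:
#                               apiToken: $(SecretVariableName)
#  - VstsTaskSdk is shipped under <task folder>\ps_modules\VstsTaskSdk
[CmdletBinding()]
param()

if (-not (Get-Module -Name VstsTaskSdk)) {
    Import-Module (Join-Path $PSScriptRoot 'ps_modules\VstsTaskSdk') -ErrorAction Stop
}

Trace-VstsEnteringInvocation $MyInvocation
try {
    # 1. The explicit route: the secret arrives as a task input the pipeline author mapped.
    #    The agent expands $(SecretVariableName) in the input value before the task starts,
    #    so the script never has to know the pipeline variable's name.
    $apiToken = Get-VstsInput -Name 'apiToken'

    # 2. Fallback: read the pipeline variable through the SDK. Secret variables are not
    #    plain environment variables (so $env:SecretVariableName stays empty), but the
    #    SDK's variable accessors do see them.
    if ([string]::IsNullOrEmpty($apiToken)) {
        $apiToken = Get-VstsTaskVariable -Name 'SecretVariableName'
    }

    if ([string]::IsNullOrEmpty($apiToken)) {
        Write-VstsSetResult -Result 'Failed' -Message 'No secret available: map it to the apiToken input or define SecretVariableName as a secret pipeline variable.'
        return
    }

    # Confirm arrival without exposing the value; the length is enough to verify the mapping.
    Write-VstsTaskVerbose "apiToken received ($($apiToken.Length) chars)"

    # Use it. The agent masks the exact value if it ever appears in output, but not
    # transformed copies, so keep it out of Write-Host entirely.
    $headers = @{ Authorization = "Bearer $apiToken" }
    # Invoke-RestMethod -Uri 'https://example.invalid/publish' -Headers $headers   # placeholder endpoint
}
finally {
    Trace-VstsLeavingInvocation $MyInvocation
}
```

Declaring the input is what makes the secret "explicitly provided": a task consumer can see in the pipeline definition which secret the task receives, and the same script works unchanged whether the value comes from a release variable or from an earlier Azure Key Vault task that surfaced the secret as a pipeline variable.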