I want to pass a PAT as a pipeline parameter to a script (gitlab.sh) that calls the GitLab REST API:

gitlab.sh

    #!/bin/bash
    set -e

    MY_PAT="${MY_PAT}" # I want this to be secret and not printed in logs

    function rest_api {
      # Backslashes continue the single curl command across lines
      curl -sSL -H "Content-Type: application/json" -H "PRIVATE-TOKEN:$MY_PAT" -X POST \
        --data '{"name": "my-group","path": "my-group"}' \
        https://gitlab.example.com/api/v4/groups
    }

    rest_api

azure-pipelines.yml

    pool:
      vmImage: 'ubuntu-latest'
    parameters:
    - name: myPAT
      displayName: 'My PAT'
      type: string
    
    steps:
    - checkout: self
    - script: |  
        echo "Creating group in Gitlab"
        export MY_PAT=${{parameters.myPAT}} #how can I pass this secretly to gitlab.sh
        bash -x gitlab.sh
      condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/feature'))
      displayName: 'Creating group in Gitlab'  
S R

1 Answer

If you want to set a secret, you should use a logging command as below:

    - bash: |
        echo "##vso[task.setvariable variable=MY_PAT;issecret=true]${{parameters.myPAT}}"
      name: SetSecret

In the next task you should have the MY_PAT secret variable available. However, since you will pass it as a runtime parameter, it could be printed in the logs.

For instance:

    parameters:
    - name: myPAT
      displayName: 'My PAT'
      type: string

    trigger: none
    pr: none

    pool:
      vmImage: 'ubuntu-latest'

    steps:
    - bash: |
        echo "You can use macro replacement to get secrets, and they'll be masked in the log: ${{parameters.myPAT}}"

    - bash: |
        echo "##vso[task.setvariable variable=MY_PAT;issecret=true]${{parameters.myPAT}}"
      name: SetSecret

    - bash: |
        echo "You can use macro replacement to get secrets, and they'll be masked in the log: $(MY_PAT)"

For the first print I got:

    You can use macro replacement to get secrets, and they'll be masked in the log: MySecret

and for the second:

    You can use macro replacement to get secrets, and they'll be masked in the log: ***

So by passing a secret via parameters you may expose it. Be aware of that.

I created a feature request to support runtime parameters as secrets here. Feel free to vote it up if you consider this a valuable feature.

    pool:
      vmImage: 'ubuntu-latest'
    parameters:
    - name: myPAT
      displayName: 'My PAT'
      type: string

    steps:
    - checkout: self
    - bash: |
        echo "##vso[task.setvariable variable=MY_PAT;issecret=true]${{parameters.myPAT}}"
      name: SetSecret

    - script: |
        echo "Creating group in Gitlab"
        bash -x gitlab.sh
      condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/feature'))
      displayName: 'Creating group in Gitlab'
      env:
        MY_MAPPED_ENV_VAR: $(MY_PAT) # the recommended way to map to an env variable

and then you can use MY_MAPPED_ENV_VAR in your sh file as an environment variable.

Krzysztof Madej
  • thanks but will setSecret be accessible in script file gitlab.sh; I have already tried with setting var as secret but that (MY_PAT) wasn't accessible – S R Dec 08 '20 at 11:23
  • You don't need to have setSecret accessible in sh file. In your case you need to add env mapping to have this value mapped as environment variable. – Krzysztof Madej Dec 08 '20 at 11:29
  • I have already tried setting in env var, that doesn't serve my purpose. May I please request you to revisit question? I want PAT to call REST API from script file – S R Dec 08 '20 at 11:35
  • Sorry I don't get it. All above should do the job. It sets env variable which you can access from file. Previously you set variable via export. However, did you try approach which I show you? As far as I'm aware `export` is not recommended approach for doing this. I did as above in the past and it was fine. – Krzysztof Madej Dec 08 '20 at 11:55
  • I got it now..thanks..so export secret variable is not recommended; is my understanding correct? – S R Dec 08 '20 at 12:02
  • Yeah. This is why there is mapping system created. @Wanderer Can you consider upvoting my reply if it was helpful for you? – Krzysztof Madej Dec 08 '20 at 12:16
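
A variant of gitlab.sh that consumes the `env:` mapping from the answer, as an added example that is not part of the original question or answer. It reads the token from `MY_MAPPED_ENV_VAR`, turns tracing off, and hands the header to curl over stdin; the `create` sub-command and the function names are assumptions, and the step would call it as `bash gitlab.sh create` without `-x`.

```bash
#!/bin/bash
# Added example: gitlab.sh reading the token from the env mapping in the answer.
# MY_MAPPED_ENV_VAR comes from the step's env: block; the "create" sub-command
# and the function names are assumptions of this sketch.
set -eu
set +x   # keep xtrace off so the expanded token is never written to the step log

GITLAB_API="https://gitlab.example.com/api/v4"   # host from the question

# Fail early, printing nothing secret, when the mapping is missing. An undefined
# pipeline variable is not replaced, so the literal text "$(MY_PAT)" arrives.
require_token() {
  case "${MY_MAPPED_ENV_VAR:-}" in
    ""|'$('*) echo "MY_MAPPED_ENV_VAR is not mapped to a secret" >&2; return 1 ;;
  esac
}

# Emit the request headers as a curl config, so the token travels over stdin
# and never appears in curl's argument list (visible in the process table).
curl_config() {
  printf 'header = "PRIVATE-TOKEN: %s"\n' "$MY_MAPPED_ENV_VAR"
  printf 'header = "Content-Type: application/json"\n'
}

create_group() {
  require_token
  curl_config | curl -sSL --fail --config - -X POST \
    --data '{"name": "my-group","path": "my-group"}' \
    "$GITLAB_API/groups"
}

# Only touch the network when asked to: bash gitlab.sh create
case "${1:-}" in
  create) create_group ;;
esac
```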