1

While using runtime parameters in Azure DevOps build pipeline, is there a way to mask the values of the parameters in pipeline logs ?

Based on my research and going through the documentation, there does not seem to be a way to achieve this (at the time of writing this). There are alternatives like using variable groups/secret variables but since the parameter values are user provided and would change for each pipeline trigger, such options are not ideal.

If the parameters values cannot be masked, can we turn off pipeline logs altogether?

Vineet Desai
  • 872
  • 5
  • 16

1 Answers1

0

During our tests, we tried to define a variable as secret with the same value to the parameter, and in the pipeline logs, the value of the parameters could not be echoed anymore.

enter image description here enter image description here enter image description here

Even though the value is still observed in the ui triggering. So for further secure setting, we suppose that you could set more specific permission for the pipeline or the yaml repo, to limit the accessibility. And you could also create a Feature Request to raise your concern with more developers.

enter image description here

==========================================================

11/7 4:20PM UTC+8 Update.

Hi Vineet, If you are going to hide the logs, you could try to limit the accessibility for the pipeline builds. Even though it could not be achieved directly via UI setting. enter image description here enter image description here

Ceeno Qi-MSFT
  • 924
  • 1
  • 3
  • 5
  • Thanks for the reply. Yes it does mask for the stage, but the parameters are still logged in plain text at the job level. If you look at the logs for "Job" and expand "Parent pipeline used these parameters" you still see the parameters in plain text. That's why I was wondering if we can turn off logging altogether if we can't prevent this behavior. – Vineet Desai Nov 07 '22 at 06:13
  • @VineetDesai, you could check my latest update. – Ceeno Qi-MSFT Nov 07 '22 at 08:28
  • Thanks for adding details around pipeline permissions. So is it correct to assume that there is no way to turn off pipeline logging ? – Vineet Desai Nov 07 '22 at 10:48
  • @VineetDesai Hi Vineet, after the investigations and referencing, we suppose it's not achievable to turn off the pipeline logs currently. You could start a [feature request ticket](https://developercommunity.visualstudio.com/AzureDevOps/suggest?) to raise your concern with more developers. The product team will look into the requirement and take it into consideration for update release. – Ceeno Qi-MSFT Nov 08 '22 at 01:36
  • Thank you. Marking this answer as accepted as it is well explained and there seems to be no other way to achieve the goal mentioned in the question. Will also raise a feature request. – Vineet Desai Nov 08 '22 at 14:02
  • @VineetDesai We are also trying to achieb=ve the same thing you tried and didnt get any solution. Did you get any solution on this? https://stackoverflow.com/questions/76493223/how-to-create-azurekeyvault-secrets-dynamically-by-masking-the-values/76506033?noredirect=1#comment134911643_76506033 – vyshakh Jun 21 '23 at 18:39