
When requesting an access token with `az account get-access-token ...` in GitHub Actions, the output (e.g. `accessToken`) is masked, even in the raw logs.

How can I unmask the output, so that I'm able to inspect the values for PoC work?

.github/workflows/azure-login.yaml:

    name: Run Azure Login with OIDC
    on: [push]

    permissions:
      id-token: write
      contents: read
    jobs:
      build-and-deploy:
        runs-on: ubuntu-latest
        steps:
          - name: "Az CLI login"
            uses: azure/login@v1
            with:
              client-id: ${{ secrets.AZURE_CLIENT_ID }}
              tenant-id: ${{ secrets.AZURE_TENANT_ID }}
              allow-no-subscriptions: true
          - name: "Run az commands"
            run: |
              az account get-access-token --resource=${{ secrets.AZURE_CLIENT_ID }} --scope=api://${{ secrets.AZURE_TARGET_API }}/.default


Shuzheng
  • Does this answer your question? [How can I see my git secrets unencrypted?](https://stackoverflow.com/questions/63003669/how-can-i-see-my-git-secrets-unencrypted) – rickvdbosch Apr 24 '23 at 10:21

1 Answer

I agree, and thanks to @rickvdbosch, who commented with the SO link to the answer by possan. When I tried the code below, using `xxd -ps` as recommended by possan in the above SO link to get the secrets, the access token got printed successfully. Refer below:

Code:

    runs-on: ubuntu-latest
    steps:

      # Checkout code
      - uses: actions/checkout@main

      # Log into Azure
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: "Run az commands"
        run: |
              access_token=$(az account get-access-token --resource=${{ secrets.AZURE_CLIENT_ID }} --scope=https://management.azure.com/.default --query accessToken -o tsv)
              echo "Access Token: $access_token" | xxd -ps



Also, according to this SO answer by mclayton, as long as you're authenticating with {{AZURE_CREDENTIALS}} stored in { and } in GitHub secrets, the value of the secrets will be masked by default; you need to convert the value into base64 or something else to view it.

By default, the Azure GitHub Action will mask the output of the secrets and the access token that is generated by the `az account get-access-token` command as a security measure:

Code:

    on: [push]
    name: Deploy ARM Template
    jobs:
      build-and-deploy:
        runs-on: ubuntu-latest
        steps:

          # Checkout code
          - uses: actions/checkout@main

          # Log into Azure
          - uses: azure/login@v1
            with:
              creds: ${{ secrets.AZURE_CREDENTIALS }}

          - name: "Run az commands"
            run: |
                  access_token=$(az account get-access-token --resource=${{ secrets.AZURE_CLIENT_ID }} --scope=https://management.azure.com/.default --query accessToken -o tsv)
                  echo "Access Token: $access_token"


SiddheshDesai
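
The behaviour discussed in this thread, as an added example that is not part of the original posts: log masking is modeled here as exact-string replacement (an assumption of this sketch), and a scanner flags hex (`xxd -ps`) or base64 encodings of a known secret in downloaded job logs, which is what a reviewer would run to detect a token that slipped past masking. `TOKEN`, the timestamp format and all function names are constructed for illustration.

```python
import base64
import re
import textwrap

# Assumption: downloaded raw job logs prefix each line with an ISO-8601 timestamp.
TS_PREFIX = re.compile(r"^\d{4}-\d\d-\d\dT[\d:.]+Z ", re.M)

def mask(log, secret):
    """Model of exact-match log masking: only the literal value becomes ***."""
    return log.replace(secret, "***")

def b64_fragments(secret):
    """Base64 text that must appear when `secret` is encoded at any byte offset."""
    frags = []
    for pad in range(3):
        enc = base64.b64encode(b"\0" * pad + secret).decode()
        start = (8 * pad + 5) // 6            # skip chars tainted by preceding bytes
        end = 8 * (pad + len(secret)) // 6    # stop before chars tainted by what follows
        frags.append(enc[start:end])
    return frags

def find_encoded_leaks(log, secret):
    """Return which encodings of `secret` survive in `log` once lines are rejoined."""
    body = re.sub(r"\s+", "", TS_PREFIX.sub("", log))  # undo xxd/base64 line wrapping
    raw = secret.encode()
    hits = []
    if raw.hex() in body.lower():
        hits.append("hex")
    if any(frag in body for frag in b64_fragments(raw)):
        hits.append("base64")
    return hits

def as_log(lines):
    """Constructed helper: prefix lines the way a raw job log would."""
    return "".join(f"2023-04-24T10:21:00.0000000Z {line}\n" for line in lines)

# Constructed sample value, not a real token.
TOKEN = "eyJ0eXAiOiJKV1Qi.CONSTRUCTED-PAYLOAD.not-a-real-signature"
LINE = f"Access Token: {TOKEN}\n"
PLAIN_LOG = mask(as_log([LINE.strip()]), TOKEN)
# `xxd -ps` emits 60 hex characters (30 bytes) per output line.
HEX_LOG = mask(as_log(textwrap.wrap(LINE.encode().hex(), 60)), TOKEN)
B64_LOG = mask(as_log(textwrap.wrap(base64.b64encode(LINE.encode()).decode(), 76)), TOKEN)

if __name__ == "__main__":
    for name, log in [("plain", PLAIN_LOG), ("hex", HEX_LOG), ("base64", B64_LOG)]:
        print(name, find_encoded_leaks(log, TOKEN))
```

Any log where the scanner reports a hit contains a recoverable bearer token, so the token should be treated as exposed to everyone with read access to the run.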