6
votes

I am building a project server solution with Azure DevOps.

In my release pipeline I have multiple PowerShell scripts that require user credentials as parameters. The password is saved in a secret variable in DevOps and contains a single quote.

Password: abcd'efgh

This leads to the pipeline throwing an error: "The string is missing the terminator: '."

When I hard code the password into the pipeline with double quotes the script executes perfectly.

Argument: -password "abcd'efgh"

When I put the DevOps secret variable in double quotes the script executes, but gives me an error when trying to authenticate at the server, possibly because the password that is passed is "***".

Argument: -password "$(passwordVariable)"

Here is the relevant part of the script that is being executed by the pipeline. Any help is greatly appreciated.

param(
  $siteUrl,
  $username,
  $password
)
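# -AsPlainText is required when converting a plain-text string
$encpassword = ConvertTo-SecureString -String $password -AsPlainText -Force
# Pass the SecureString, not the plain-text password, to PSCredential
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $encpassword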
Connect-PnPOnline -Url $siteUrl -Credentials $cred

How do I get the password into the script?

1
Take a look at this extension: marketplace.visualstudio.com/… this might be useful - Amit Baranes
@redleo85 I am facing this exact same situation. Did you ever get this resolved (without the use of a marketplace extension)? - Mike
I have the same problem with an @ symbol. "[email protected]" is converted to "***". If I remove domain info, it is fine, "myname" remains "myname". - Mike Williamson

1 Answer

1
votes

The problem you are facing is that the $(passwordVariable) variable reference is expanded in the script body, before it is executed by PowerShell. This means that PowerShell sees the variable value and interprets special characters in it. You could prepend all the special characters with the PowerShell escape char (`), but that's not very elegant.

A safer way of accessing variables in scripts is via env variables - each variable you set in your pipeline creates an environment variable (The name is upper-cased, and the . is replaced with the _).

For a regular (non-encrypted) variable, you would have:

Do-Something -password "$($env:PASSWORDVARIABLE)"

For secret (encrypted) variables, you have to explicitly map them to the script's env variables. In a classic pipeline, use the Environment section. In YAML, it would look like this:

- pwsh: |
    Do-Something -Password $($env:MAPPED_PASSWORD)
  env:
    MAPPED_PASSWORD: $(passwordVariable)

One caveat: don't prefix mapped variables with SECRET_ - it won't work, because this prefix is used by DevOps internally.
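
The two paths the answer contrasts, as an added example that is not part of the original answer: it parses the script text as it looks after macro expansion versus with an env reference, then builds the credential from the mapped variable. `Test-ExpandedText`, `Get-PipelineCredential` and the user name `svc-deploy` are hypothetical names, the password is the sample value from the question, and `MAPPED_PASSWORD` is assigned by hand to stand in for the step's `env:` mapping.

```powershell
# Constructed sample value from the question. In a real pipeline the agent sets
# MAPPED_PASSWORD from the step's env: mapping; it is assigned here only for the demo.
$env:MAPPED_PASSWORD = "abcd'efgh"

function Test-ExpandedText {
    # Hypothetical helper: parse script text as PowerShell would see it and
    # return the parser's error messages (empty when the text is valid).
    param([string]$ScriptText)
    $tokens = $null
    $errors = $null
    [void][System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    return @($errors | ForEach-Object { $_.Message })
}

# Path 1, macro syntax: the value is pasted into the script text before parsing,
# so the lone single quote opens a string that never closes.
$inlined = 'Do-Something -password ' + $env:MAPPED_PASSWORD
$inlinedErrors = @(Test-ExpandedText -ScriptText $inlined)
'Inlined value: {0} parse error(s)' -f $inlinedErrors.Count

# Path 2, env reference: the script text holds only the variable name.
$viaEnvErrors = @(Test-ExpandedText -ScriptText 'Do-Something -password $env:MAPPED_PASSWORD')
'Env reference: {0} parse error(s)' -f $viaEnvErrors.Count

function Get-PipelineCredential {
    # Hypothetical helper: build a PSCredential from the mapped variable.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$EnvName = 'MAPPED_PASSWORD'
    )
    $plain = [Environment]::GetEnvironmentVariable($EnvName)
    if ([string]::IsNullOrEmpty($plain)) {
        throw "$EnvName is empty: map the secret in the step's env section."
    }
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    return [System.Management.Automation.PSCredential]::new($UserName, $secure)
}

$cred = Get-PipelineCredential -UserName 'svc-deploy'
# Compare without printing the secret: only a boolean reaches the log.
'Round trip intact: {0}' -f ($cred.GetNetworkCredential().Password -ceq "abcd'efgh")
```

Because the value never becomes part of the script text on the env path, quotes, `$` and backticks in the secret are not interpreted by the PowerShell parser.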