According to the documentation, one can split the secrets and output substrings:
We make an effort to mask secrets from appearing in Azure Pipelines
output, but you still need to take precautions. Never echo secrets as
output. Some operating systems log command line arguments. Never pass
secrets on the command line. Instead, we suggest that you map your
secrets into environment variables.
We never mask substrings of secrets. If, for example, "abc123" is set
as a secret, "abc" isn't masked from the logs. This is to avoid
masking secrets at too granular of a level, making the logs
unreadable. For this reason, secrets should not contain structured
data. If, for example, "{ "foo": "bar" }" is set as a secret, "bar"
isn't masked from the logs.
Here is an example in bash, which can potentially be transferred to PowerShell:
```yaml
- task: Bash@3
  inputs:
    targetType: inline
    script: |
      # let's say the secret is Passw0rd
      # Direct output is masked:
      echo $MYSECRET
      # OUTPUTS "***"
      # Concatenated output is masked:
      echo "ABC$MYSECRET DDD"
      # outputs "ABC*** DDD"
      # Experimenting with substrings:
      firstPart=${MYSECRET::-2}
      secondPart=${MYSECRET: -2}
      # Substrings are displayed:
      echo $firstPart
      # outputs "Passw0"
      echo $secondPart
      # outputs "rd"
      # Substrings concatenated with other strings are displayed:
      echo "$firstPart-$secondPart"
      # outputs "Passw0-rd"
      # Directly concatenated substrings are masked:
      echo "$firstPart$secondPart"
      # outputs "***"
      # Secrets can be written to a file:
      echo "$MYSECRET" > test.txt
      # Secrets are even masked when being displayed as part of a file:
      cat test.txt
      # outputs "***"
  env:
    MYSECRET: $(my_secret) # This is defined in a variable group
- task: PublishPipelineArtifact@1
  inputs:
    targetPath: 'test.txt' # This pipeline artifact contains the secret unmasked
    artifact: 'TestArtifact'
    publishLocation: 'pipeline'
  displayName: 'Publish PipelineRunData artifact'
```
We therefore have two options to get the secret:
- Output the secret partially and concatenate manually
- Download pipeline artifact
Probably not ideal from a security perspective, but it is extremely important to understand the limitations of the system: Whoever has access to modifying a pipeline can potentially get access to the secrets used by the pipeline.
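To make the documented behaviour concrete from the reviewer's side, here is an added example (not part of the original answer, and not Azure Pipelines code) that models the masker as a plain whole-secret replacement, then scans the resulting log lines for secret fragments that the masker leaves behind. The masking model and the log lines are constructed assumptions; the fragment scanner is the kind of check a pipeline reviewer or log-retention job could run to catch partial leaks.

```python
# Constructed model of "exact occurrences only" secret masking plus a
# defensive scanner for fragments that survive it. Assumption: the real
# masker behaves like str.replace on the full secret, as the docs describe.
from typing import Iterable, List, Tuple

MASK = "***"
SECRET = "Passw0rd"  # constructed sample secret, same as in the answer


def mask_line(line: str, secrets: Iterable[str]) -> str:
    """Replace every whole-secret occurrence with MASK; substrings stay."""
    for secret in secrets:
        if secret:
            line = line.replace(secret, MASK)
    return line


def leaked_fragments(line: str, secret: str, min_len: int = 4) -> List[str]:
    """Return the longest substrings of `secret` (>= min_len chars) that are
    still readable after masking. Empty list means nothing leaked."""
    masked = mask_line(line, [secret])
    found: List[str] = []
    n = len(secret)
    for length in range(n, min_len - 1, -1):        # longest fragments first
        for start in range(0, n - length + 1):
            frag = secret[start:start + length]
            # skip fragments already covered by a longer hit
            if frag in masked and not any(frag in f for f in found):
                found.append(frag)
    return found


def scan_log(lines: Iterable[str], secret: str, min_len: int = 4) -> List[Tuple[int, str, List[str]]]:
    """Report (line number, masked line, leaked fragments) for leaking lines."""
    report = []
    for idx, line in enumerate(lines, start=1):
        frags = leaked_fragments(line, secret, min_len)
        if frags:
            report.append((idx, mask_line(line, [secret]), frags))
    return report


# Constructed log lines mirroring the echo statements in the answer.
SAMPLE_LOG = ["Passw0rd", "ABCPassw0rd DDD", "Passw0", "rd", "Passw0-rd"]

if __name__ == "__main__":
    for masked in (mask_line(l, [SECRET]) for l in SAMPLE_LOG):
        print(masked)
    for idx, masked, frags in scan_log(SAMPLE_LOG, SECRET):
        print(f"line {idx}: {masked!r} leaks {frags}")
```

Lines 3 and 5 are reported as leaking "Passw0"; the two-character "rd" on line 4 falls below the default threshold, which illustrates why very short fragments cannot be caught without flooding the report with false positives.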