What is the correct way to use a secret variable in a PowerShell script? It may be a pipeline variable, a variable group one, or a variable brought in from an Azure Key Vault task. I have seen in the documentation that it cannot be used in the same way as a normal (non-secret) variable. It says "Instead, we suggest that you map your secrets into environment variables." and "You need to explicitly map secret variables." I have used an environment variable and it works. Are there other ways to do it? This blog says you can use it directly in the script, which seems to contradict the MS document. This one passes the variable as an argument or parameter to the scripts. Does anyone know what is actually going on behind the scenes?

2 Comments
  • "I have seen in the documentation" - what documentation? :) Please provide a link. Commented Feb 23, 2020 at 23:41
  • Here is the documentation. It's about Azure Pipelines. Commented Feb 24, 2020 at 5:52

1 Answer

"I have seen in the documentation that it cannot be used in the same way as a normal (non-secret) variable. It says "Instead, we suggest that you map your secrets into environment variables." and "You need to explicitly map secret variables.""

The doc is misunderstood. It is not saying that secret variables cannot be used in the same way as a normal variable. Instead, it says that it is not suggested to pass secrets on the command line directly, since some operating systems log command line arguments, which could cause information leakage as mentioned, and it is suggested to map your secrets into environment variables.

"This blog says you can use it directly in the script, which seems to contradict the MS document."

As mentioned above, the secrets can be used directly in the script, although it is not suggested, so they are not contradictory.

You can also check the example in the MSDN doc:

steps:

- powershell: |
    # Using an input-macro:
    Write-Host "This works: $(mySecret)"

    # Using the env var directly:
    Write-Host "This does not work: $env:MYSECRET"

    # Using the mapped env var:
    Write-Host "This works: $env:MY_MAPPED_ENV_VAR"    # Recommended
  env:
    MY_MAPPED_ENV_VAR: $(mySecret)

and you will see that in the first line of the PowerShell script, the secret variable is used directly in the command.

In conclusion, I suggest we should follow the MSDN doc: map your secrets into environment variables and then use them.
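The following pipeline fragment is an added example, not part of the answer above or of the Microsoft documentation it cites. It puts the three points of the answer together in one job: a secret brought in from Key Vault (via the AzureKeyVault@2 task), one inline step that shows the unmapped secret is absent from the environment while the explicitly mapped one is present, and one script-file step that reads the secret from the mapped environment variable instead of receiving it as a command line argument. The service connection, vault, secret and script path names are placeholders I have assumed, not values from the page.

```yaml
# Added example (not the original post's code). PLACEHOLDER values are assumptions.

steps:
- task: AzureKeyVault@2
  displayName: Fetch secrets from Key Vault
  inputs:
    azureSubscription: 'my-service-connection'   # PLACEHOLDER service connection name
    KeyVaultName: 'my-key-vault'                 # PLACEHOLDER vault name
    SecretsFilter: 'ApiToken'                    # PLACEHOLDER secret; exposed as $(ApiToken)
    RunAsPreJob: false

- powershell: |
    # Secrets are not auto-mapped: with no env mapping, $env:APITOKEN is empty.
    if ([string]::IsNullOrEmpty($env:APITOKEN)) {
      Write-Host "Unmapped secret is not visible as `$env:APITOKEN (expected)"
    }

    # Explicit mapping (see the env: block below) scopes the secret to this step only.
    if ([string]::IsNullOrEmpty($env:API_TOKEN)) {
      throw "API_TOKEN was not mapped into this step"
    }

    # Log something about the secret, never the secret itself.
    Write-Host "Mapped secret present, length: $($env:API_TOKEN.Length)"
  displayName: Check mapped vs unmapped secret
  env:
    API_TOKEN: $(ApiToken)

- task: PowerShell@2
  displayName: Run script file that reads the mapped secret
  inputs:
    targetType: filePath
    filePath: scripts/deploy.ps1    # PLACEHOLDER; the script reads $env:API_TOKEN, takes no secret argument
  env:
    API_TOKEN: $(ApiToken)
```

The script step deliberately takes no `-Token` style parameter: passing `$(ApiToken)` as an argument would place the value on the process command line, which is exactly what the documentation warns some operating systems log. Reading it from `$env:API_TOKEN` inside the script keeps it out of the command line and out of any step that does not map it.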

1 Comment

Thanks. I agree, I misread the document. I had a day of testing where my script failed to read the variables expressed as macros. In the log it said the variable is undefined. After re-reading and testing, I conclude that encrypted variables are treated in the same way, except that they are not automatically mapped into environment variables.
