3

Is it possible to retrieve an AzDO Library server variable and output it to plain text using a PowerShell task? I know we can output the variable to a text file, but my use case requires a PS script and I have found no way to achieve it.

I have seen this and this and, with some modifications, it is possible to retrieve passwords and Azure keyvault secrets as plain text, but it does not work with an AzDO secret.

I have mostly been trying with a variation of this but the new "non-secret" variable remains asterisked:

$SecurePassword = ConvertTo-SecureString $(testStringSecret) -AsPlainText -Force
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
try {$secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)}
finally {[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)}

Has anybody managed to do it, and if so, are you able to provide details on what you did please?

Thanks in advance.

4
  • Before your attempts to change it to plain text, what is the TypeName given if you pipe the variable to Get-Member? Commented Jul 9, 2021 at 17:39
  • @BoogaRoo When I piped it, it was showing as a regular string, hence my need to convert to secure string at the very beginning. Commented Jul 9, 2021 at 18:08
  • If it's coming to you as asterisks and it's a plain string, no amount of converting to secure strings and back can "recover" it. I think you'll have to find a way to get it out of Azure unmasked. Commented Jul 9, 2021 at 19:31
  • If your secret is masked, I mean printed as ******, that's fine. It is still plain text, but the value is masked when it is streamed to the logs to be sure that it is not revealed. Commented Jul 10, 2021 at 9:27

3 Answers

4

I assume that by the output you mean a pipeline log.

A simple answer is no, you can't do that.

ADO has a filter in the log pre-processor to filter out your secrets. Once the secret is saved as a secret, you can't retrieve it as a plain text in UI either.

But...


...you can get creative. Something like this:

$secret = 'YourSecret'; for($i = 0; $i -lt $secret.Length; $i++){Write-Host "$($secret[$i])"}

With text output:

Y
o
u
r
S
e
c
r
e
t

Replace the variable $secret with the secret ID which you want to display as a plain text and you are good to go.


3

I attempted to improve the readability of @KUTlime's suggestion/hack by changing the output to horizontal. The variable '$secret' in my example should contain the secret retrieved from the keyVault.

$secret = "fOoBaR"
Remove-Variable joined -Force -Confirm:$false -ErrorAction SilentlyContinue
for($i = 0; $i -lt $secret.Length; $i++){
    if ($joined) {$joined = $($joined+" "+$($secret[$i]))}
    else {$joined = $($secret[$i])}
}
Write-output "Secret: >$($joined)<"

Outputs:

Secret: >f O o B a R<

The angle brackets are there to reveal potential space characters trailing the 'secret'.


0

Secrets filtering in ADO is case-sensitive, so if you need to see a secret just for visibility, you can use the simple PS method "ToUpper" (or "ToLower"):

"$(Secret)".ToUpper()

Or you can replace a single char in your secret with the opposite case.
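
The answers above all rely on the log filter matching the secret only as an exact, case-sensitive string. The following is an added example, not code from the answers or from Azure DevOps: it models that filter and then audits the masked log for the transformed copies it misses. The function names, the masker model and the sample log are assumptions constructed for illustration.

```powershell
# Model of an exact-match, case-sensitive masker, as the answers describe it.
function Invoke-ExactMask {
    param([string[]]$Lines, [string]$Secret)
    foreach ($line in $Lines) { $line.Replace($Secret, '***') }  # ordinal replace
}

# Audit masked log lines for copies of the secret that survived masking.
# Assumes the secret is mostly letters and digits.
function Find-TransformedSecret {
    param([string[]]$Lines, [string]$Secret)
    $findings = @()
    $needle   = $Secret.ToLowerInvariant()
    $needleSq = $needle -replace '[^\p{L}\p{N}]', ''
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $lower = $Lines[$i].ToLowerInvariant()
        # 1. Case-changed copy (ToUpper/ToLower or a single flipped character).
        if ($lower.Contains($needle)) {
            $findings += [pscustomobject]@{ Line = $i + 1; Kind = 'CaseChanged' }
            continue
        }
        # 2. Copy with separators between characters: drop non-alphanumerics.
        $squashed = $lower -replace '[^\p{L}\p{N}]', ''
        if ($needleSq.Length -ge 4 -and $squashed.Contains($needleSq)) {
            $findings += [pscustomobject]@{ Line = $i + 1; Kind = 'Spaced' }
            continue
        }
        # 3. One character per line: join the next N single-character lines.
        if ($Lines[$i].Length -eq 1 -and ($i + $Secret.Length) -le $Lines.Count) {
            $run = -join ($Lines[$i..($i + $Secret.Length - 1)])
            if ($run.Length -eq $Secret.Length -and $run.ToLowerInvariant() -eq $needle) {
                $findings += [pscustomobject]@{ Line = $i + 1; Kind = 'CharPerLine' }
            }
        }
    }
    $findings
}

# Constructed sample log, using the placeholder secret from the answer above.
$secret = 'fOoBaR'
$raw = @('Deploying with key fOoBaR', 'FOOBAR', 'Secret: >f O o B a R<') +
       @($secret.ToCharArray() | ForEach-Object { "$_" })
$logged = Invoke-ExactMask -Lines $raw -Secret $secret
$logged[0]                                            # the exact copy is masked
Find-TransformedSecret -Lines $logged -Secret $secret | Format-Table
```

A finding on any line means the secret reached the log in readable form and should be rotated.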
