
I'm using an Azure DevOps Release pipeline which has the following steps:

  • Download KeyVault secrets
  • Invoke Console App with correct parameters

Downloading of KeyVault secrets works fine and I can confirm that they are available by using $(Key1), where Key1 is the actual key stored in KeyVault secrets.

Now, what I want is to loop over a list of the secrets (a simple text file with keys separated by commas) and append them to a console app parameter, but I fail to retrieve an Azure DevOps pipeline variable using a PowerShell variable.

$keyVaultVariables can be Key1,Key2,Key3, which corresponds to the keys stored in KeyVault, meaning that when I'm calling $($kvVar) it should get the value of the secret with the key. What I get is just the key, but no value.

$keyVaultList = $keyVaultVariables -split ','
$stringReplacementValues = ""

foreach($kvVar in $keyVaultList)
{ 
    $val = $($kvVar)
    Write-Host $val
    $stringReplacementValues = $stringReplacementValues + "$kvVar|$val;" 
}

Write-Host $stringReplacementValues 

What am I doing wrong?

  • You need to explicitly map secrets as environment variables. Refer to the documentation for instructions on how to do that. Commented Feb 8, 2023 at 16:33

1 Answer

What you want cannot be done this way. It's a security feature.

Secrets can only be iterated through the task-sdk from a custom task. Any script or existing task that doesn't have this functionality needs to have these values passed in through an input or the environment or through inlining the value in the script directly. This is a security feature to prevent, say, a rogue npm package from extracting all of the secrets from a pipeline.

If you move your functionality into a custom task, it could access the secrets.


1 Comment

Interesting - I never considered this to be security risk, but it makes sense. Thanks!
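
One way to build the parameter from explicitly mapped secrets, as the comment and answer above describe. This is an added example, not code from the original posts. The `KV_` prefix, the upper-case naming convention, the function name `Get-ReplacementString` and the sample values are assumptions made for illustration.

```powershell
# Added example. Each secret must be mapped explicitly on the script task
# (its Environment Variables section in a classic release, or env: in YAML),
# for example:  KV_KEY1 = $(Key1)   (naming convention assumed here)
function Get-ReplacementString {
    param(
        [Parameter(Mandatory)] [string] $KeyList,   # e.g. 'Key1,Key2,Key3'
        [string] $Prefix = 'KV_'                    # hypothetical prefix
    )

    $pairs = foreach ($key in ($KeyList -split ',')) {
        $key = $key.Trim()
        if (-not $key) { continue }

        # Read only the variable that was explicitly mapped for this key.
        $name = "$Prefix$key".ToUpperInvariant()
        $val  = [Environment]::GetEnvironmentVariable($name)

        if ([string]::IsNullOrEmpty($val)) {
            throw "Secret '$key' is not mapped to environment variable '$name'."
        }
        # A macro that could not be resolved arrives literally as '$(Name)'.
        if ($val -match '^\$\(.+\)$') {
            throw "Mapping for '$key' was not expanded; check the variable name."
        }
        # The 'key|value;' format cannot carry its own delimiters.
        if ($val -match '[|;]') {
            throw "Value for '$key' contains '|' or ';' and would corrupt the parameter."
        }
        "$key|$val;"
    }
    -join $pairs
}

# Constructed sample values standing in for the mappings set on the task.
$env:KV_KEY1 = 'sample-value-1'
$env:KV_KEY2 = 'sample-value-2'

$stringReplacementValues = Get-ReplacementString -KeyList 'Key1,Key2'

# Log key names only; the assembled string holds secret values.
Write-Host 'Built replacement values for: Key1, Key2'
```

The script can only see the secrets that were mapped on its own task, so adding a key to the text file without adding the mapping fails with an error instead of silently passing the key name through.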
