Azure Pipelines: accessing secret variables
I am trying to access a secret variable to pass it to another script.
I expect the following code in the pipeline to print the value, but it prints some text 'xxx' regardless of the value of the secret variable.
echo xxx
Pipeline Snippet
steps:
- bash: echo This script could use $SYSTEM_ACCESSTOKEN
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
Solution 1:[1]
If you want to access a secret variable, you could print it to a file. Check the example below:
steps:
- powershell: |
    $env:var1 | Out-File C:\Users\xxx\Desktop\Newfolder\debug.txt
  displayName: 'PowerShell Script'
  env:
    var1: $(System.AccessToken)
But System.AccessToken is a PAT token generated for the service identity “Project Collection Build Service (account)”; it's not needed to verify the value of System.AccessToken. In addition, if you want to print the value of System.AccessToken to a file, you need to check "Allow scripts to access the OAuth token" in the agent job.
Solution 2:[2]
Updates:
If I save the secret value to a file and publish that file as an artifact, the secret is visible in cleartext.
After speaking to my colleagues I have realized that any text in the logs that contains a secret value will be masked.
It will be interesting to see if I have 2 variables, viz.
OPEN_VAR='something' # No Secret
and
SECRET_VAR='something' # Values same as above but Secret
If I print $OPEN_VAR, does it mask the value because "something" is also the value of SECRET_VAR?
Solution 3:[3]
Azure Pipelines will scan the output and mask the secret; you can simply split it up and print it in two parts. Here is a bash example:
echo "${MY_SECRET:0:10}" # Print the first 10 characters
echo "${MY_SECRET:10:100}" # Print up to 100 characters, starting at character 11
You should of course only do it for debugging purposes and not leave it in your pipeline.
Solution 4:[4]
This is because SYSTEM_ACCESSTOKEN is a secret. If you do the same with a variable which is not a secret, you will be able to see the value.
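Solutions 2 and 3 show that masking only applies to the whole value as it passes through the log: a file published as an artifact, or output printed in pieces, carries the secret unmasked. As an added example (not part of the original answers), the Python check below scans a folder for secret values, their base64 form, or fragments of them before the folder is published. The 8-character fragment threshold, the file names and the sample token are assumptions constructed for the illustration.

```python
import base64
import tempfile
from pathlib import Path

MIN_FRAGMENT = 8  # assumed threshold: shortest piece of a secret worth flagging


def find_leaks(text, secrets, min_len=MIN_FRAGMENT):
    """Return sorted (name, kind) pairs for secrets visible in text; never the values."""
    hits = set()
    for name, value in secrets.items():
        if not value:
            continue
        b64 = base64.b64encode(value.encode()).decode()
        windows = (value[i:i + min_len] for i in range(len(value) - min_len + 1))
        if value in text:
            hits.add((name, "exact"))
        elif b64 in text:
            hits.add((name, "base64"))
        elif any(w in text for w in windows):  # split or truncated output
            hits.add((name, "fragment"))
    return sorted(hits)


def scan_dir(root, secrets):
    """Scan every file under root (e.g. an artifact staging folder) before publishing."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = find_leaks(path.read_text(errors="ignore"), secrets)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Constructed sample files: a whole-value dump, a split print, a clean log."""
    secret = "c0nstructed-sample-token-0123456789"  # constructed, not a real token
    samples = {"debug.txt": secret, "clean.txt": "build succeeded\n",
               "split.log": secret[:10] + "\n" + secret[10:] + "\n"}
    with tempfile.TemporaryDirectory() as root:
        for fname, body in samples.items():
            Path(root, fname).write_text(body)
        return scan_dir(root, {"MY_SECRET": secret})


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

In a pipeline, the real secrets would reach such a step through an explicit env: mapping, as in the question's snippet, and the job would fail when scan_dir returns anything.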
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Cece Dong - MSFT |
| Solution 2 | forvaidya |
| Solution 3 | |
| Solution 4 | Krzysztof Madej |

