无法在发布管道中打印Azure-Keyvault机密 [英] Not able to print the Azure-Keyvault secret in the release pipeline

问题描述

我正在尝试使用以下代码从发布管道中检索Azure-Key保管库密钥.但是我无法使用下面的代码

I am trying the below code to retrieve the Azure-Key vault secret from the release pipeline. But I am not able to print the exact string using the below code

(Get-AzKeyVaultSecret -vaultName "keyvalultname" -name "Password").SecretValueText
$Password= (Get-AzKeyVaultSecret -vaultName "keyvalultname" -name "Password").SecretValueText
$Password
Write-Output 'DBPassword is $Password'
Write-Host 'DBPassword is $Password'

if ($Password-eq "Password01")
{
   Write-Host "1"
}
else
{
   Write-Host "0"
}

Write-Host $($Password.Username)

在以上代码中的任何地方，我都没有获得值"Password01".但是我可以在IF条件下打印1.

Nowhere in the above code, I am getting the value "Password01". But I am able to print 1 in the IF condition.

我得到的输出如下

2019-12-09T14:01:45.9967410Z ***
2019-12-09T14:01:45.9972871Z DBPassword is $Password
2019-12-09T14:01:45.9984181Z DBPassword is $Password
2019-12-09T14:01:45.9992966Z 1
2019-12-09T14:01:46.0026811Z 
2019-12-09T14:01:46.0030953Z 

推荐答案

这是Azure DevOps行为，用于掩盖机密变量而不打印日志中的值，请参见

This is Azure DevOps behavior, to mask secret variables and not print the values in the logs, see here:

我们努力掩盖秘密，防止它们出现在Azure Pipelines中 输出，但不是防弹的.切勿将机密作为输出输出.一些 操作系统记录命令行参数.永远不要传递秘密 命令行.相反，我们建议您将您的秘密映射到 环境变量.

We make an effort to mask secrets from appearing in Azure Pipelines output, but it's not bulletproof. Never echo secrets as output. Some operating systems log command line arguments. Never pass secrets on the command line. Instead, we suggest that you map your secrets into environment variables.

我们将永远不会掩盖秘密的子字符串.例如，如果是"abc123" 如果设置为机密，则不会从日志中屏蔽"abc".这是为了 避免以太细微的程度掩盖机密，使日志 无法读取.因此，机密不应该包含结构化的 数据.例如，如果将"{{foo":"bar"}"设置为机密，则"bar" 不会被日志遮盖.

We will not ever mask substrings of secrets. If, for example, "abc123" is set as a secret, "abc" will not be masked from the logs. This is to avoid masking secrets at too granular of a level, making the logs unreadable. For this reason, secrets should not contain structured data. If, for example, "{ "foo": "bar" }" is set as a secret, "bar" will not be masked from the logs.

如果将其打印为字符，则可以垂直打印该值:

You can print the value vertically if you print them as chars:

$Password.ToCharArray()

这篇关于无法在发布管道中打印Azure-Keyvault机密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！