Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Correct way to use secret variable in PowerShell script

Tags:

What is the correct way to use a secret variable in a PowerShell script? It may be a pipeline variable, a variable group one, or a variable brought in from an Azure Key Vault task. I have seen in the documentation that it cannot be used in the same way as a normal (non-secret) variable. It says "Instead, we suggest that you map your secrets into environment variables." and "You need to explicitly map secret variables." I have used an environment variable and it works. Are there other ways to do it? This blog says you can use it directly in the script, which seems to contradict the MS document. This one passes the variable as an argument or parameter to the scripts. Does anyone know what is actually going on behind the scenes?

like image 847
AirAzure Avatar asked Feb 23 '20 21:02

AirAzure


1 Answers

have seen in the documentation that it cannot be used in the same way as a normal (non-secret) variable. It says "Instead, we suggest that you map your secrets into environment variables." and "You need to explicitly map secret variables."

The doc is misunderstood, it's not saying the secret variables cannot be used in the same way as a normal variable, instead, it says it's not suggested to pass secrets on the command line directly since some operating systems log command line arguments which could cause information leakage as mentioned, and it's suggested to map your secrets into environment variables.

This blog says you can use it directly in the script, which seems to contradict the MS document.

As mentioned above, the secrets can be used directly in the script although it's not suggested, so they are not contradictory.

You can also check the example in the MSDN doc:

steps:

- powershell: |
    # Using an input-macro:
    Write-Host "This works: $(mySecret)"

    # Using the env var directly:
    Write-Host "This does not work: $env:MYSECRET"

    # Using the mapped env var:
    Write-Host "This works: $env:MY_MAPPED_ENV_VAR"    # Recommended
  env:
    MY_MAPPED_ENV_VAR: $(mySecret)

and you will see in the first line of the powershell script, the secret variable is used directly in the command.

In conclusion, i suggest we should follow the MSDN doc, map your secrets into environment variables and then use them.

like image 74
Yang Shen - MSFT Avatar answered Oct 12 '22 23:10

Yang Shen - MSFT