azure-devops, azure-pipelines, gitlab-api

Azure pipeline parameter as secret variable


I want to pass a PAT as a pipeline parameter to a script (gitlab.sh) that calls the GitLab REST API:

gitlab.sh

#!/bin/bash
set -e

MY_PAT="${MY_PAT}" # I want this to be secret and not printed in logs

function rest_api {
  curl -sSL -H "Content-Type: application/json" -H "PRIVATE-TOKEN:$MY_PAT" -X POST \
    --data '{"name": "my-group","path": "my-group"}' \
    https://gitlab.example.com/api/v4/groups
}

rest_api

azure-pipelines.yml

    pool:
      vmImage: 'ubuntu-latest'
    parameters:
    - name: myPAT
      displayName: 'My PAT'
      type: string

    steps:
    - checkout: self
    - script: |
        echo "Creating group in Gitlab"
        export MY_PAT=${{parameters.myPAT}} # how can I pass this secretly to gitlab.sh
        bash -x gitlab.sh
      condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/feature'))
      displayName: 'Creating group in Gitlab'

Solution

  • If you want to set a secret you should use a logging command as below:

    - bash: |
        echo "##vso[task.setvariable variable=MY_PAT;issecret=true]${{parameters.myPAT}}"
      name: SetSecret
    

    On the next task you should have the MY_PAT secret variable available. However, since you will pass it as a runtime parameter, it could be printed in the logs.

    For instance:

    parameters:
    - name: myPAT
      displayName: 'My PAT'
      type: string
    
    trigger: none
    pr: none
    
    pool:
      vmImage: 'ubuntu-latest'
    
    
    steps:
    - bash: |
        echo "You can use macro replacement to get secrets, and they'll be masked in the log: ${{parameters.myPAT}}"
    
    - bash: |
        echo "##vso[task.setvariable variable=MY_PAT;issecret=true]${{parameters.myPAT}}"
      name: SetSecret
    
    - bash: |
        echo "You can use macro replacement to get secrets, and they'll be masked in the log: $(MY_PAT)"
    

    For first print I got:

    You can use macro replacement to get secrets, and they'll be masked in the log: MySecret

    and for the second:

    You can use macro replacement to get secrets, and they'll be masked in the log: ***

    So by passing a secret via parameters you may expose it. Be aware of that.

    I created a feature request to support runtime parameters as secrets here. Feel free to vote it up if you consider this a valuable feature.

    pool:
      vmImage: 'ubuntu-latest'
    parameters:
    - name: myPAT
      displayName: 'My PAT'
      type: string

    steps:
    - checkout: self
    - bash: |
        echo "##vso[task.setvariable variable=MY_PAT;issecret=true]${{parameters.myPAT}}"
      name: SetSecret

    - script: |
        echo "Creating group in Gitlab"
        bash -x gitlab.sh
      condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/feature'))
      displayName: 'Creating group in Gitlab'
      env:
        MY_MAPPED_ENV_VAR: $(MY_PAT) # the recommended way to map to an env variable
    

    and then you can use MY_MAPPED_ENV_VAR in your sh file as an environment variable.
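As an added example (not the asker's script or the answerer's code), here is a gitlab.sh written against the `MY_MAPPED_ENV_VAR` mapping from the last snippet. Secret masking in Azure Pipelines only hides the exact secret value in the log; it does nothing for `ps` output on the agent, and the `bash -x gitlab.sh` in the question would trace the expanded `curl -H "PRIVATE-TOKEN:..."` line. The script below turns xtrace off while the token is handled and passes the header through a curl config file on stdin (`-K -`) rather than on the command line. The `GITLAB_CURL` override (defaults to `curl`, used to exercise the script offline), `GITLAB_URL`, and the `create-group` subcommand are assumptions for illustration; the host `gitlab.example.com` is the one from the question.

```shell
#!/bin/bash
# Added example: gitlab.sh that reads the token from the env var mapped in the
# pipeline step (env: MY_MAPPED_ENV_VAR: $(MY_PAT)) and keeps it out of argv
# and out of 'bash -x' traces. Not the question's or the answer's code.
set -eu

GITLAB_URL="${GITLAB_URL:-https://gitlab.example.com}"  # assumed host, from the question

# Fail early if the mapped variable is missing; the message never echoes the value.
require_token() {
  if [ -z "${MY_MAPPED_ENV_VAR:-}" ]; then
    echo "error: MY_MAPPED_ENV_VAR is not set; map it with 'env:' on the pipeline step" >&2
    return 1
  fi
}

# Emit a curl config (read with -K) on stdout. The token header lives here
# instead of on the command line, so it is absent from 'ps' and from traces.
gitlab_curl_config() {
  printf 'header = "PRIVATE-TOKEN: %s"\n' "$1"
  printf 'header = "Content-Type: application/json"\n'
  printf 'silent\nshow-error\nfail\n'
}

# POST a JSON body to an API path. xtrace is switched off before any command
# that expands the token and restored afterwards, so 'bash -x gitlab.sh' is safe.
# GITLAB_CURL is a hypothetical override (defaults to curl) used for testing.
gitlab_post() {
  local path="$1" body="$2" trace_was_on=0 rc=0
  case "$-" in *x*) trace_was_on=1; set +x ;; esac
  if ! require_token; then
    if [ "$trace_was_on" -eq 1 ]; then set -x; fi
    return 1
  fi
  gitlab_curl_config "$MY_MAPPED_ENV_VAR" |
    "${GITLAB_CURL:-curl}" -K - -X POST --data "$body" "$GITLAB_URL/api/v4/$path" || rc=$?
  if [ "$trace_was_on" -eq 1 ]; then set -x; fi
  return "$rc"
}

main() {
  case "${1:-}" in
    create-group)
      gitlab_post groups "$(printf '{"name": "%s", "path": "%s"}' "${2:?group name required}" "$2")" ;;
    *)
      echo "usage: $0 create-group <name>" >&2
      return 2 ;;
  esac
}

# Only runs when invoked with arguments, e.g.: bash -x gitlab.sh create-group my-group
if [ "$#" -gt 0 ]; then main "$@"; fi
```

In the pipeline, the step stays as in the answer (`env: MY_MAPPED_ENV_VAR: $(MY_PAT)`) and calls `bash -x gitlab.sh create-group my-group`; the trace shows the curl invocation with `-K -` but never the header value, and the only place the token exists is the config stream piped into curl.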