I'm attempting to retrieve and then write a secret / key for an Azure Machine Learning endpoint to a key vault, as part of a deployment pipeline in Azure DevOps. The code below works and uploads the key successfully. However, as part of the DevOps pipeline it prints the secret to the run log. This means that if someone can read the DevOps log they can get the key. Not so very secret anymore.
```yaml
- task: AzureCLI@2
  displayName: Add key to Function App keyvault
  inputs:
    azureSubscription: azsub
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: >-
      secret=$(az ml online-endpoint get-credentials -n name -g group -w workspace -o tsv --query primaryKey);
      az keyvault secret set --vault-name keyvault --name keyname --value "$secret"
```
This runs but prints the following to the pipeline logs:

```json
{
  "attributes": {
    "created": timeStamp,
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoverableDays": 90,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": timeStamp
  },
  "contentType": null,
  "id": "id",
  "kid": null,
  "managed": null,
  "name": "name",
  "tags": {
    "file-encoding": "utf-8"
  },
  "value": the now not so secret, secret!.
}
```
I've tried assigning the `az keyvault secret set` output to a label, i.e. `success=$(az keyvault secret set ...)`, which prevents printing. However, as I'm fairly new to DevOps pipelines I'm not sure if this information in `success` is accessible anywhere.

If anyone could inform me of the proper way to use `az keyvault secret set` in the Azure CLI so it doesn't print out or store the secret, that would be very appreciated.
Try setting the command output to none by adding `--output none`. It suppresses everything except warnings and errors.

https://learn.microsoft.com/en-us/cli/azure/format-output-azure-cli

So in your case:

`az keyvault secret set --vault-name keyvault --name keyname --value $secret --output none`
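A hardened version of the task from the question, as an added example that is not part of the original question or answer. It keeps the same placeholder names (`name`, `group`, `workspace`, `keyvault`, `keyname`, `azsub`), which are assumptions, and combines `--output none` on the write with the Azure DevOps `issecret=true` logging command so the agent masks the value if anything later in the job echoes it:

```yaml
- task: AzureCLI@2
  displayName: Add endpoint key to Key Vault (no secret in logs)
  inputs:
    azureSubscription: azsub   # assumed service connection name
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      set -euo pipefail
      # Do not enable 'set -x' in this script: bash tracing would echo the expanded $secret.
      # Placeholder names (name, group, workspace, keyvault, keyname) are assumptions.

      # Capture the key into a shell variable; command substitution keeps it off stdout.
      secret=$(az ml online-endpoint get-credentials \
        -n name -g group -w workspace \
        --query primaryKey -o tsv --only-show-errors)

      # Register the value as a secret pipeline variable so the agent masks it
      # in any later log output of this job. The agent consumes this line
      # rather than printing it.
      echo "##vso[task.setvariable variable=endpointKey;issecret=true]$secret"

      # Write to Key Vault with --output none so the JSON response
      # (which contains "value") is never printed to the run log.
      az keyvault secret set --vault-name keyvault --name keyname \
        --value "$secret" --output none --only-show-errors

      echo "Endpoint key stored in Key Vault (value not logged)."
```

Quoting `"$secret"` also avoids word-splitting if a key ever contained whitespace, and `--only-show-errors` keeps CLI warnings (which can include argument echoes) out of the log as well.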