
Azure DevOps release pipeline - Variable Group as Azure Key Vault and bash script - inline vs file based


I have an Azure KeyVault that contains a secret, let's call it "test1".

I have an Azure DevOps release pipeline that runs 2 bash scripts. One inline, the other file based.

The inline script has no input argument, because it can handle the variable (secret) from the Variable Group (which is the Azure Key Vault) without it.

The file-based script has one input, which on the DevOps side is $(test1).


In the case of inline script:

echo "1" $test1
echo "2" test1
echo "3" "$test1"
echo "4" $(test1)
echo "5" ${test1}
echo "6" "$(test1)"
echo "7" "${test1}"

In the case of file based script:

test1=$1

echo "1" $test1
echo "2" test1
echo "3" "$test1"
echo "4" $(test1)
echo "5" ${test1}
echo "6" "$(test1)"
echo "7" "${test1}"

As you can see, the two scripts are identical.


Output from the inline script:

2024-01-26T09:45:29.0382744Z 1
2024-01-26T09:45:29.0384501Z 2 test1
2024-01-26T09:45:29.0385029Z 3 
2024-01-26T09:45:29.0385401Z 4 ***
2024-01-26T09:45:29.0385658Z 5
2024-01-26T09:45:29.0385948Z 6 ***
2024-01-26T09:45:29.0386188Z 7 

Output from the file based script:

2024-01-26T09:45:28.6888518Z 1 ***
2024-01-26T09:45:28.6890152Z 2 test1
2024-01-26T09:45:28.6890863Z 3 ***
2024-01-26T09:45:28.7077227Z /d/a/r1/a/_secret/echo.sh: line 6: test1: command not found
2024-01-26T09:45:28.7104148Z 4
2024-01-26T09:45:28.7113476Z 5 ***
2024-01-26T09:45:28.7278287Z /d/a/r1/a/_secret/echo.sh: line 8: test1: command not found
2024-01-26T09:45:28.7287815Z 6 
2024-01-26T09:45:28.7289441Z 7 ***

Questions:

  1. Why is the output different? One recognizes the variable one way, the other the other way. What is the difference, or what am I doing wrong?
  2. Is there a possibility to use a file-based script without input arguments for the secrets, which come either from a Variable Group or from an "Azure Key Vault" agent job?

Solution

  • For the 1st query, this is because file-based scripts do not replace the $(VARIABLE) placeholder, but they can read the argument you passed: echo $(args). Here you used the same name test1 for the argument and for the test1 secret.

    For the 2nd query, to use a file-based script without input arguments for the secrets, you can map the secret variable as an environment variable.

    And output the environment variable instead in the bash file. You cannot output $TEST1.


    In addition, in the Azure Key Vault task, you can choose the option below so that the secret variable can be exposed to all tasks in the job.

    If you use Variable groups which link to the Key Vault variable, make sure the scope is on release, or the correct stage, and not overridden in the previous tasks in the job, so that the secret variable can be mapped to the environment.
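As an added example (not code from the question or the answer), here is a version of the file-based echo.sh written for the approach the answer describes: the Bash task maps the Key Vault secret into the process environment with env:, and the script reads it from there instead of from $1. The task YAML in the comment, the Bash@3 task name and the environment variable name TEST1 are assumptions; the comment at the top also records why $(test1) can only work in the inline script.

```shell
#!/bin/sh
# echo.sh: file-based script for an Azure DevOps Bash task.
#
# The pipeline only macro-expands $(test1) in an INLINE script body. Inside a
# script file the same text reaches the shell untouched, where $(test1) is
# command substitution: the shell tries to run a command named test1, hence
# "test1: command not found" in the log. A file-based script therefore has to
# receive the secret as an argument or, as below, through the task's env mapping.
#
# Assumed task definition (not from the original question or answer):
#   - task: Bash@3
#     inputs:
#       filePath: echo.sh
#     env:
#       TEST1: $(test1)   # Key Vault secret mapped into the process environment

# Print the value of the named environment variable, or fail if it is unset or
# empty, so a missing env mapping stops the job instead of printing "".
require_secret() {
  name="$1"
  # Only accept a valid identifier: the name is spliced into eval below, and an
  # unchecked name would let arbitrary shell syntax in, not just a variable name.
  case "$name" in
    "" | [0-9]* | *[!A-Za-z0-9_]*)
      echo "require_secret: invalid variable name '$name'" >&2
      return 2 ;;
  esac
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "require_secret: '$name' is not set; map it with env: on the task" >&2
    return 1
  fi
  printf '%s' "$value"
}

# Report only the length of the secret. Log masking replaces exact matches of
# the secret with ***, so a script should not print the value itself, even in
# a transformed form.
secret_length() {
  value="$(require_secret "$1")" || return 1
  printf '%s' "${#value}"
}

# When run by the task, TEST1 is present in the environment.
if [ -n "${TEST1:-}" ]; then
  echo "test1 has $(secret_length TEST1) characters"
fi
```

The name check before eval is the part worth keeping even if the rest is simplified: a script that builds variable references from strings it did not define itself should refuse anything that is not a plain identifier.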