2

Is it possible to retrieve an AzDO Library server variable and output it as plain text using a PowerShell task? I know we can output the variable to a text file, but my use case requires a PS script and I have found no way to achieve it.

I have seen this and this and, with some modifications, it is possible to retrieve passwords and Azure Key Vault secrets as plain text, but it does not work with an AzDO secret.

I have mostly been trying with a variation of this but the new "non-secret" variable remains asterisked:

$SecurePassword = ConvertTo-SecureString $(testStringSecret) -AsPlainText -Force
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
try {$secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)}
finally {[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)}

Has anybody managed to do it, and if so, are you able to provide details on what you did please?

Thanks in advance.

Clumsyhands
  • Before your attempts to change it to plain text, what is the TypeName given if you pipe the variable to `Get-Member`? – Booga Roo Jul 09 '21 at 17:39
  • @BoogaRoo When I piped it, it was showing as a regular string, hence my need to convert to secure string at the very beginning. – Clumsyhands Jul 09 '21 at 18:08
  • If it's coming to you as asterisks and it's a plain string, no amount of converting to secure strings and back can "recover" it. I think you'll have to find a way to get it out of Azure unmasked. – Booga Roo Jul 09 '21 at 19:31
  • If your secret is masked, I mean printed as `******`, that's fine. It is still plain text, but the value is masked when it is streamed to logs to be sure that it is not revealed. – Krzysztof Madej Jul 10 '21 at 09:27

2 Answers

3

I assume that by the output you mean a pipeline log.

A simple answer is no, you can't do that.

ADO has a filter in the log pre-processor to filter out your secrets. Once the secret is saved as a secret, you can't retrieve it as plain text in the UI either.

But...


...you can get creative. Something like this:

$secret = 'YourSecret'; for($i = 0; $i -lt $secret.Length; $i++){Write-Host "$($secret[$i])"}

With text output:

Y
o
u
r
S
e
c
r
e
t

Replace the variable $secret with the secret ID which you want to display as plain text and you are good to go.

KUTlime
2

I attempted to improve the readability of @KUTlime's suggestion/hack by changing the output to horizontal. The variable '$secret' in my example should contain the secret retrieved from the keyVault.

$secret = "fOoBaR"
Remove-Variable joined -Force -Confirm:$false -ErrorAction SilentlyContinue
for($i = 0; $i -lt $secret.Length; $i++){
    if ($joined) {$joined = $($joined+" "+$($secret[$i]))}
    else {$joined = $($secret[$i])}
}
Write-output "Secret: >$($joined)<"

Outputs:

Secret: >f O o B a R<

The angle brackets are there to reveal potential space characters trailing the 'secret'.

sabo-fx
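
Why the character-by-character output in the two answers above appears unmasked, and how a pipeline owner can check a finished log for it, as an added example that is not part of either answer. `Protect-LogLine` is a simplified exact-match model of the log filter (an assumption, not Azure DevOps code); the function names, the sample secret and the log lines are constructed.

```powershell
# Added example. Protect-LogLine is a simplified exact-match model of log
# masking (an assumption, not Azure DevOps code). Sample values are constructed.
function Protect-LogLine {
    param([string]$Line, [string[]]$Secrets)
    foreach ($s in $Secrets) {
        if ($s) { $Line = $Line.Replace($s, '***') }   # ordinal, case-sensitive
    }
    $Line
}

# Reports where a secret survives masking because its characters were
# separated by whitespace or written one per line. Never echoes the value.
function Find-SplitSecret {
    param([string[]]$MaskedLog, [string[]]$Secrets)
    foreach ($s in $Secrets) {
        $needle = $s -replace '\s', ''
        if (-not $needle) { continue }
        for ($i = 0; $i -lt $MaskedLog.Count; $i++) {
            if (($MaskedLog[$i] -replace '\s', '').Contains($needle)) {
                [pscustomobject]@{ Kind = 'spaced on one line'; Line = $i + 1 }
            }
        }
        # Join all single-character lines and look for the secret in the result
        $singles = @($MaskedLog | ForEach-Object { $_.Trim() } |
            Where-Object { $_.Length -eq 1 }) -join ''
        if ($singles.Contains($needle)) {
            [pscustomobject]@{ Kind = 'one character per line'; Line = $null }
        }
    }
}

$secrets = @('fOoBaR')                      # constructed sample secret
$rawLog  = @(
    'Connecting with password fOoBaR',      # exact match: masked
    'Secret: >f O o B a R<',                # spaced: not masked
    'f', 'O', 'o', 'B', 'a', 'R'            # per line: not masked
)
$masked = $rawLog | ForEach-Object { Protect-LogLine -Line $_ -Secrets $secrets }
$masked
$findings = @(Find-SplitSecret -MaskedLog $masked -Secrets $secrets)
$findings | Format-Table -AutoSize
if ($findings.Count) { Write-Warning "$($findings.Count) unmasked secret exposure(s) in log" }
```

Only the first sample line is masked; the check flags line 2 and the run of single-character lines. Any secret printed this way stays readable in the retained log and should be rotated.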