My one secret to share…

An article on how to expose secret values in Azure DevOps

Photo by Dima Pechurin on Unsplash

You already know by now about the paradox of security in general: you can secure anything as long as the protected object is beyond the reach of a potential attacker. Let me explain this a bit. Your laptop is secure while it is in your possession; when it leaves your hands, its security can be compromised. A system can be secured almost 100% against external threats, but that percentage drops drastically when you have to secure it against insider threats. The same applies to Azure DevOps and the secret variable options we have there: if a secret is needed in pipeline interactions, there is at least one way to expose it.

Context

Let’s create the scene for this short experiment:

  • Create 2 variables, SECRET_VAR_1 (value: secretvar1) and SECRET_VAR_2 (value: secretvar2)
  • Mark them as secret
  • Save the setup

Some scripting magic

Let’s try a simple echo:

- task: Bash@3
  displayName: "Expose the secret vars"
  inputs:
    targetType: 'inline'
    script: |
      # $(SECRET_VAR_1) is macro-expanded by Azure Pipelines before the script runs
      secret1=$(SECRET_VAR_1)
      secret2=$(SECRET_VAR_2)
      echo "Here is the Secret1 value:"
      echo $secret1
      echo "Here is the Secret2 value:"
      echo $secret2

And the output:

Now we know that you cannot simply echo a secret, because you will get ***, so how about some splits :D

Let’s see it in PowerShell:

- task: PowerShell@2
  displayName: "Expose the secret vars"
  inputs:
    targetType: 'inline'
    script: |
      $Secret1 = $env:SECRET1
      $Secret2 = $env:SECRET2
      Write-Host "Here is the Secret1 value:"
      # ToCharArray() emits one character per output line
      $Secret1.ToCharArray()
      Write-Host "Here is the Secret2 value:"
      $Secret2.ToCharArray()
  # secret variables are not mapped to environment variables automatically,
  # so they are passed in explicitly here
  env:
    SECRET1: $(SECRET_VAR_1)
    SECRET2: $(SECRET_VAR_2)

And the output:

How about some Bash:

- task: Bash@3
  displayName: "Expose the secret vars bash"
  inputs:
    targetType: 'inline'
    script: |
      # GNU sed: print one character per line
      echo "Here is the Secret1 value:"
      echo "$(SECRET_VAR_1)" | sed -e 's/\(.\)/\1\n/g'
      echo "Here is the Secret2 value:"
      echo "$(SECRET_VAR_2)" | sed -e 's/\(.\)/\1\n/g'

And the output:

Tadaa!!! And those are just some working examples. The masking only recognises the secret when it appears in the log as one literal string, so each time you split your secret and print it back vertically, with spaces or with special characters as delimiters, you can expose it and thus read it.

No secret in that! (pun intended)

Short disclaimer

The fact that we can expose a secret variable here does not make us hackers. Remember that! The purpose of secrets in most CI/CD systems is to keep logs clean and shareable, not to hide values from you, the admin, ops, or sysadmin. That would be crazy, right? :P
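To make that point concrete, here is an added Python example (not part of the original post, and not Azure's own code): it models the agent's log masking as a literal substring replacement, shows that a direct echo is masked while one-character-per-line output reassembles, and gives a reviewer-side inventory of which pipeline steps reference a secret through $(NAME) macro syntax, since anyone who can edit those steps can read the value. The masking model is an assumption of the example, and the log lines and pipeline snippet are constructed sample data.

```python
import re

def mask_log(lines, secrets):
    """Model of the agent's log masking (an assumption of this example): each
    literal occurrence of a registered secret value is replaced with ***."""
    out = []
    for line in lines:
        for value in sorted(filter(None, secrets), key=len, reverse=True):
            line = line.replace(value, "***")
        out.append(line)
    return out

def leaked_secrets(masked_lines, secrets):
    """Check on an already-masked log: if stripping whitespace and joining the
    lines reassembles a secret, the masking did not protect it."""
    joined = "".join(line.strip() for line in masked_lines)
    return [s for s in secrets if s in joined]

MACRO = re.compile(r"\$\((\w+)\)")

def steps_referencing_secrets(yaml_text, secret_names):
    """Inventory which steps (by displayName) reference a secret through $(NAME)
    macro syntax. Plain-text scan, no YAML parser; assumes displayName comes
    before the step's inputs/env block."""
    found, current = {}, None
    for line in yaml_text.splitlines():
        if line.lstrip().startswith("- "):
            current = None  # a new list item starts a new step
        m = re.search(r"displayName:\s*(.+)", line)
        if m:
            current = m.group(1).strip().strip("\"'")
            continue
        for name in MACRO.findall(line):
            if name in secret_names and current:
                found.setdefault(current, set()).add(name)
    return found

# Constructed sample data: the secret value from the post, one log that echoes
# it directly, one that prints it one character per line, and a pipeline step.
SECRETS = ["secretvar1"]
DIRECT_LOG = ["Here is the Secret1 value:", "secretvar1"]
SPLIT_LOG = ["Here is the Secret1 value:"] + list("secretvar1")
PIPELINE = """\
- task: PowerShell@2
  displayName: "Expose the secret vars"
  env:
    SECRET1: $(SECRET_VAR_1)
    SECRET2: $(SECRET_VAR_2)
"""
```

Running `leaked_secrets(mask_log(SPLIT_LOG, SECRETS), SECRETS)` returns the secret, while the same check on the direct echo returns nothing: the split output passed through the mask untouched.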

Before you leave…

I hope you enjoyed this exercise as I loved writing it! Remember that if you can touch it, you can know it. Stay tuned, follow, subscribe, share, leave a comment, and be as social as possible for the sake of the Social Media Gods! Will sign out now, and have a coffee offline :P


My one secret to share… was originally published in ING Hubs Romania on Medium, where people are continuing the conversation by highlighting and responding to this story.



This post first appeared on Stefan Plesca's blog; please read the original post there.
