Build and release variables enable us to inject configuration data into our pipelines. Some variables are pre-defined by the system, some are custom defined by us, and some are secret. Secret variables are encrypted at rest with a 2048-bit RSA key and automatically masked out of any log output from the pipeline. The masking is the "gotcha" we'll discuss today.

But first, where do the secret variables come from?

Secret variables

Manually changed to secret

Secret release variable
You can click the lock icon to change a build or release variable to secret, which stores it securely on the server and ensures that it cannot be viewed by users.

Azure Key Vault task

The Azure Key Vault task, which we introduced in Tokenise your VSTS pipeline the easy way!, retrieves the secrets from the vault and stores them in temporary secret variables.

The values of hidden (secret) variables are stored securely on the server and cannot be viewed by users after they are saved. During a deployment, the Release Management service decrypts these values when referenced by the tasks and passes them to the agent over a secure HTTPS channel.

Secret variable flow

Let's walk through parts of our release pipeline and observe the secret variables.

secret value flow

  1. We configure a secret release variable named PROJECT.
  2. We run the Azure Key Vault task, which retrieves three secrets (magicvalue, secretvaluedev, secretvaluesystemtest) and creates a temporary secret release variable for each.
  3. The Azure App Service Deploy task substitutes the magicvalue appSettings key with the value of the secret magicvalue, using the XML variable substitution option. This is an out-of-the-box feature!
  4. The Replace Tokens task replaces the __PROJECT__ token in the SetParameters.DEV.xml file with the value of the secret release variable PROJECT.
  5. The Replace Tokens task replaces the __secretvaluedev__ token in the SetParameters.DEV.xml file with the value of the temporary secret release variable secretvaluedev.
  6. The Azure App Service Deploy task substitutes the environment and secretvalue appSettings keys with the values defined in the SetParameters.DEV.xml file. For the System Test environment, we would tokenize the SetParameters.ST.xml file and replace the __secretvaluesystemtest__ token.

Using secret variables in your pipeline is simple!

GOTCHA! Where's the secret value?

You may remember the Use Cmd Type to troubleshoot your VSTS pipeline tokenisation post, which shows a simple way of dumping your configuration files before and after tokenisation for troubleshooting.

Command Line Output

Notice anything weird? Remember "secret variables are automatically masked out of any log output from the pipeline"? Yup, the VSTS agent masks the output of cat, type, echo, or anything else that writes a value matching a secret to the log. Therefore the value of secretvalue is masked to ***.

This PowerShell script helps us validate the tokenisation.

# Count the lines of the tokenised file that contain the secret value.
# $(PROJECT) is expanded by VSTS before the script runs; quote it and use
# -SimpleMatch so a value with spaces or regex metacharacters is matched literally.
$c = @(Get-Content SampleWebApplication.SetParameters.DEV.xml | Select-String -SimpleMatch "$(PROJECT)").Count
if ($c -eq 0) { Write-Host "Can't find secret value in file" }
else { Write-Host "Secret value found!" }

PowerShell Result
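The same idea generalised to every token in a SetParameters file, as an added example that is not code from the original post: it reports whether each token was replaced and whether each expected value is present, without ever writing a secret value to the log. The file path, the token names and the placeholder values are assumptions for illustration; in a pipeline the map would be built from release variables such as $(PROJECT) and $(secretvaluedev).

```powershell
# Added example, not code from the original post: checks that every token in a
# SetParameters file was replaced and that each expected value is present,
# without ever writing a secret value to the log. Path and placeholder values
# are assumptions; in the pipeline the map would come from variables, e.g.
#   @{ PROJECT = "$(PROJECT)"; secretvaluedev = "$(secretvaluedev)" }
function Test-Tokenisation {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # token name (without the __ wrapper) -> value it should now carry
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $content = Get-Content -Path $Path -Raw
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $token = "__${name}__"
        $value = [string]$Expected[$name]
        # Empty value: the secret variable was never mapped into the script.
        # Contains('') is always true, so this must fail explicitly.
        if ([string]::IsNullOrWhiteSpace($value)) {
            Write-Host "FAIL: no value supplied for $name"; $ok = $false; continue
        }
        # Leftover token: Replace Tokens did not run or the variable name differs.
        if ($content.Contains($token)) {
            Write-Host "FAIL: $token still present in $Path"; $ok = $false; continue
        }
        # Literal search; never echo $value (the agent would mask it to *** anyway).
        if ($content.Contains($value)) {
            Write-Host "OK:   value for $name found in $Path"
        } else {
            Write-Host "FAIL: value for $name not found in $Path"; $ok = $false
        }
    }
    return $ok
}

# Constructed sample: a SetParameters file after tokenisation, one token left behind.
$sample = New-TemporaryFile
@'
<parameters>
  <setParameter name="environment" value="DEV" />
  <setParameter name="project" value="placeholder-project" />
  <setParameter name="secretvalue" value="__secretvaluedev__" />
</parameters>
'@ | Set-Content -Path $sample.FullName
$result = Test-Tokenisation -Path $sample.FullName -Expected @{
    PROJECT        = 'placeholder-project'
    secretvaluedev = 'placeholder-dev-secret'
}
Write-Host "Tokenisation valid: $result"
Remove-Item $sample.FullName
```

Only the token names and a pass/fail verdict reach the log, so the check stays useful even though the agent masks any secret value that would otherwise be printed.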

For the curious, let's cat the web.config file to verify that the secret variables made it to production.

Web.config

Enjoy using secret variables in your pipelines!

Special Thanks

THANK YOU Colin Dembovsky for the nifty PowerShell script and gently reminding me that secret variables are secret everywhere :)