How to expose secret variables in Azure DevOps

Posted by Nikos Tsirmirakis on

Variables are used to parametrise deployments in Azure DevOps pipelines. Occasionally, for troubleshooting purposes, we have to check whether the variables are correct. With plain text variables this is not a problem; with secret variables, however, it is more complicated. In this post, we will run a pipeline with a PowerShell step to expose a secret variable.

Variable

First, we will create two variables as part of our release pipeline.

Variable name       | Variable value
plain_text_variable | plaintextvariable
secret_variable     | secretvariable

When we change a variable to a secret one, it becomes masked in the Azure DevOps portal. As a result, we no longer have access to the plain text version of it. A PowerShell script run in the pipeline can be used to expose the secret variable. Below is the pipeline to achieve it.

Variables

Pipeline

Now we create a single pipeline step with a PowerShell task to run the following inline script.

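# 'secret' is the environment variable mapped to the secret variable in the task
$secret = $env:secret
Write-Host "plain_text_variable: $($env:plain_text_variable)"
# This line is masked in the log
Write-Host "secret_variable: $($secret)"
Write-Host "vertical secret_variable:"
# Emits each character on its own line, so the full value never appears as one string
$secret.ToCharArray()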

The secret variable is masked in the log; however, we are able to manipulate the variable string within the PowerShell script and output it vertically, one character per line. To allow the script to refer to a secret variable, we have to map it in the “Environment Variables” section.

PowerShell task in pipeline

Congratulations!

After a successful run of the pipeline, we can see the secret variable displayed vertically in plain text.

Secret variable exposed
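The result above means a masked log is not proof that a secret stayed out of it. The following added example (not part of the original post) audits a log for a known secret value while ignoring whitespace and line breaks, which catches the vertical output. Assumptions: `mask_log` is a simplified model of log masking as exact-substring replacement, the timestamp prefix format is assumed, and the sample log is constructed from the variable values used in this post.

```python
import re

# Assumed log line shape: optional ISO-8601 timestamp prefix, then the message.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z ")


def mask_log(log, secrets):
    """Simplified model of log masking: exact-substring replacement with ***."""
    for value in secrets:
        log = log.replace(value, "***")
    return log


def find_fragmented_secret(log, secret):
    """Return (first_line, last_line) spans where `secret` appears once
    whitespace and line breaks in the log are ignored."""
    needle = "".join(secret.split())
    if not needle:
        return []
    chars, line_of = [], []
    for number, line in enumerate(log.splitlines(), start=1):
        for ch in TIMESTAMP.sub("", line):
            if not ch.isspace():
                chars.append(ch)
                line_of.append(number)  # remember which line each char came from
    flat = "".join(chars)
    spans, start = [], flat.find(needle)
    while start != -1:
        spans.append((line_of[start], line_of[start + len(needle) - 1]))
        start = flat.find(needle, start + 1)
    return spans


# Constructed sample log, modelled on the output of the script in this post.
SECRET = "secretvariable"
SAMPLE_LOG = "\n".join(
    ["plain_text_variable: plaintextvariable",
     f"secret_variable: {SECRET}",
     "vertical secret_variable:"] + list(SECRET)
)

if __name__ == "__main__":
    masked = mask_log(SAMPLE_LOG, [SECRET])
    print(masked.splitlines()[1])  # the exact value is masked on this line
    for first, last in find_fragmented_secret(masked, SECRET):
        print(f"secret reassembles from log lines {first}-{last}")
```

Any span this reports means the value should be treated as disclosed to everyone who can read the log, and rotated.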