Azure / azure-cli

Azure Command-Line Interface
MIT License

Azure cli shows some of SecureString parameters in plain text #25306

Open pengxo opened 1 year ago

pengxo commented 1 year ago

Describe the bug
Input parameters of type @secure() in a Bicep template are accepted, but some of the secure strings are displayed in plain text in the logs.

To Reproduce

  @secure()
  param storePassword string
  @secure()
  param clientSecret string
   ...

Expected behavior
All secured strings should be masked as follows:

  DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', '-g', 'my-resource-group', '-n', 'my-container-app', '--template-file', 'my-container-app.bicep', '--parameters', 'storePassword=[MASKED]', '--parameters', 'clientSecret=[MASKED]', '--debug']

Environment summary
Azure CLI version 2.42.0 and 2.44.1

Additional context
The values of variables such as $STORE_PASSWORD or $CLIENT_SECRET come from GitLab CI/CD variables or from Azure through the Azure CLI. The plain text of secured strings can also be displayed in other log statements such as:

DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: {"properties" .....
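A consumer-side workaround for the leak described in this issue, as an added example that is not part of azure-cli and not the reporter's code: a filter that is piped after `az ... --debug 2>&1` and masks `@secure()` parameter values in the two places the report shows them, the knack "Command arguments" line and the SDK "Request body" line. It assumes the caller knows the secure parameter names (passed as arguments) and, optionally, the secret values themselves (read here from the hypothetical environment variables `STORE_PASSWORD` and `CLIENT_SECRET`); the request-body shape `{"properties": {"parameters": {name: {"value": ...}}}}` is the ARM deployment body, and the sample log lines in the test are constructed.

```python
"""Mask @secure() Bicep/ARM parameter values in Azure CLI --debug output.

Added example, not part of azure-cli. Assumes the caller knows which
parameter names are @secure() and, where possible, the secret values
that feed them (e.g. the CI variables), since literal-value masking is
the only pass that catches a value wherever the CLI happens to log it.
"""
import json
import os
import re
import sys
from typing import Iterable, Optional

MASK = "[MASKED]"

# prefix (log-level and logger name) followed by one JSON object
_JSON_LINE = re.compile(r"^(.*?)(\{.*\})\s*$", re.S)


def redact_deployment_body(body: str, secure_params: Iterable[str]) -> Optional[str]:
    """Mask secure parameter values inside an ARM deployment request body.

    Returns the re-serialised body, or None if `body` is not a JSON object
    (for example a body the logger truncated with '.....').
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    params = doc.get("properties", {}).get("parameters")
    if isinstance(params, dict):
        for name, entry in params.items():
            if name in set(secure_params) and isinstance(entry, dict) and "value" in entry:
                entry["value"] = MASK
    return json.dumps(doc, separators=(",", ":"))


def redact_line(line: str, secure_params: Iterable[str], secret_values: Iterable[str] = ()) -> str:
    """Return `line` with secure parameter values replaced by [MASKED].

    Pass 1: literal occurrences of known secret values, longest first so a
            secret that is a prefix of another leaves no fragment behind.
    Pass 2: a complete JSON request body is parsed and masked structurally.
    Pass 3: fallbacks for text the parser cannot handle: 'name=value' tokens
            as they appear in knack's argv line, and '"name": {"value": "..."}'
            fragments in a truncated body.
    """
    out = line
    for value in sorted((v for v in secret_values if v), key=len, reverse=True):
        out = out.replace(value, MASK)
    names = [n for n in secure_params if n]
    if not names:
        return out
    m = _JSON_LINE.match(out)
    if m:
        masked = redact_deployment_body(m.group(2), names)
        if masked is not None:
            return m.group(1) + masked
    alt = "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))
    # argv token: value runs to the closing quote or whitespace
    out = re.sub(rf"\b({alt})=([^'\"\s]*)", rf"\1={MASK}", out)
    # JSON fragment: value is a JSON string, escapes allowed
    out = re.sub(rf'("({alt})"\s*:\s*\{{\s*"value"\s*:\s*)"(?:\\.|[^"\\])*"', rf'\1"{MASK}"', out)
    return out


def redact_stream(lines: Iterable[str], secure_params, secret_values=()):
    """Yield each input line with secrets masked (newline preserved)."""
    for line in lines:
        yield redact_line(line.rstrip("\n"), secure_params, secret_values) + "\n"


if __name__ == "__main__":
    # usage: az deployment group create ... --debug 2>&1 | python redact.py storePassword clientSecret
    names = sys.argv[1:]
    values = [os.environ[v] for v in ("STORE_PASSWORD", "CLIENT_SECRET") if v in os.environ]
    for masked_line in redact_stream(sys.stdin, names, values):
        sys.stdout.write(masked_line)
```

The name-based passes only cover the two log shapes shown in this issue; the literal-value pass is the one that holds up wherever the CLI logs the value, so a CI job that has the secret in an environment variable should always feed it to the filter.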
yonzhan commented 1 year ago

@zhoxing-ms for awareness

pengxo commented 1 year ago

Hi @zhoxing-ms, Are there any updates about this issue? Do you need further information?

pengxo commented 1 year ago

Hi @zhoxing-ms, I just found that there is a small difference between version 2.42.0 and 2.44.1. For parameter values coming from the Azure CLI (i.e. the value is retrieved from our Azure environment through the Azure CLI), it will always be displayed in plain text even though the parameter is defined as a @secure() string. For parameter values from our GitLab CI/CD variables, it occurs only in version 2.42.0.

Are there any further updates regarding this?

pengxo commented 1 year ago

The masking, which is displayed as [MASKED], should be enabled from GitLab CI/CD variables. Despite this, the value of a secured string/object should not be displayed in the logs according to the documentation here: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/data-types#secure-strings-and-objects

ghost commented 1 year ago

Thank you for your feedback. This has been routed to the support team for assistance.