Open pengxo opened 1 year ago
@zhoxing-ms for awareness
Hi @zhoxing-ms, Are there any updates about this issue? Do you need further information?
Hi @zhoxing-ms, I just found that there is a small difference between version 2.42.0 and 2.44.1. For parameter values coming from azure cli (i.e. the value is retrieved from our azure environment through Azure CLI), it will always be displayed in plain text though the parameter is defined as a @secure() string. For parameter values from our Gitlab CI/CD variables, it occurs only in the version 2.42.0.
Are there any further updates regarding this?
The masking, which is displayed as [MASKED], should be enabled from Gitlab CI/CD variables. Despite this, the value of secured string/object should not be displayed in the logs according to the documentation here:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/data-types#secure-strings-and-objects
Thank you for your feedback. This has been routed to the support team for assistance.
Describe the bug
Input parameters of type @secured in bicep template are accepted, but some of the secure strings are displayed in plain text in the logs.
To Reproduce
Deploy the template with Azure CLI:
Then some of the secured parameters such as clientSecret are displayed in the logs.
DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', '-g', 'my-resource-group', '-n', 'my-container-app', '--template-file', 'my-container-app.bicep', '--parameters', 'storePassword=[MASKED]', '--parameters', 'clientSecret=plain text of secret','--debug']
Expected behavior
All secured strings should be masked as follows:
DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', '-g', 'my-resource-group', '-n', 'my-container-app', '--template-file', 'my-container-app.bicep', '--parameters', 'storePassword=[MASKED]', '--parameters', 'clientSecret=[MASKED]','--debug']
Environment summary
Azure CLI version 2.42.0 and 2.44.1
Additional context
The values of variables such as $STORE_PASSWORD or $CLIENT_SECRET come from gitlab ci/cd variables or from azure through azure cli. The plain text of secured string can also be displayed in other log statements such as:
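Added example, not part of the issue and not Azure CLI code: a CI-side check that parses `Command arguments` debug lines in the format quoted in the report, lists secure parameters whose value is not `[MASKED]`, and redacts them before the log is stored. The function names and the caller-supplied set of secure parameter names are assumptions.

```python
import ast
import re

MASK = "[MASKED]"
ARGS_RE = re.compile(r"Command arguments: (\[.*\])")

# Sample line in the format quoted in the issue (values are placeholders).
SAMPLE = ("DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', "
          "'create', '-g', 'my-resource-group', '--parameters', "
          "'storePassword=[MASKED]', '--parameters', "
          "'clientSecret=plain text of secret','--debug']")

def _parse(log_line):
    """Return (regex match, argument list) for a debug line, else (None, None)."""
    m = ARGS_RE.search(log_line)
    if not m:
        return None, None
    try:
        args = ast.literal_eval(m.group(1))  # the list is a Python repr
    except (ValueError, SyntaxError):
        return None, None
    if not (isinstance(args, list) and all(isinstance(a, str) for a in args)):
        return None, None
    return m, args

def _rewrite(args, secure_names):
    """Return (masked argument list, names whose value was not masked)."""
    out, leaked, in_params = [], [], False
    for arg in args:
        if arg.startswith("-"):
            in_params = arg == "--parameters"  # name=value pairs follow this flag
        elif in_params and "=" in arg:
            name, value = arg.split("=", 1)
            if name in secure_names and value != MASK:
                leaked.append(name)
                arg = f"{name}={MASK}"
        out.append(arg)
    return out, leaked

def find_unmasked(log_line, secure_names):
    """Names of secure parameters that appear with a non-masked value."""
    _, args = _parse(log_line)
    return _rewrite(args, secure_names)[1] if args else []

def redact(log_line, secure_names):
    """Same line with every listed secure parameter value replaced by MASK."""
    m, args = _parse(log_line)
    if not args:
        return log_line
    masked = repr(_rewrite(args, secure_names)[0])
    return log_line[:m.start(1)] + masked + log_line[m.end(1):]
```
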