microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

Need to be able to use secret variables #16

Open alexs77 opened 2 years ago

alexs77 commented 2 years ago

In the definition of my pipeline, I'm setting a variable which contains an API access token. I consider this to be a secret and have thus set the variable to secret.

Because of this, Azure DevOps will NOT automatically export the secret variable to a task. In order to use a secret variable in a task, it has to be defined in the "environment" block of a task.

See https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=classic%2Cbatch#secret-variables → "Classic".

Each task that needs to use the secret as an environment variable does remapping. If you want to use a secret variable called mySecret from a script, use the Environment section of the scripting task's input variables. Set the environment variable name to MYSECRET, and set the value to $(mySecret).

The TerraformTaskV2 doesn't have an environment block.

There needs to be a way to be able to use secret variables in TerraformTaskV2.

mericstam commented 2 years ago

As I understand it, an environment block is only required if you want to set a secret as an environment variable, but I might be mistaken. It would be easier to understand if you could give an example of how you use the secret variable now?

alexs77 commented 2 years ago

Okay.

It's actually about the iLert provider.

api_token - (Optional) An iLert OAuth / Personal Access Token. When not provided or made available via the ILERT_API_TOKEN environment variable, the provider can only access resources available anonymously. Conflicts with organization. Make sure to exclude the Bearer prefix.

As I'd rather not have the secret in my Git, I resorted to using an env var. Storing the secret in an Azure Key Vault doesn't work well either, as I have many tenants and subscriptions. A key vault cannot be accessed from another tenant (that's what Azure support wrote). But in my case, I have a service principal, which logs on to tenant A; but that secret should then be stored in a central place, so that I don't have to configure it over and over again. A shared KV comes to mind, but that's not supported.

mericstam commented 2 years ago

Ok now I get it. I will leave this issue open and add this enhancement task to our internal board. Feel free to contribute and add the feature if you want.

pvasek commented 2 years ago

I completely agree that it would be great to have the environment variables block there.

I think that as a workaround you could use the bash/batch task, which uses the special output to call task.setVariable described here.

You just need to add a bash/batch script and echo the output described there, which sets the variable to whatever you want. For example, I am using a bash task with an inline script where my-secret-var is set to the MY_SECRET variable: echo "##vso[task.setvariable variable=MY_SECRET]$(my-secret-var)"

I am using it for a little bit different use case but I guess it could work for you as well.

alexs77 commented 2 years ago

@pvasek D'Oh! Of course :) And I'm actually already using it - but not for this variable. I've got a task, which "propagates" the Service Principal details, like so:

printf "##vso[task.setvariable variable=ado_sp_id]%s\n" "$servicePrincipalId"
printf "##vso[task.setvariable variable=ado_sp_key;isoutput=true;issecret=true]%s\n" "$servicePrincipalKey"
printf "##vso[task.setvariable variable=ado_sp_tenant]%s\n" "$tenantId"

The task has "Access service principal details in script" enabled.

Thanks. Going to extend this task.

But still, it would be good if there were an environment block. It should be possible to use Terraform with this task without having to resort to this workaround.
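The workaround from the thread (explicitly mapping the secret into a script task, then re-exporting it with task.setvariable so the later TerraformTaskV2 step receives it as ILERT_API_TOKEN) as one YAML pipeline, written as an added example rather than code from the thread or the project. The variable group name, the secret name ilertApiToken, the working directory and the service connection name are assumptions.

```yaml
# Added example (not from the issue thread). Assumes a variable group "ilert-secrets"
# containing a secret variable "ilertApiToken", and a service connection "azure-sub".
variables:
  - group: ilert-secrets

steps:
  - bash: |
      # Re-export the token as an ordinary (non-secret) job variable. Non-secret variables
      # are exported as environment variables to every later task, which is what lets
      # TerraformTaskV2 see ILERT_API_TOKEN; a variable set with ;issecret=true would
      # not be exported automatically, reproducing the original problem.
      # Trade-off: every later task in this job can now read the value, so keep this
      # in the smallest job that needs it.
      printf '##vso[task.setvariable variable=ILERT_API_TOKEN]%s\n' "$ILERT_TOKEN"
    displayName: Expose iLert token to Terraform
    env:
      # Secret variables are not exported automatically; map it explicitly.
      ILERT_TOKEN: $(ilertApiToken)

  # The variable takes effect from the next task onward, so Terraform runs in a later step.
  - task: TerraformTaskV2@2
    displayName: Terraform plan (provider reads ILERT_API_TOKEN from the environment)
    inputs:
      provider: azurerm
      command: plan
      workingDirectory: $(System.DefaultWorkingDirectory)/infra   # assumed layout
      environmentServiceNameAzureRM: azure-sub                     # assumed connection
```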