Azure cli shows some of SecureString parameters in plain text #25306

Open
pengxo opened this issue Jan 31, 2023 · 5 comments
Assignees
Labels
ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request Service Attention This issue is responsible by Azure service team.
Milestone

Comments

@pengxo

pengxo commented Jan 31, 2023

Describe the bug
Input parameters of type @secure() in a bicep template are accepted, but some of the secure strings are displayed in plain text in the logs.

To Reproduce

  • Define a bicep template for e.g. Azure Container App with secured parameters. For example:
  @secure()
  param storePassword string
  @secure()
  param clientSecret string
   ...

  • Deploy the template with Azure CLI:
  az deployment group create \
    -g my-resource-group \
    -n my-container-app \
    --template-file my-container-app.bicep \
    --parameters storePassword=$STORE_PASSWORD \
    --parameters clientSecret=$CLIENT_SECRET \
    ... \
    --debug
  • Then some of the secured parameters such as clientSecret are displayed in the logs.
    DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', '-g', 'my-resource-group', '-n', 'my-container-app', '--template-file', 'my-container-app.bicep', '--parameters', 'storePassword=[MASKED]', '--parameters', 'clientSecret=plain text of secret','--debug']

Expected behavior
All secure strings should be masked as follows:
DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', '-g', 'my-resource-group', '-n', 'my-container-app', '--template-file', 'my-container-app.bicep', '--parameters', 'storePassword=[MASKED]', '--parameters', 'clientSecret=[MASKED]','--debug']

Environment summary
Azure CLI version 2.42.0 and 2.44.1

Additional context
The values of variables such as $STORE_PASSWORD or $CLIENT_SECRET come from GitLab CI/CD variables or from Azure through Azure CLI. The plain text of secure strings can also be displayed in other log statements such as:

DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: {"properties" .....
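As an added illustration (not part of this issue and not Azure CLI code), here is a post-processing redactor for captured `--debug` output that masks the two log lines shown above: the knack "Command arguments" list and the JSON request body. It assumes the set of @secure() parameter names is known from the template, and that the ARM request body carries parameters under properties.parameters.<name>.value; the sample lines in the test are constructed.

```python
import ast
import json

# Bicep parameters declared with @secure() in the template above (assumed set).
SECURE_PARAMS = {"storePassword", "clientSecret"}
MASK = "[MASKED]"
ARGS_PREFIX = "DEBUG: cli.knack.cli: Command arguments: "
BODY_PREFIX = "DEBUG: cli.azure.cli.core.sdk.policies: "


def mask_command_arguments(line: str) -> str:
    """Mask secure key=value tokens in the knack 'Command arguments' line.

    The line carries a Python list literal, so it is parsed with
    ast.literal_eval (no code execution) rather than a regex, which keeps
    quoting inside values and spaces in secrets from breaking the match.
    """
    if not line.startswith(ARGS_PREFIX):
        return line
    args = ast.literal_eval(line[len(ARGS_PREFIX):])
    out = []
    for i, arg in enumerate(args):
        name, sep, _ = arg.partition("=")
        # Only key=value tokens directly after --parameters / -p are candidates.
        if sep and i > 0 and args[i - 1] in ("--parameters", "-p") and name in SECURE_PARAMS:
            arg = f"{name}={MASK}"
        out.append(arg)
    return ARGS_PREFIX + repr(out)


def mask_request_body(line: str) -> str:
    """Mask secure values in the JSON request-body debug line (assumed layout:
    properties.parameters.<name>.value, as in ARM deployment requests)."""
    if not line.startswith(BODY_PREFIX):
        return line
    try:
        body = json.loads(line[len(BODY_PREFIX):])
    except json.JSONDecodeError:
        return line  # the "Request body:" header and non-JSON lines pass through
    props = body.get("properties") if isinstance(body, dict) else None
    params = props.get("parameters") if isinstance(props, dict) else None
    if not isinstance(params, dict):
        return line
    for name in SECURE_PARAMS & params.keys():
        if isinstance(params[name], dict) and "value" in params[name]:
            params[name]["value"] = MASK
    return BODY_PREFIX + json.dumps(body)


def redact(log: str) -> str:
    """Apply both maskers to every line of captured --debug output."""
    return "\n".join(mask_request_body(mask_command_arguments(l)) for l in log.splitlines())
```

Pipe the CLI's stderr through redact() before it reaches a CI log; secrets that the CLI prints in other formats (for example in a response body) are not covered by these two prefixes.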
@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels Jan 31, 2023
@ghost ghost assigned zhoxing-ms Jan 31, 2023
@ghost ghost added this to the Backlog milestone Jan 31, 2023
@yonzhan
Collaborator

yonzhan commented Feb 1, 2023

@zhoxing-ms for awareness

@yonzhan yonzhan added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Feb 1, 2023
@pengxo
Author

pengxo commented Feb 21, 2023

Hi @zhoxing-ms, Are there any updates about this issue? Do you need further information?

@yonzhan yonzhan added feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Feb 27, 2023
@pengxo
Author

pengxo commented Apr 11, 2023

Hi @zhoxing-ms, I just found that there is a small difference between versions 2.42.0 and 2.44.1. For parameter values coming from Azure CLI (i.e. the value is retrieved from our Azure environment through Azure CLI), it will always be displayed in plain text even though the parameter is defined as a @secure() string. For parameter values from our GitLab CI/CD variables, it occurs only in version 2.42.0.

Are there any further updates regarding this?

@pengxo
Author

pengxo commented Apr 26, 2023

The masking, which is displayed as [MASKED], should be enabled from GitLab CI/CD variables. Despite this, the value of a secure string/object should not be displayed in the logs, according to the documentation here:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/data-types#secure-strings-and-objects

@yonzhan yonzhan added the CXP Attention This issue is handled by CXP team. label Apr 26, 2023
@ghost

ghost commented Apr 26, 2023

Thank you for your feedback. This has been routed to the support team for assistance.

@PramodValavala-MSFT PramodValavala-MSFT added Service Attention This issue is responsible by Azure service team. and removed CXP Attention This issue is handled by CXP team. labels Sep 28, 2023