az mysql flexible-server create writes out password details in log #30944

Open
hgjura opened this issue Mar 4, 2025 · 6 comments
Labels
Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported Issues that are reported by GitHub users external to the Azure organization. MySQL Possible-Solution Security-Issue Service Attention This issue is responsible by Azure service team. Similar-Issue


hgjura commented Mar 4, 2025

Describe the bug

When running `az mysql flexible-server create`, the output from the command writes out the password and connection string in clear text in the logs !?!?

Here is the command:
```
az mysql flexible-server create --resource-group $resourcegroup \
  --name $sername \
  --location $location \
  --admin-user $adminusername \
  --admin-password $adminpassword \
  --sku-name $sku \
  --version $mysqlversion \
  --yes \
  --tags CreatedBy=AzDO
```

Sensitive info needs to be obfuscated or masked.

Related command

az mysql flexible-server create

Errors

Password is written in clear text

Issue script & Debug output

```
WARNING: Checking the existence of the resource group 'qa-siteweb-rg'...
WARNING: Resource group 'qa-siteweb-rg' exists ? : True
WARNING: Detected current client IP : 4.205.192.95
WARNING: IOPS is 396 which is either your input or free(maximum) IOPS supported for your storage size and SKU.
WARNING: Creating MySQL Server 'mysqlserver-siteweb-qa' in group 'qa-siteweb-rg'...
WARNING: Your server 'mysqlserver-siteweb-qa' is using sku 'Standard_B1ms' (Paid Tier). Please refer to https://aka.ms/mysql-pricing for pricing details
WARNING: Configuring server firewall rule to accept connections from '4.205.192.95'...
WARNING: Creating MySQL database 'flexibleserverdb'...
WARNING: Make a note of your password. If you forget, you would have to reset your password with'az mysql flexible-server update -n mysqlserver-siteweb-qa -g qa-siteweb-rg -p '.
WARNING: Try using az 'mysql flexible-server connect' command to test out connection.
{
  "connectionString": "mysql flexibleserverdb --host mysqlserver-siteweb-qa.mysql.database.azure.com --user sofadadmin --password=Password001$",
  "databaseName": "flexibleserverdb",
  "firewallName": "FirewallIPAddress_2025-3-3_20-35-46",
  "host": "mysqlserver-siteweb-qa.mysql.database.azure.com",
  "id": "/subscriptions/a178cc79-1caa-4263-a715-c6250800485b/resourceGroups/qa-siteweb-rg/providers/Microsoft.DBforMySQL/flexibleServers/mysqlserver-siteweb-qa",
  "location": "Canada Central",
  "password": "Password001$",
  "resourceGroup": "qa-siteweb-rg",
  "skuname": "Standard_B1ms",
  "username": "sofadadmin",
  "version": "8.4"
}
```

Expected behavior

Password details should be masked

Environment Summary

azure-cli 2.69.0

Additional context

No response

@hgjura hgjura added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Mar 4, 2025
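
One way to keep these two fields out of pipeline logs while the CLI still prints them, as an added example that is not part of the original issue or of Azure CLI itself: a POSIX shell filter for the JSON shape quoted above. The function names and the sample values are constructed for illustration.

```shell
# Added example: mask secrets in the JSON printed by
# `az mysql flexible-server create` before it reaches a CI log.
# If the JSON is not needed at all, the global `--output none` suppresses it.

MASK='***'

# redact_az_output: read the CLI's JSON on stdin, write a log-safe copy.
# - replaces the value of the "password" key
# - replaces everything after --password= up to the closing quote of the
#   connection string (over-redacts rather than guessing where it ends)
# ([^"\\]|\\.)* walks a JSON string body, so an escaped \" does not end it.
redact_az_output() {
  sed -E \
    -e 's/("password"[[:space:]]*:[[:space:]]*)"([^"\\]|\\.)*"/\1"'"$MASK"'"/' \
    -e 's/(--password=)([^"\\]|\\.)*/\1'"$MASK"'/'
}

# leaks_secret TEXT: exit 0 if stdin contains TEXT verbatim.
# Use it as a pipeline gate on captured logs. Note that a secret containing
# quotes or backslashes appears JSON-escaped in the CLI output.
leaks_secret() {
  grep -F -q -e "$1"
}

# Constructed sample in the shape of the output quoted in the issue
# (all values are made up; the password contains an escaped quote and a $).
sample_output() {
  cat <<'EOF'
{
  "connectionString": "mysql exampledb --host example.mysql.database.azure.com --user exampleadmin --password=Ex@mple\"Pw$1",
  "databaseName": "exampledb",
  "password": "Ex@mple\"Pw$1",
  "username": "exampleadmin"
}
EOF
}

# Stand-alone demonstration: print the redacted sample.
sample_output | redact_az_output

# In a pipeline (stdout carries the JSON):
#   az mysql flexible-server create ... | redact_az_output
```
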

Hi @hgjura,

2.69.0 is not the latest Azure CLI (2.70.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

@azure-client-tools-bot-prd azure-client-tools-bot-prd bot added the Auto-Resolve Auto resolve by bot label Mar 4, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot MySQL Service Attention This issue is responsible by Azure service team. labels Mar 4, 2025

github-actions bot commented Mar 4, 2025

Here are some similar issues that might help you. Please check if they can solve your problem.


Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

The masking, which is displayed as [MASKED], should be enabled from GitLab CI/CD variables. Despite this, the value of secured string/object should not be displayed in the logs according to the documentation here: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/data-types#secure-strings-and-objects

Reference:

Powered by issue-sentinel


github-actions bot commented Mar 4, 2025

This issue is related to security. Please pay attention.

Powered by issue-sentinel

Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @ambhatna, @savjani.


Collaborator

yonzhan commented Mar 4, 2025

route to service team
