
How to output the value of a secret variable in Azure DevOps?


This article explains how you can output the value of a secret variable stored in Azure DevOps. This applies both to secrets stored in a Variable Group and to Pipeline Variables stored as secrets.

Is it safe, secure and advisable to do this? No!

But is it possible? Yes it is!

Let’s get to it!

Background

There might be situations where you want to output the value of a secret variable. Maybe you registered an app in Entra and had a good reason not to add it to Key Vault, but still need it for your pipeline? And maybe you were a good citizen and stored it as a secret value – so neither you, nor anyone else, can ever see it again.

A similar configuration – and the same problem – can be reproduced with a Pipeline Variable:

But what if you happen to need it later for some unknown, unholy purpose that you’d rather not utter aloud to avoid repercussions?

Then you need to find a way to coerce your pipeline to share that variable value with you!

Problem

If you try to solve the issue by clicking the little “lock” icon – the value turns empty. You can’t display the value of a secret variable once it’s set.

You can, however, output it in a pipeline. But not like this:

  steps:
  - task: PowerShell@2
    inputs:
      targetType: 'inline'
      script: |
        Write-Host "My Secret Value:"
        Write-Host $(ClientSecret)

Nope. That just shows little asterisks:

And this even happens if you try to be crafty and first set the value to a local variable:

  - task: PowerShell@2
    inputs:
      targetType: 'inline'
      script: |
        $variableValue = "$(ClientSecret)"
        
        Write-Host "My Secret Value:"
        Write-Host $variableValue

Yes – this is Azure DevOps trying to save you from yourself. But we can’t have any of that, can we? 😉

Solution

I’m using a Client Secret that I’ve stored in a Variable Group in Azure DevOps’ Library. The exact same method works for a secret Pipeline Variable.

But in order to be able to output our secret variable, we need to make Azure DevOps think we’re not trying to show the secret to anyone. We need some special tactics.

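And that special tactic is called – drumroll, please – ToCharArray()!

Converting the variable from a string to a character array keeps it from being masked: Write-Host prints the array elements separated by spaces, so the log line no longer contains the secret as one contiguous string for the masking to match.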

  - task: PowerShell@2
    inputs:
      targetType: 'inline'
      script: |
        # Get the string value of the secret
        $variableValue = "$(ClientSecret)"

        # Split the string into individual characters
        $characters = $variableValue.ToCharArray()

        Write-Host "My Secret Value:"
        Write-Host $characters

This will give you this delicious output:

Yes – that’s indeed the secret value as a character array, neatly echoed to your logs with spaces between character values.

Easy to copy-paste out of there – just remember to remove the extra spaces!
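
For anyone who has to review logs afterwards: the check below is an added example, not part of the original article or of Azure DevOps. It models log masking as exact-substring replacement (a simplifying assumption) and scans stored log lines for a known secret split by whitespace, which is the form the ToCharArray() output takes. The secret value, log lines and function names are all constructed for illustration.

```python
import re

MASK = "***"

def mask_exact(line, secrets):
    """Simplified model of log masking (assumption): only exact,
    contiguous occurrences of a secret value are replaced."""
    for value in secrets.values():
        line = line.replace(value, MASK)
    return line

def spaced_pattern(value):
    """Regex matching the value with optional whitespace between characters."""
    return re.compile(r"\s*".join(re.escape(ch) for ch in value))

def find_leaks(log_lines, secrets):
    """Return (line_number, secret_name) for every stored log line that still
    contains a secret, contiguous or split by whitespace."""
    patterns = {name: spaced_pattern(v) for name, v in secrets.items()}
    return [(no, name)
            for no, line in enumerate(log_lines, start=1)
            for name, pat in patterns.items()
            if pat.search(line)]

# Constructed sample data: a made-up secret and the lines a script would emit.
SECRETS = {"ClientSecret": "aB3~x9Q.z7Kp"}
RAW_OUTPUT = [
    "My Secret Value:",
    "aB3~x9Q.z7Kp",              # Write-Host of the string
    "My Secret Value:",
    " ".join("aB3~x9Q.z7Kp"),    # Write-Host of the character array
]
# What ends up in the log once the modelled masking has run.
STORED_LOG = [mask_exact(line, SECRETS) for line in RAW_OUTPUT]

if __name__ == "__main__":
    for no, name in find_leaks(STORED_LOG, SECRETS):
        print(f"line {no}: {name} present in unmasked form, rotate it")
```

Any hit means the value is readable by everyone with access to the run's logs, so treat the secret as exposed and rotate it.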
