
az keyvault logs out secret values on newest macOS image #4535

Closed
1 of 7 tasks
Nasicus opened this issue Nov 18, 2021 · 8 comments
Labels: Area: Common Tools; awaiting-deployment (Code complete; awaiting deployment and/or deployment in progress); OS: macOS

Comments

Nasicus commented Nov 18, 2021

Description

Since yesterday the following command prints out the value of the secret to the console / log statement of the build pipeline (which contains our passwords!). Seems to be related to the newest macos build, still works on older versions as before.

We have a bash script (.sh) which looks like this:

```sh
vaultValue=$(az keyvault secret show --vault-name whatever --name "blabla" --query value --output tsv)
```

On the newest macOS image it now prints this to the console / log, whereas before it didn't print anything:

```json
  "attributes": {
    "created": "2021-07-07T09:15:28+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2021-07-07T09:15:28+00:00"
  },
  "contentType": null,
  "id": "https://whatever/secrets/blabla/someid",
  "kid": null,
  "managed": null,
  "name": "blabla",
  "tags": null,
  "value": "my-secret-value"
}
```

Note that I tried to reproduce this locally with the same Azure CLI version, and even on macOS, but I couldn't.
See below for the macOS image on which it still works as expected.

Virtual environments affected

  • Ubuntu 18.04
  • Ubuntu 20.04
  • macOS 10.15
  • macOS 11
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

```text
Starting: Initialize job
Agent name: 'Hosted Agent'
Agent machine name: 'Mac-1637219675485'
Current agent version: '2.195.0'
Operating System
Virtual Environment
Environment: macos-11
Version: 20211114.1
Included Software: https://github.com/actions/virtual-environments/blob/macOS-11/20211114.1/images/macos/macos-11-Readme.md
Image Release: https://github.com/actions/virtual-environments/releases/tag/macOS-11%2F20211114.1
Virtual Environment Provisioner
Current image version: '20211114.1'
Agent running as: 'runner'
Prepare build directory.
Set build variables.
Download all required tasks.
Downloading task: DownloadBuildArtifacts (0.194.0)
Downloading task: AzureCLI (1.164.0)
Downloading task: DownloadSecureFile (1.193.0)
Downloading task: CmdLine (2.182.0)
Downloading task: AppCenterDistribute (3.186.0)
Checking job knob settings.
Knob: AgentToolsDirectory = /Users/runner/hostedtoolcache Source: ${AGENT_TOOLSDIRECTORY}
Finished checking job knob settings.
Start tracking orphan processes.
Finishing: Initialize job
```

Is it regression?

Works on 20211106.1

Expected behavior

Do not print the retrieved secret to the console

Actual behavior

Prints secret to the console

Repro steps

See description above.

@Nasicus Nasicus changed the title az keyvault prints out secret values to console on newest macOS image az keyvault logs out secret values on newest macOS image Nov 18, 2021
mikhailkoliada (Contributor) commented

@Nasicus Hello!

I am pretty sure azure-cli's version has not changed in the version of the image you referenced (changelog).

Could you please try to downgrade azure-cli manually in order to make sure you can repeat the problem?

Nasicus (Author) commented Nov 18, 2021

@mikhailkoliada
Thanks for your reply.
I know it didn't change. I upgraded to the same az cli version locally (on my mac) and there it works as expected.
On the other macOS agent where it works it also has the same az cli version; the only difference I can see is the image version.
Here is all the information from the working macOS image:

```text
Starting: Initialize job
Agent name: 'Hosted Agent'
Agent machine name: 'Mac-1637218096416'
Current agent version: '2.195.0'
Operating System
Virtual Environment
Environment: macos-11
Version: 20211106.1
Included Software: https://github.com/actions/virtual-environments/blob/macOS-11/20211106.1/images/macos/macos-11-Readme.md
Image Release: https://github.com/actions/virtual-environments/releases/tag/macOS-11%2F20211106.1
Virtual Environment Provisioner
1.0.0.0-master-20211108-1
Current image version: '20211106.1'
Agent running as: 'runner'
Prepare build directory.
Set build variables.
Download all required tasks.
Downloading task: Bash (3.189.0)
Downloading task: AzureCLI (1.164.0)
Downloading task: DownloadBuildArtifacts (0.194.0)
Downloading task: CopyFiles (2.190.1)
Downloading task: NodeTool (0.192.0)
Downloading task: Npm (1.187.0)
Downloading task: CocoaPods (0.189.0)
Downloading task: CmdLine (2.182.0)
Downloading task: CopyPublishBuildArtifacts (1.0.32)
Downloading task: AddTag (0.90.3)
Checking job knob settings.
   Knob: AgentToolsDirectory = /Users/runner/hostedtoolcache Source: ${AGENT_TOOLSDIRECTORY}
Finished checking job knob settings.
Start tracking orphan processes.
Finishing: Initialize job
```

edit:

I just noticed that the newer macOS image also has a newer Python version installed.

WORKING version (older one):

```text
/usr/local/bin/az --version

azure-cli                         2.30.0
Please let us know how we are doing: https://aka.ms/azureclihats

and let us know if you're interested in trying out our newest features: https://aka.ms/CLIUXstudy
core                              2.30.0
telemetry                          1.0.6

Python location '/usr/local/Cellar/azure-cli/2.30.0/libexec/bin/python'
Extensions directory '/Users/runner/.azure/cliextensions'

Python (Darwin) 3.9.7 (default, Oct 13 2021, 06:45:31)
[Clang 13.0.0 (clang-1300.0.29.3)]
```

BROKEN one (newer one):

```text
/usr/local/bin/az --version
azure-cli                         2.30.0


Please let us know how we are doing: https://aka.ms/azureclihats
core                              2.30.0
and let us know if you're interested in trying out our newest features: https://aka.ms/CLIUXstudy
telemetry                          1.0.6

Python location '/usr/local/Cellar/azure-cli/2.30.0/libexec/bin/python'
Extensions directory '/Users/runner/.azure/cliextensions'

Python (Darwin) 3.9.8 (main, Nov 10 2021, 09:21:22)
[Clang 13.0.0 (clang-1300.0.29.3)]
```

@al-cheb al-cheb self-assigned this Nov 18, 2021
al-cheb (Contributor) commented Nov 18, 2021

@Nasicus , I wasn't able to reproduce from my side:

```text
Environment: macos-11
Version: 20211114.1
Included Software: https://github.com/actions/virtual-environments/blob/macOS-11/20211114.1/images/macos/macos-11-Readme.md
Image Release: https://github.com/actions/virtual-environments/releases/tag/macOS-11%2F20211114.1
```

[screenshot]

But the behavior of the output is different if az-cli is reinstalled (Python 3.9.8 vs Python 3.10.0):

```yaml
        - name: brew install az
          run: |
              brew uninstall azure-cli
              brew update
              brew install azure-cli
```

[screenshot]

Nasicus (Author) commented Nov 18, 2021

@al-cheb hmm damn... I have no idea what to do then, because we didn't change anything in the pipeline and it literally fails in the SAME pipeline in different stages.... note that in newer builds it now also fails in the stage which previously succeeded, because it's using the newer image there

Nasicus (Author) commented Nov 18, 2021

@al-cheb wait: in your first screenshot, I think that's already strange, because the vaultValue should only contain the Hello and not everything.... => I think that's exactly what's going wrong / has changed!

maybe I should add that after getting the vaultValue we do something like this:

```sh
echo "##vso[task.setvariable variable=$1]$value"
```

... and maybe this echo / vso cannot handle this "multiline" string

edit: not working anymore, but I can try to do the uninstall / reinstall as a "workaround" for the moment, since then it looks correct.... => will try tomorrow, but this still seems like a bug... but maybe from the CLI?

al-cheb (Contributor) commented Nov 18, 2021

@Nasicus , it's a bug - Azure/azure-cli#20348. Temporary workaround: use jq:

```sh
# Ask for the full JSON object and let jq pick out the value field
vaultValue=$(az keyvault secret show --vault-name ghtest --name "test" --output json | jq -r '.value')
echo "$vaultValue"
```

[screenshot]
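Both the `##vso[task.setvariable ...]` concern raised two comments up and the jq workaround above share one defensive pattern worth having in a pipeline script: never forward a Key Vault value into a pipeline variable (or anywhere that ends up in the log) unless it is the single-line scalar the script expected. The script below is an added example and is not code from the issue, the azure-cli project, or the virtual-environments project. The `fake_az_working` and `fake_az_broken` functions are constructed stand-ins that only mimic the two `az keyvault secret show` behaviours described in this thread; in a real job the value would come from `az` (with the jq pipeline above) instead. The `issecret=true` option of the `task.setvariable` logging command is a real Azure Pipelines feature that tells the agent to mask the value in subsequent log output.

```shell
#!/bin/sh
# Added example (not from the issue): guard a Key Vault value before exporting it
# as a pipeline variable. If the CLI regresses and prints the whole JSON object,
# the step fails loudly instead of echoing the secret into the build log.

# A literal newline, used as a pattern in looks_like_scalar_value.
NL="$(printf '\nx')"; NL="${NL%x}"

# Constructed stand-in for: az keyvault secret show ... --query value --output tsv
# on the image where it behaves as expected (one line, the value only).
fake_az_working() {
  printf 'my-secret-value\n'
}

# Constructed stand-in for the regression seen in this thread: the full object
# is printed, secret included, instead of just the value.
fake_az_broken() {
  printf '{\n  "name": "blabla",\n  "value": "my-secret-value"\n}\n'
}

# Returns 0 when $1 looks like a plain scalar: non-empty, a single line, and
# not the start of a JSON object or array. Returns 1 otherwise.
looks_like_scalar_value() {
  case "$1" in
    "")          return 1 ;;   # nothing to export
    *"$NL"*)     return 1 ;;   # multi-line: the --output tsv contract is broken
    "{"*|"["*)   return 1 ;;   # looks like a JSON dump rather than a value
  esac
  return 0
}

# Emits the Azure Pipelines logging command that sets variable $1 to value $2,
# marked as a secret so the agent masks it in later log lines. Prints nothing
# and returns 1 if the value fails the guard, so `set -e` stops the step.
export_secret_variable() {
  var_name=$1
  value=$2
  if ! looks_like_scalar_value "$value"; then
    echo "ERROR: refusing to export '$var_name': CLI output is not a single-line value" >&2
    return 1
  fi
  # printf, not echo: a value containing backslashes must be passed through unchanged.
  printf '##vso[task.setvariable variable=%s;issecret=true]%s\n' "$var_name" "$value"
}

# Demonstration with the two constructed behaviours. In a real pipeline the
# value would come from:
#   value=$(az keyvault secret show --vault-name "$VAULT" --name "$NAME" --output json | jq -r '.value')
export_secret_variable VAULT_VALUE "$(fake_az_working)"
export_secret_variable VAULT_VALUE "$(fake_az_broken)" || echo "step would fail here" >&2
```

The guard is deliberately strict: a legitimate multi-line secret (a PEM key, for instance) is also refused, which is the safe failure, since a multi-line value would have broken the single-line `setvariable` command anyway. Use a secure file or a base64-encoded value for those cases.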

@al-cheb al-cheb added the awaiting-deployment Code complete; awaiting deployment and/or deployment in progress label Nov 18, 2021
Nasicus (Author) commented Nov 19, 2021

@al-cheb Thanks for your help!
Your workaround also worked!

@actions actions deleted a comment Nov 23, 2021
al-cheb (Contributor) commented Nov 24, 2021

@Nasicus , The new version with Python 3.10.0 has been deployed.

[screenshot]

@al-cheb al-cheb closed this as completed Nov 24, 2021