-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
az keyvault logs out secret values on newest macOS image #4535
Comments
@mikhailkoliada
edit: just noted that the newer macOS image also has a newer python version installed. WORKING version (older one):
BROKEN one (newer one):
|
@Nasicus , I wasn't able to reproduce from my side:
But the behavior of the output is different if reinstall az-cli(Python 3.9.8 vs Python 3.10.0):
|
@al-cheb hmm damn... I have no idea what to do then, because we didn't change anything in the pipeline and it literally fails in the SAME pipeline in different stages.... note that in newer builds in now also fails in the stage which previously succeeded, because it's using the newer image there |
@al-cheb wait: in your first screenshot, I think that's already strange, becuase the maybe I should add that after getting the vaultValue we do something like this:
... and maybe this echo / vso cannot handle this "multiline" string edit: not working anymore but I can try to do the uninstall / reinstall as a "workaround" for the moment, since then it looks correct.... => will try tomorrow, but this still seems like a bug... but maybe from the CLI? |
@Nasicus , it's a bug - Azure/azure-cli#20348. Temporary workaround use jq:
|
@al-cheb Thanks for your help! |
@Nasicus , The new version with Python 3.10.0 has been deployed. |
Description
Since yesterday the following command prints out the value of the secret to the console / log statement of the build pipeline (which contains our passwords!). Seems to be related to the newest macos build, still works on older versions as before.
We have a bash script (
.sh
) which looks like this:On the newest mac os image it now prints this to the console / log, whereas before it didn't print anything:
Note that I tried to reproeduce this locally with the same Azure CLI version and even also on MacOS but I couldn't.
See below in which MacOS image it still works as expected.
Virtual environments affected
Image version and build link
Starting: Initialize job
Agent name: 'Hosted Agent'
Agent machine name: 'Mac-1637219675485'
Current agent version: '2.195.0'
Operating System
Virtual Environment
Environment: macos-11
Version: 20211114.1
Included Software: https://github.com/actions/virtual-environments/blob/macOS-11/20211114.1/images/macos/macos-11-Readme.md
Image Release: https://github.com/actions/virtual-environments/releases/tag/macOS-11%2F20211114.1
Virtual Environment Provisioner
Current image version: '20211114.1'
Agent running as: 'runner'
Prepare build directory.
Set build variables.
Download all required tasks.
Downloading task: DownloadBuildArtifacts (0.194.0)
Downloading task: AzureCLI (1.164.0)
Downloading task: DownloadSecureFile (1.193.0)
Downloading task: CmdLine (2.182.0)
Downloading task: AppCenterDistribute (3.186.0)
Checking job knob settings.
Knob: AgentToolsDirectory = /Users/runner/hostedtoolcache Source: ${AGENT_TOOLSDIRECTORY}
Finished checking job knob settings.
Start tracking orphan processes.
Finishing: Initialize job
Is it regression?
Works on 20211106.1
Expected behavior
Do not print gotten secret to the console
Actual behavior
Prints secret to the console
Repro steps
See description above.
The text was updated successfully, but these errors were encountered: