This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days
Question, Bug, or Feature?
Type: Question
Environment
Hosted agent in AzDo cloud
Issue Description
Apparently there is a need to directly expose secret values retrieved from the Azure Key Vault task that are shorter than some configurable number of characters.
Task logs
Specifically these secret values would be visible in the logs. Therein lies the problem, as secret values (along with non-secret values) are intentionally masked in the logs.
The question is:
How can I expose secrets via task log so they won't get masked?
Full Disclosure - I don't think this is a good idea, and I don't want secrets to be directly exposed in the logs. Secrets should stay secret, but due to the way the masking is applied there are some secret values that can be deduced. The solution proposed for this is currently to not mask secret values that are shorter than N characters, which directly exposes the secret values rather than indirectly deducing them. I have tried to get those making the changes to recognize this fix is worse than the current situation but they don't respond via the issue, the PR, or the support case that is open, so I'm trying an issue in a related repo to get someone outside of that team to halt the security mistake being made. Also the solution does not meet the requirements.
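The trade-off described in the issue above, as an added example that is not part of the original issue and is not Azure Pipelines code: a simplified masker, assumed to replace each secret value with `***`, is run over constructed log lines to compare masking every value with skipping values shorter than N characters. The names `mask_log`, `hidden_text`, `compare` and the sample data are hypothetical.

```python
import re

MASK = "***"  # replacement token; simplified model of pipeline log masking

def mask_log(line, secrets, min_length=0):
    """Replace every occurrence of each secret value with MASK.

    min_length models the proposal from the issue: values shorter than
    N characters are left unmasked.
    """
    for value in sorted(secrets, key=len, reverse=True):  # longest first
        if value and len(value) >= min_length:
            line = line.replace(value, MASK)
    return line

def hidden_text(known_line, masked_line):
    """Return the substrings MASK replaced, given a line whose unmasked
    wording is publicly predictable (fixed tool output)."""
    pattern = "(.+?)".join(re.escape(p) for p in masked_line.split(MASK))
    match = re.fullmatch(pattern, known_line)
    return set(match.groups()) if match else set()

# Constructed sample data, not taken from any real pipeline.
SECRETS = ["test"]                       # a 4-character secret value
BANNER = "Running tests in parallel"     # predictable tool output
ECHOED = "login --password test"         # a step that prints the secret

def compare(min_length):
    """Summarise what a log reader learns under a given threshold."""
    banner = mask_log(BANNER, SECRETS, min_length)
    echoed = mask_log(ECHOED, SECRETS, min_length)
    return {
        "banner": banner,
        "echoed": echoed,
        "inferable_from_banner": hidden_text(BANNER, banner),
        "printed_verbatim": [s for s in SECRETS if s in echoed],
    }

if __name__ == "__main__":
    for n in (0, 5):
        print(n, compare(n))
```

With the threshold at 0 the value is masked but can be inferred from the hole it leaves in predictable text; with the threshold at 5 the same value is printed as-is by any step that echoes it.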