Azure Devops Pipeline 中的 Python 脚本不能使用库中的值，如果它是一个秘密

Question

I have an Azure Devops Pipeline setup. It gets some secrets via the yaml

variables
 - group: GROUP_WITH_SECRET

Then in the later part of the pipeline I run a python script that gets that particular secret via

my_pat = os.environ["my_secret"]

That is then used in a library provided by Microsoft ( msrest ) as so:

BasicAuthentication("", my_pat)

If the variable in question, in the ADO Library is set to plain, the script works correctly. If I change it to a secret, connection fails. If I set it back to plain text, it again works.

Question is, how can I make it work with a secret? I've tried printing the value out but since it's a secret it doesn't show me the actual value other than the The user 'aaaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' is not authorized to access this resource

Answer 1

To use the secret variable in Azure Pipeline, you need to explicitly map secret variables in Agent Job.

Based on my test, the Python script task has no environment field to map the secret variables.

So you can add environment variable in PowerShell task to map secret variables. And you can set it as pipeline variable for the next tasks.

Here is an example:

- powershell: |
   echo "##vso[task.setvariable variable=myPass]$env:myPass"
   
  displayName: 'PowerShell Script'
  env:
    myPass: $(myPass)

Then you can use the variable in the next tasks.

For more detailed info, you can refer to this doc: Secret Variable