TFS Build Definition Secret Variables

Question

I have several secret variables in my build definition that I'm passing to a powershell function in the argument property for the build step however they are getting sent in as ******** instead of being decrypted.

The parameters that I'm passing into the call of the powershell script are the following with $(accesskey) and $(secretkey) set as secret in the build definition:

-source "$(CodeDeploySource)" -destination "$(CodeDeployDestination)" -Description "$(Description)" -Location "$(Location)" -ApplicationName "$(ApplicationName)" -DeploymentGroup "$(DeploymentGroup)" -DeploymentConfig "$(DeploymentConfig)" -ak "$(accesskey)" -sk "$(secretkey)" -region "$(region)"

The parameter section of my powershell script is:

param(
[string]$source,
[string]$destination,
[string]$Description,
[string]$Location,
[string]$ApplicationName,
[string]$DeploymentGroup,
[string]$DeploymentConfig,
[string]$ak,
[string]$sk,
[string]$region
)

Is there a configuration that has to be enabled in TFS in order for it to decrypt the secret variable during the build process?

Answer 1

You don't need to do any configuration to decrypt the secret variables. I have reproduced your issue and found in the build log, it shows like *****. Actually, in the Official document it has mentioned that:

Not returned back to the client. They are automatically masked out of any log output from the build or release.

Not decrypted into environment variables. So scripts and programs run by your build steps are not given access by default.

So it can't be seen from the build log. But it won't have effect for your build. The value could be get in the PowerShell script and could be used successfully. It just can't be output because it's a secret variable.