Description
New issue checklist
- I searched for existing GitHub issues
- I read pipeline troubleshooting guide
- I checked how to collect logs
Task name
Azure KeyVault
Task version
2.0
Issue Description
Using the Azure KeyVault task to fetch some secrets from a key vault for use in the next tasks of a release pipeline.
Some of the secrets have empty values.
The task does not create a pipeline variable for secrets with empty values.
As a result, one of the following tasks in the pipeline (specifically, the PowerShell task) fails, because a reference to a pipeline variable that is expected to be created by the Azure KeyVault task is not substituted with the actual value of the variable but kept as a reference to it, which is in turn interpreted by the PowerShell task as a call to a non-existing command.
It looks like the issue is caused by these 3 lines in the code of the KeyVault.setVaultVariable method:
    if (!secretValue) {
        return;
    }
Environment type (Please select at least one environment where you face this issue)
- Self-Hosted
- Microsoft Hosted
- VMSS Pool
- Container
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operation system
Windows 11
Relevant log output
2024-02-13T20:36:03.9405047Z ##[command]"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\5ac667ec-5b1f-43e7-a7e0-67d0c646b118.ps1'"
2024-02-13T20:36:04.2826756Z PipelineSecretEmpty : The term 'PipelineSecretEmpty' is not recognized as the name of a cmdlet, function, script file,
2024-02-13T20:36:04.2827290Z or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
2024-02-13T20:36:04.2827722Z try again.
2024-02-13T20:36:04.2828136Z At D:\a\_temp\5ac667ec-5b1f-43e7-a7e0-67d0c646b118.ps1:5 char:21
2024-02-13T20:36:04.2829322Z + $myEmptySecret = "$(PipelineSecretEmpty)"
2024-02-13T20:36:04.2829540Z + ~~~~~~~~~~~~~~~~~~~
2024-02-13T20:36:04.2829783Z + CategoryInfo : ObjectNotFound: (PipelineSecretEmpty:String) [], ParentContainsErrorRecordException
2024-02-13T20:36:04.2830021Z + FullyQualifiedErrorId : CommandNotFoundException
2024-02-13T20:36:04.2830193Z
2024-02-13T20:36:04.2983016Z ##[debug]Exit code: 1
2024-02-13T20:36:04.3014172Z ##[debug]Leaving Invoke-VstsTool.
2024-02-13T20:36:04.3259460Z ##[error]PowerShell exited with code '1'.
Full task logs with system.debug enabled
2024-02-13T20:36:02.2323907Z Key vault name: KV-GNH-AIS-AZDO-WEU-POC.
2024-02-13T20:36:02.2324810Z ##[debug]set SYSTEM_UNSAFEALLOWMULTILINESECRET=true
2024-02-13T20:36:02.2335680Z ##[debug]Processed: ##vso[task.setvariable variable=SYSTEM_UNSAFEALLOWMULTILINESECRET;isOutput=false;issecret=false;]true
2024-02-13T20:36:02.2336447Z ##[debug]Downloading selected secrets from subscriptionId: 1a7f62a2-8f58-4979-8f93-6ab3c40249a5, vault: KV-GNH-AIS-AZDO-WEU-POC
2024-02-13T20:36:02.2336912Z ##[debug]Downloading part [0 - 2] (total 2 secrets)
2024-02-13T20:36:02.2337310Z ##[debug]Promise for downloading secret value for: PipelineSecretEmpty
2024-02-13T20:36:02.2337654Z Downloading secret value for: PipelineSecretEmpty.
2024-02-13T20:36:02.2338013Z ##[debug]Promise for downloading secret value for: PipelineSecretNotEmpty
2024-02-13T20:36:02.2338292Z Downloading secret value for: PipelineSecretNotEmpty.
2024-02-13T20:36:02.2338631Z ##[debug]MSAL - getMSALToken called. force=undefined
2024-02-13T20:36:02.2338992Z ##[debug]agent.proxyurl=undefined
2024-02-13T20:36:02.2339351Z ##[debug]agent.proxybypasslist=undefined
2024-02-13T20:36:02.2339722Z ##[debug]MSAL - ServicePrincipal - clientSecret is used.
2024-02-13T20:36:02.2340198Z ##[debug][Tue, 13 Feb 2024 20:36:02 GMT] : @azure/[email protected] : Info - acquireTokenByClientCredential called
2024-02-13T20:36:02.3064012Z ##[debug]Agent running environment resource - Disk:C:\ Windows available:72859.00MB out of 261643.00MB, Memory: used 7MB out of 7167MB, CPU: usage 63.35
2024-02-13T20:36:02.4945167Z ##[debug]MSAL - retrieved token - isFromCache?: false
2024-02-13T20:36:02.4946069Z ##[debug]CLIENT_RESETSTREAMONRETRY=undefined
2024-02-13T20:36:02.4946696Z ##[debug][GET]https://KV-GNH-AIS-AZDO-WEU-POC.vault.azure.net/secrets/PipelineSecretEmpty?api-version=2016-10-01
2024-02-13T20:36:02.4977161Z ##[debug]MSAL - getMSALToken called. force=undefined
2024-02-13T20:36:02.4977826Z ##[debug][Tue, 13 Feb 2024 20:36:02 GMT] : @azure/[email protected] : Info - acquireTokenByClientCredential called
2024-02-13T20:36:02.4993516Z ##[debug]MSAL - retrieved token - isFromCache?: true
2024-02-13T20:36:02.4994018Z ##[debug]CLIENT_RESETSTREAMONRETRY=undefined
2024-02-13T20:36:02.4994629Z ##[debug][GET]https://KV-GNH-AIS-AZDO-WEU-POC.vault.azure.net/secrets/PipelineSecretNotEmpty?api-version=2016-10-01
2024-02-13T20:36:02.6129272Z ##[debug]SYSTEM_DONOTMASKMULTILINESECRETS=undefined
2024-02-13T20:36:02.6185360Z ##[debug]set PipelineSecretNotEmpty=********
2024-02-13T20:36:02.6207170Z ##[debug]Processed: ##vso[task.setvariable variable=PipelineSecretNotEmpty;isOutput=false;issecret=true;]***
2024-02-13T20:36:02.6219520Z ##[debug]set PipelineSecretNotEmpty=********
2024-02-13T20:36:02.6225103Z ##[debug]Processed: ##vso[task.setvariable variable=PipelineSecretNotEmpty;isOutput=false;issecret=true;]***
2024-02-13T20:36:02.6225878Z ##[debug]Downloaded part [0 - 2] (took 1506 ms) (total 2 secrets)
2024-02-13T20:36:02.6226349Z ##[debug]task result: Succeeded
2024-02-13T20:36:02.6227372Z ##[debug]Processed: ##vso[task.complete result=Succeeded;]
2024-02-13T20:36:02.6252787Z ##[section]Finishing: Azure Key Vault: KV-GNH-AIS-AZDO-WEU-POC
Repro steps
1. Create a KeyVault secret with empty string as a secret value, let's say it is named PipelineSecret.
2. Create a release pipeline.
3. Add an Azure KeyVault task to the pipeline and specify the secret name from step 1 as a filter for the secrets.
4. Add a PowerShell task with inline script, in the script try to reference the pipeline variable for the secret that is supposed to be created by the Azure KeyVault task, for example:
$MySecret = "$(PipelineSecret)"
5. The PowerShell task fails with an error message like "PipelineSecret: The term 'PipelineSecret' is not recognized as the name of a cmdlet, function, script file, or operable program." as the pipeline variable named PipelineSecret was not created by the Azure KeyVault task.
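
The behaviour reported above, as an added example that is not part of the original issue and is not the task's own code: the quoted falsy check is set beside a guard that skips only missing values, and a pre-flight check lists $(Name) references left unexpanded. The variable store, the simplified macro-expansion model and every function name except the quoted check are assumptions made for illustration.

```typescript
// Added illustration. Only the falsy check and the PipelineSecret* names come
// from the issue; the variable store and macro model are assumptions.
type Vars = { [name: string]: string };

// Mirrors the check quoted in the issue: every falsy value, including "", is skipped.
function setVaultVariableTruthy(vars: Vars, name: string, secretValue?: string | null): void {
  if (!secretValue) {
    return;
  }
  vars[name] = secretValue;
}

// Alternative guard: skip only when no value was returned at all.
function setVaultVariableNullish(vars: Vars, name: string, secretValue?: string | null): void {
  if (secretValue === undefined || secretValue === null) {
    return;
  }
  vars[name] = secretValue;
}

// Simplified model of $(Name) expansion: defined variables are substituted,
// references to undefined variables are left in the script text unchanged.
function expandMacros(script: string, vars: Vars): string {
  return script.replace(/\$\(([\w.]+)\)/g, (ref: string, name: string) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : ref);
}

// Pre-flight check: names still present as $(Name) after expansion.
function unresolvedRefs(expanded: string): string[] {
  const re = /\$\(([\w.]+)\)/g;
  const names: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(expanded)) !== null) {
    names.push(m[1]);
  }
  return names;
}

// Constructed input: the script line from the log, with an empty secret value.
const SCRIPT = '$myEmptySecret = "$(PipelineSecretEmpty)"';

function runCase(setter: (v: Vars, n: string, s?: string | null) => void): string {
  const vars: Vars = {};
  setter(vars, "PipelineSecretEmpty", "");
  setter(vars, "PipelineSecretNotEmpty", "constructed-value");
  return expandMacros(SCRIPT, vars);
}
```

Running unresolvedRefs over the expanded script before it is handed to PowerShell turns the CommandNotFoundException seen in the log into an explicit list of missing variable names.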