azureazure-devopsazure-cli

az mysql flexible-server create writes password in the logs

I am creating a mysql server in Azure using azure-cli in a bash script in Azure DevOps.

The problem I have is that when I run the command az mysql flexible-server create it creates the server, but it writes the connection string back in the logs, as well as in a warning after. Adding --only-show-errors it hides the mention in the warning but still write the password in the connection string. Does not seem like a very secure way!

Is there a way I can obfuscate or remove the password?

Thanks in advance.

 az mysql flexible-server create --resource-group $resourcegroup \
                       --name $sername \
                       --location $location \
                       --admin-user $adminusername \
                       --admin-password $adminpassword \
                       --sku-name $sku \
                       --version $mysqlversion \
                       --yes \
                       --only-show-errors \
                       --tags CreatedBy=AzDO CreatedOn=$(date +"%Y-%m-%d")
Solution

  • I was able to reproduce the issue outside of pipelines when running the command az mysql flexible-server create and providing a plain text value for the --admin-password argument.

    repro

    To redact the server admin password appearing in the logs upon the resource creation, you may define a secret variable in your pipeline and reference it in the script.

    secretvar

    Here is a sample YAML pipeline.

    steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'ARMSvcCnnWIFSubZ'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      sername="xxxsqlserver2"
      resourcegroup="rg-azmysql"
      location="southeastasia"
      adminusername="sqladmin"
      sku="Standard_B1ms"
      mysqlversion="8.4"
      dbname="mytestdb"
      
      # Use pipeline sercret variable for the --admin-password argument
      adminpassword="$(adminpassword)"

      az mysql flexible-server create --resource-group $resourcegroup \
                       --name $sername \
                       --location $location \
                       --admin-user $adminusername \
                       --admin-password $adminpassword \
                       --sku-name $sku \
                       --version $mysqlversion \
                       --yes \
                       --only-show-errors \
                       --tags CreatedBy=AzDO CreatedOn=$(date +"%Y-%m-%d")

    redacted