azure, azure-devops, azure-cli

az mysql flexible-server create writes password in the logs


I am creating a MySQL server in Azure using azure-cli in a bash script in Azure DevOps.

The problem I have is that when I run the command az mysql flexible-server create, it creates the server but writes the connection string back in the logs, as well as in a warning afterwards. Adding --only-show-errors hides the mention in the warning but still writes the password in the connection string. That does not seem like a very secure way!

Is there a way I can obfuscate or remove the password?

Thanks in advance.

 # Variables are quoted so a password containing spaces or glob characters is passed intact
 az mysql flexible-server create --resource-group "$resourcegroup" \
                        --name "$sername" \
                        --location "$location" \
                        --admin-user "$adminusername" \
                        --admin-password "$adminpassword" \
                        --sku-name "$sku" \
                        --version "$mysqlversion" \
                        --yes \
                        --only-show-errors \
                        --tags CreatedBy=AzDO CreatedOn=$(date +"%Y-%m-%d")

Solution

  • I was able to reproduce the issue outside of pipelines when running the command az mysql flexible-server create and providing a plain text value for the --admin-password argument.

    To redact the server admin password appearing in the logs upon the resource creation, you may define a secret variable in your pipeline and reference it in the script.

    Here is a sample YAML pipeline.

    steps:
    - task: AzureCLI@2
      inputs:
        azureSubscription: 'ARMSvcCnnWIFSubZ'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          sername="xxxsqlserver2"
          resourcegroup="rg-azmysql"
          location="southeastasia"
          adminusername="sqladmin"
          sku="Standard_B1ms"
          mysqlversion="8.4"
          dbname="mytestdb"
          
          # Use pipeline secret variable for the --admin-password argument
          adminpassword="$(adminpassword)"
    
          # Variables are quoted so the password is passed as a single argument
          az mysql flexible-server create --resource-group "$resourcegroup" \
                           --name "$sername" \
                           --location "$location" \
                           --admin-user "$adminusername" \
                           --admin-password "$adminpassword" \
                           --sku-name "$sku" \
                           --version "$mysqlversion" \
                           --yes \
                           --only-show-errors \
                           --tags CreatedBy=AzDO CreatedOn=$(date +"%Y-%m-%d")
    

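The same redaction can be done in the script itself, so that it does not depend on where the script runs. The following is an added example, not part of the question or the answer above: a POSIX shell wrapper that filters a command's stdout and stderr and replaces a known secret with `***`. The names `mask_secret`, `run_masked` and `fake_create` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.

# mask_secret SECRET: copy stdin to stdout with every literal occurrence of
# SECRET replaced by ***. The value reaches awk through the environment, so it
# is not in awk's argument list, and index() matches it as plain text, so
# characters such as . * [ in a password are not treated as a pattern.
mask_secret() {
  MASK_VALUE="$1" awk '
    BEGIN { s = ENVIRON["MASK_VALUE"] }
    {
      out = ""; line = $0
      while (s != "" && (i = index(line, s)) > 0) {
        out = out substr(line, 1, i - 1) "***"
        line = substr(line, i + length(s))
      }
      print out line
    }'
}

# run_masked SECRET CMD [ARGS...]: run CMD with stdout and stderr both passed
# through mask_secret, and return CMD's own exit status (only that status is
# written to the temporary file, never the output).
run_masked() {
  secret="$1"; shift
  status_file="$(mktemp)" || return 1
  { rc=0; "$@" 2>&1 || rc=$?; echo "$rc" > "$status_file"; } | mask_secret "$secret"
  read -r rc < "$status_file"
  rm -f "$status_file"
  return "$rc"
}

# Constructed stand-in for a CLI that echoes a connection string and a warning.
fake_create() {
  echo "connection_string: mysql://sqladmin:$1@example.invalid/db"
  echo "WARNING: keep the password '$1' safe" >&2
}

# Demo with a constructed password; in the pipeline script the call would be
#   run_masked "$adminpassword" az mysql flexible-server create ...
run_masked 'P.w*[1]' fake_create 'P.w*[1]'
```

Only the exact literal value is masked; if a tool prints the password URL-encoded or split across lines, that form passes through unchanged.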