I am creating a mysql server in Azure using azure-cli in a bash script in Azure DevOps.
The problem I have is that when I run the command az mysql flexible-server create, it creates the server, but it writes the connection string back in the logs, as well as in a warning afterwards. Adding --only-show-errors hides the mention in the warning but still writes the password in the connection string. That does not seem like a very secure way!
Is there a way I can obfuscate or remove the password?
Thanks in advance.

    az mysql flexible-server create --resource-group "$resourcegroup" \
        --name "$sername" \
        --location "$location" \
        --admin-user "$adminusername" \
        --admin-password "$adminpassword" \
        --sku-name "$sku" \
        --version "$mysqlversion" \
        --yes \
        --only-show-errors \
        --tags CreatedBy=AzDO CreatedOn="$(date +"%Y-%m-%d")"

I was able to reproduce the issue outside of pipelines when running the command az mysql flexible-server create and providing a plain text value for the --admin-password argument.
To redact the server admin password appearing in the logs upon the resource creation, you may define a secret variable in your pipeline and reference it in the script.
Here is a sample YAML pipeline.

    steps:
    - task: AzureCLI@2
      inputs:
        azureSubscription: 'ARMSvcCnnWIFSubZ'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          sername="xxxsqlserver2"
          resourcegroup="rg-azmysql"
          location="southeastasia"
          adminusername="sqladmin"
          sku="Standard_B1ms"
          mysqlversion="8.4"
          dbname="mytestdb"
          # Use pipeline secret variable for the --admin-password argument
          adminpassword="$(adminpassword)"
          az mysql flexible-server create --resource-group "$resourcegroup" \
            --name "$sername" \
            --location "$location" \
            --admin-user "$adminusername" \
            --admin-password "$adminpassword" \
            --sku-name "$sku" \
            --version "$mysqlversion" \
            --yes \
            --only-show-errors \
            --tags CreatedBy=AzDO CreatedOn="$(date +"%Y-%m-%d")"
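
A defence-in-depth wrapper for the script above, as an added example that is not part of either post: it captures the command's output and replaces the literal password with *** before anything is written to the log. The names redact_stream, run_redacted and sample_cmd are hypothetical, and the sample output is constructed, not real az output.

```shell
#!/usr/bin/env bash
# Added example (not from the original posts): keep a known secret out of
# captured command output before it is written to the build log.

# redact_stream SECRET
# Copies stdin to stdout, replacing each literal occurrence of SECRET with ***.
# The secret reaches awk through the environment and is matched with index(),
# so regex or sed metacharacters in the password need no escaping.
redact_stream() {
  REDACT_SECRET="$1" awk '
    BEGIN { s = ENVIRON["REDACT_SECRET"]; n = length(s) }
    {
      rest = $0; out = ""
      while (n > 0 && (i = index(rest, s)) > 0) {
        out = out substr(rest, 1, i - 1) "***"
        rest = substr(rest, i + n)
      }
      print out rest
    }'
}

# run_redacted SECRET CMD [ARGS...]
# Runs CMD, captures stdout and stderr together, prints the redacted text,
# and returns CMD's own exit status so a failed deployment still fails the step.
run_redacted() {
  local secret="$1" out rc
  shift
  # The "&& ... ||" form keeps a failing CMD from aborting early under `set -e`.
  out=$("$@" 2>&1) && rc=0 || rc=$?
  printf '%s\n' "$out" | redact_stream "$secret"
  return "$rc"
}

# Constructed stand-in for a CLI that echoes the password back; not real az output.
sample_cmd() {
  printf '{"connectionString": "mysql --user=sqladmin --password=%s", "password": "%s"}\n' "$1" "$1"
  printf 'WARNING: keep this password safe: %s\n' "$1" >&2
}

# Intended use in the pipeline script (flags as in the posts above):
#   run_redacted "$adminpassword" az mysql flexible-server create \
#     --admin-password "$adminpassword" ... --yes --only-show-errors
```

Only the exact literal value is replaced; an encoded form of the password (URL-encoded or base64, for example) would pass through unchanged.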