Powershell Access Azure DevOps Secret Variables

We had a requirement to create a new project in Azure DevOps and needed to migrate all of the pipelines to the new project. Lo and behold, no one knew all of the secrets, and export / import doesn't accomplish this.

I wrote a script to output all environment variables into an "Extensions" tab next to the build summary. It's formatted and everything.

The key to outputting the secret is by altering the string by inserting the '<-eliminate->' phrase within the secret value and saving to a file. Once the file is created, we then remove all instances of the string '<-eliminate->', save the file, and there it sits as an extension page to the build summary.

I would like to somehow find All secrets dynamically, but for now manually defining the variable name does the trick.

I re-formatted for this post and removed proprietary info, please let me know if it's broken :)

function GetSecretLength ($secretVar){     $i = 0;     while($true){          try {                $secretVar.substring(0,$i)|out-null           } catch {                break          };          $i++;      }     if ($i -le 1) { return 1 }     else { return $i-1 };} function GetSecret($secret){     $length = GetSecretLength($secret);     if ($length -ge 2) {        return $secret.substring(0,$length-1 )+"<-eliminate->"+$secret.substring($length-1,1)    } elseif ($length -eq 1) {        return $secret+"<-eliminate->"    } else {        return ""    }} $var = (gci env:*).GetEnumerator() | Sort-Object Name$out = ""Foreach ($v in $var) { $out = $out + "`t{0,-28} = {1,-28}`n" -f $v.Name, (GetSecret($v.Value)) }$fileName = "$env:BUILD_ARTIFACTSTAGINGDIRECTORY\build-variables.md"write-output "dump variables on $fileName"set-content $fileName $outwrite-output "##vso[task.addattachment type=Distributedtask.Core.Summary;name=Environment Variables;]$fileName"((Get-Content -path $fileName -Raw) -replace '<-eliminate->', '') | Set-Content -Path $fileName

You have to add the secret variables that you want into the "Environment Variables" of the Powershell task:

You end up with this pretty tab:

Why not just store the password in a keyvault as a secret? then there are azure commands for accessing the secret, and avoid all this. Heck, we generate random passwords, store them in keyvaults, then access the contents in the appropriate resource, without ever needing to expose the decrypted secret in a powershell command, like in an ARM template for an azure sql server database.

I know this doesn't solve your initial question, but it is a workaround that does work.