Hardening your defense in depth with secrets awareness in Azure command line tools
Published Feb 06 2024 04:50 PM 6,070 Views
Microsoft

When using one of the Azure client tools, you will likely have to deal with secrets that are returned by the Azure APIs. A common scenario would be to retrieve a storage account key to be able to perform other operations subsequently in your pipeline.

 

DevOps engineer developing scripts to be used in the pipelines should pay attention to the sensitivity of the output of the commands being executed at the risk of exposing sensitive information. This becomes particularly important when the output of commands is stored in log files like this would be the case in GitHub actions or other DevOps runners.

This scenario was recently described in details in this article from Palo Alto Network.

 

“Forewarned is forearmed”

 

The issue mentioned in the blog from Palo Alto Networks has been fixed in az cli version 2.54 and Azure PowerShell v11.0, however we wanted to provide our customers with a solution that is adaptive to similar situations regardless of the command outputs format or version of the client.

 

We think that our customers will take the decisions that fits their business needs if we give them the adequate information. Our first step is to detect secrets in the output of any command and display a warning message when a secret has been identified.

The following image shows the warning message with az cli version 2.57, available on February 6, 2024.

 

Picture1.png

 

The same functionality can also be enabled in Azure PowerShell. This will apply in Azure PowerShell versions 11.4.0 and above.

 

Alexwdy_0-1711954103717.png

 

Availability and default behavior

 

Local installation, Azure DevOps, GitHub action, etc…: Disabled by default.

Adding a warning message in the output of a command line tool may break DevOps pipelines that rely on the tool, so initially, this is disabled by default.

We encourage you to try it out and see if you are exposing secrets in any of your pipelines.

 

CloudShell: Enabled by default.

Because CloudShell is not indented to be used to execute pipelines and because this capability is security related, we are activating this feature by default in CloudShell.

 

Configuration

 

The following options controls the behavior of Azure CLI regarding the detection of secrets.

 

Environment variable

AZURE_CLIENTS_SHOW_SECRETS_WARNING=True

Value:

  • True: warning message will be displayed
  • False: warning message will NOT be displayed

 

Azure cli setting

az config set clients.show_secrets_warning=yes

Warning messages will be displayed

 

az config set clients.show_secrets_warning=no

Warning messages will NOT be displayed

 

Azure PowerShell setting

Update-AzConfig -DisplaySecretsWarning $True

Warning messages will be displayed.

 

Update-AzConfig -DisplaySecretsWarning $False

Warning messages will NOT be displayed.

 

You can also use the $Env:AZURE_CLIENTS_SHOW_SECRETS_WARNING environment variable to disable the warning message.

 

Set-Item -Path Env:\AZURE_CLIENTS_SHOW_SECRETS_WARNING -Value $False

 

Additional considerations

 

Impact on your pipelines

Read the following before activating the warning message in DevOps pipelines! We use the stderr stream to show the warning message, this may cause issues if your DevOps pipeline is configured to fail in such circumstances.

 

For example, if the ‘failOnStderr’ parameter is set to ‘True’ of the Bash v3 task for Azure DevOps, the warning message will halt the pipeline.

 

Is it a good or a bad thing? It really depends how certain you are that there are no secrets in your Azure DevOps logs. You could consider enabling the warning message to identify if any secrets are exposed in your pipelines and take remediation actions.

 

Secrets identification

This version identifies a limited set of secrets, like access tokens, storage account keys, … and we will enrich our list in the upcoming releases.

 

Feedback

We believe this will help anyone using Azure CLI and Azure PowerShell hardening their security defense in depth and be more conscious of secrets.

 

We want to hear from your experience with warning on secrets in command outputs. Please share a comment or open a GitHub issue:

Azure CLI:  https://github.com/Azure/azure-cli/issues/new/choose

Azure PowerShell: https://github.com/Azure/azure-powershell/issues/new/choose

 

Co-Authors
Version history
Last update:
‎Jun 13 2024 10:07 PM
Updated by: