Description
Describe the bug
Input parameters of type @secured in a Bicep template are accepted, but some of the secure strings are displayed in plain text in the logs.
To Reproduce
- Define a Bicep template, e.g. for an Azure Container App, with secured parameters. For example:
@secure()
param storePassword string
@secure()
param clientSecret string
...
- Deploy the template with Azure CLI:
az deployment group create \
-g my-resource-group \
-n my-container-app \
--template-file my-container-app.bicep \
--parameters storePassword=$STORE_PASSWORD \
--parameters clientSecret=$CLIENT_SECRET \
...
--debug
- Then some of the secured parameters such as clientSecret are displayed in the logs.
DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', '-g', 'my-resource-group', '-n', 'my-container-app', '--template-file', 'my-container-app.bicep', '--parameters', 'storePassword=[MASKED]', '--parameters', 'clientSecret=plain text of secret','--debug']
Expected behavior
All secured strings should be masked as follows:
DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', '-g', 'my-resource-group', '-n', 'my-container-app', '--template-file', 'my-container-app.bicep', '--parameters', 'storePassword=[MASKED]', '--parameters', 'clientSecret=[MASKED]','--debug']
Environment summary
Azure CLI version 2.42.0 and 2.44.1
Additional context
The values of variables such as $STORE_PASSWORD or $CLIENT_SECRET come from GitLab CI/CD variables or from Azure through Azure CLI. The plain text of secured strings can also be displayed in other log statements such as:
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: {"properties" .....
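A log filter for the `Command arguments` line quoted in this report, as an added example that is not part of the original issue or of Azure CLI: it masks every name=value passed to `--parameters` (or `-p`) before the debug output is stored, for instance in a CI job log. The function names, the sample line and the fail-closed handling are assumptions of this example, and it does not cover the `Request body` lines.

```python
import ast
import re
import sys

MASK = "[MASKED]"
# Line shape quoted in the issue: "<logger prefix>Command arguments: [<Python list repr>]"
CMD_ARGS = re.compile(r"^(?P<prefix>.*Command arguments: )(?P<argv>\[.*\])\s*$")
# Constructed sample in the shape of the log line from the issue.
SAMPLE = ("DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', "
          "'--parameters', 'clientSecret=plain text of secret', '--debug']")


def mask_pair(arg):
    """Mask the value of name=value; other forms (e.g. @file) are returned unchanged."""
    name, sep, _ = arg.partition("=")
    return f"{name}={MASK}" if sep else arg


def redact_argv(argv):
    """Mask every name=value token that belongs to --parameters / -p."""
    out, in_params = [], False
    for arg in argv:
        if arg.startswith("--parameters="):
            arg, in_params = "--parameters=" + mask_pair(arg[len("--parameters="):]), False
        elif arg.startswith("-"):
            in_params = arg in ("--parameters", "-p")
        elif in_params:
            arg = mask_pair(arg)
        out.append(arg)
    return out


def redact_line(line):
    """Redact one log line; anything that is not a 'Command arguments' line passes through."""
    m = CMD_ARGS.match(line)
    if not m:
        return line
    try:
        argv = [str(a) for a in ast.literal_eval(m.group("argv"))]
    except (ValueError, SyntaxError, TypeError):
        # Fail closed: an argument list that cannot be parsed is replaced, not echoed.
        return m.group("prefix") + repr([MASK])
    return m.group("prefix") + repr(redact_argv(argv))


if __name__ == "__main__":
    # Filter mode: redact az --debug output piped on stdin; with no pipe, show the sample.
    for raw in (sys.stdin if not sys.stdin.isatty() else [SAMPLE]):
        print(redact_line(raw.rstrip("\n")))
```

Because `az` writes its debug log to stderr, merge the streams (`2>&1`) before piping the output through the filter.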