Secure string type Pipeline parameter

  • Question

  • Hello Team,

    I need to pass a password as a pipeline parameter, but it needs to be secured, so I defined the type as secure string.

    But after updating the type to secure string from string, I am not able to pass the parameter value to a pipeline variable.

    I am getting the below error:

    "errorCode": "BadRequest", "message": "The variable 'Test' of type 'String' cannot be initialized or updated with value '{\r\n \"type\": \"SecureString\",\r\n \"value\": \"Test\"\r\n}' of type 'Object'. The variable 'Test' only supports values of types 'String'.", "failureType": "UserError", "target": "Set Variable1"

    So how can one pass a secure string type pipeline parameter to a pipeline variable? (I am using the Set Variable activity.)

    Tuesday, July 16, 2019 7:01 AM

Answers

  • Thank you for this interesting problem.  At first this seems to be difficult, but I found a way to extract the value from the secureString.  In a set variable (string type) I used:

    @{json(string(pipeline().parameters.password)).value}

    I was inspired by the error code you provided.  The error code contained the JSON object of the password.  I noticed that this is what I got when I tried using the secureString as input to my own Web activity.  Before it can be used by web activity, it must be changed into a string, or so I reasoned.  Therefore, why not try changing to string, then changing back to JSON, grabbing the value, and then reconverting to string.

    Since this is now an obvious security hole, I don't know how long it will work.

    Wednesday, July 17, 2019 6:26 PM
    Moderator
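
Added example, not part of the thread and not Microsoft tooling: a small check over an exported pipeline definition that reports every Set Variable or Append Variable activity whose value expression references a SecureString parameter, as the expression in the answer above does, since the copy ends up in an ordinary String variable. The sample pipeline is constructed; the check assumes top-level activities and dot-style `pipeline().parameters.name` references.

```python
import json
import re

# Constructed sample pipeline definition; names mirror the thread, values are placeholders.
SAMPLE_PIPELINE = json.loads('''
{"name": "SamplePipeline", "properties": {
  "parameters": {"password": {"type": "SecureString"}, "TenantID": {"type": "String"}},
  "variables": {"Test": {"type": "String"}},
  "activities": [
    {"name": "Set Variable1", "type": "SetVariable", "typeProperties": {"variableName": "Test",
      "value": {"value": "@{json(string(pipeline().parameters.password)).value}", "type": "Expression"}}},
    {"name": "Set Variable2", "type": "SetVariable", "typeProperties": {"variableName": "Test",
      "value": {"value": "@pipeline().parameters.TenantID", "type": "Expression"}}}
  ]}}
''')

# Matches dot-style parameter references inside an expression string.
PARAM_REF = re.compile(r"pipeline\(\)\.parameters\.([A-Za-z_][A-Za-z0-9_]*)")

def secure_params(pipeline):
    """Names of pipeline parameters declared with type SecureString (case-insensitive)."""
    params = pipeline.get("properties", {}).get("parameters", {})
    return {n for n, d in params.items() if str(d.get("type", "")).lower() == "securestring"}

def strings_in(node):
    """Yield every string found anywhere inside a nested JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from strings_in(v)
    elif isinstance(node, list):
        for v in node:
            yield from strings_in(v)

def find_secret_copies(pipeline):
    """Return (activity, variable, parameter) for each variable fed by a SecureString parameter."""
    secure = secure_params(pipeline)
    findings = []
    for act in pipeline.get("properties", {}).get("activities", []):
        if act.get("type") not in ("SetVariable", "AppendVariable"):
            continue
        props = act.get("typeProperties", {})
        for text in strings_in(props.get("value")):
            for name in PARAM_REF.findall(text):
                if name in secure:
                    findings.append((act["name"], props.get("variableName"), name))
    return findings

if __name__ == "__main__":
    for activity, variable, param in find_secret_copies(SAMPLE_PIPELINE):
        print(f"{activity}: SecureString parameter '{param}' copied into variable '{variable}'")
```
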

All replies

  • Hello Nandan Hegde, and thank you for your inquiry.

    I have reproduced the error you are getting.  Thank you for the details.  I also found a caveat when trying to use them with Git.

    Could you please explain to me what you are trying to do?  In any case where you need to use the password, you could reference the pipeline parameter directly.  The main use case involving passwords and variables I can think of would be to construct an array of passwords, to be used in a parameterized dataset and linked service, however that would require the Append Variable activity, which I have found the secure string CAN be used in.

    Thank you for your patience,
    Martin Jaffer

    Tuesday, July 16, 2019 6:49 PM
    Moderator
  • Hello Martin,

    I am trying to generate an OAuth token via web activity:

    wherein the URL value is:

    @concat('https://login.microsoftonline.com/',pipeline().parameters.TenantID,'/oauth2/token')

    Body is:

    @concat('grant_type=client_credentials&resource=https://management.azure.com&client_id=',pipeline().parameters.ClientID1,'&client_secret=',encodeUriComponent(pipeline().parameters.ClientSecret1))

    wherein I am trying to send the clientId and client secret via pipeline parameters.

    When I keep the type of the parameter as string and pass the value, the web activity runs successfully and generates the OAuth token.

    But since the client secret should not be visible to others, I updated the data type to SecureString.

    After updating to secure string, the web activity fails with the error:

    { "errorCode": "2108", "message": "{\"error\":\"unauthorized_client\",\"error_description\":\"AADSTS700016: Application with identifier '{\\\"type\\\":\\\"SecureString\\\",\\\"value\\\":\\\"xxxx-xxxx-xxxxx-xxxx-xxxxx\\\"}' was not found in the directory

    }

    where xxxx-xxxx-xxxx-xxxx is the original value which I have scrubbed in this thread.

    So when we define the parameter as secure string, do we need to add some other condition while consuming the parameter in another activity to get the original value?

    Wednesday, July 17, 2019 5:46 AM
  • Was this able to help you @Nandan Hegde?
    Thursday, July 18, 2019 9:01 PM
    Moderator
  • Thank you very much Martin.

    It was very helpful. :)

    Friday, July 19, 2019 2:59 AM