Using SAS Token in VSTS Template


  • I am trying to build a CI/CD pipeline for Data Lake Gen 2 and I have run into a bit of a problem. I have tried many options but none seem to work. Basically, I am trying to create the data lake from a template using a link template and then trying to create a FileSystem using a PowerShell script.

    Now, the Data Lake gets created which is all fine. The problem is in the PowerShell script where I am trying to create a FileSystem by using the REST API and passing the SAS token, generated in earlier steps in the Release pipeline.

    I can run the PowerShell script locally without errors but it just does not work in the VSTS PowerShell script task. The problem is passing and parsing the value of the SAS token

    So, my PowerShell Script looks like (and I have tried multiple versions of this):

    param (

    $uri='https://' + $json.storageName.value + ''+$approvedTemplatesToken+'&resource=filesystem'
    Write-Host $uri
    # try {
    Invoke-RestMethod -Uri $uri -Method Put
    # }
    # catch {
    # Write-Host "File System Already Exists"
    # }

    In VSTS, in the arguments section, I pass something like:

    -ARMOutput '$(armtemplateoutput)' -approvedTemplatesToken '$(ApprovedTemplatesToken)'

    When I see the log output I see that the value of $(ApprovedTemplatesToken) is "***" and it fails saying , please pass authentication info. If I pass the argument list like the following (without the quotes)

    -ARMOutput '$(armtemplateoutput)' -approvedTemplatesToken '$(ApprovedTemplatesToken)'

    It prints the correct value in the release log but fails saying "& can't be used..bla bla" (basically special characters).

    I have also tried checking if this is a secure string that is passed (the value of ***) and changed the code to see if the following could work, but again no success

    $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($approvedTemplatesToken)

    $InsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

    So, the thing is the value of the SAS Token is available and can be seen (only in release logs) if not passed with quotes in the PowerShell task, but then of course fails. If passed with quotes (single or double), it passes the value of "***", which I assume is a SecureString but then I can't parse it even with the code above.

    How do I solve this?

    EDIT: 12-04-2019: The secret variable that I have seem to part of a variable group and this seems to be an issue similar to

    The user did raise a bug here :

    But it seems to have been closed saying can't be reproduced, but that is probably exactly what's happening in my case.

    Any update on this "bug"?

    Thursday, April 11, 2019 2:57 PM

All replies