APIM - set body return variable as secret

Pothiraj, Saranya-ADM 0

Hi Team,

I have below policy

<outbound>
        <base />
        <choose>
            <when condition="@(context.Response.StatusCode == 200)">
                <set-status code="200" reason="ok" />
                <set-body template="liquid" >
                {
                    {{context.Variables["vault_response"]["data"]["data"]}}
                }
                </set-body>
            </when>
            <otherwise>
                <set-status code="@(context.Response.StatusCode)" reason="Bad Request" />
                <set-body>@(((IResponse)context.Variables["response"]).Body.As<JObject>(preserveContent: true).ToString())</set-body>
            </otherwise>
        </choose>

Where in set-body i return the secrets DB username and password to Azure Devops Pipeline

Here is the pipeline script:

 try {
      $params = @{
          ContentType = 'application/x-www-form-urlencoded'
          Method = 'GET'
          URI = 'https://apim.ddd.com/test-apim-login/v1/sys/health'
      }
      $token = Invoke-RestMethod @params
      Write-host $token
    }

Return value in pipeline:

{

"vault_response":""password": "msadfajfnbafb""username": "abcdef""

}

But i need the return value as hidden secret

{

"vault_response":""password": ******** "username":********

}

Please let me know how to achieve this

Shireesha Eeraboina 1,315 Reputation points Microsoft Vendor

2025-01-21T07:29:12.9466667+00:00
Hi @Pothiraj, Saranya-ADM,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

To achieve this, you can modify your policy to mask the secrets before returning them. Here's an updated version of your policy.

<outbound> <base /> <choose> <when condition="@(context.Response.StatusCode == 200)"> <set-status code="200" reason="ok" /> <set-body template="liquid" > { "vault_response": { "password": "********", "username": "********" } } </set-body> </when> <otherwise> <set-status code="@(context.Response.StatusCode)" reason="Bad Request" /> <set-body>@(((IResponse)context.Variables["response"]).Body.As<JObject>(preserveContent: true).ToString())</set-body> </otherwise> </choose> </outbound>

This policy will replace the actual values of password and username with asterisks before returning the response and for your pipeline script, you don't need to change anything since the policy itself will handle the masking of the secrets.

I hope the above provided information might help you, if you have any further queries, please feel free to reach out to us.

Pothiraj, Saranya-ADM 0

If i dont pass the value , how it will mask the value.

the response will be set in to the variable as below and then i pass it to the outbound set-body

How i can construct this from below variable.

{ "vault_response": { "password": "", "username": "" } }

set-variable (0.025 ms)
{
    "message": "Context variable was successfully set.",
    "name": "vault_response",
    "value": {
        "request_id": "2eb1",
        "lease_id": "database/creds/",
        "renewable": true,
        "lease_duration": 900,
        "data": {
            "password": "nakjfdadfjbadfhad",
            "username": "mndafbajdfnbamfnbsdaf"
        },
        "wrap_info": null,
        "warnings": null,
        "auth": null,
        "mount_type": "database"
    }
}

Shireesha Eeraboina 1,315 Microsoft Vendor

Hi @Pothiraj, Saranya-ADM,

To mask the password and username values dynamically based on the response stored in the vault_response variable, you need to implement a transformation within the APIM policy that ensures these fields are replaced with asterisks if they are not empty. You can check if these values are present and then apply the masking logic accordingly.

Here’s how you can construct the logic using the APIM policy to handle this dynamically:

<base />

<choose>

    <when condition="@(context.Response.StatusCode == 200)">

        <set-status code="200" reason="ok" />

        <set-body template="liquid">

            {

                "vault_response": {

                    "password": "{% if context.Variables['vault_response']['data']['password'] != '' %}********{% else %}{{ context.Variables['vault_response']['data']['password'] }}{% endif %}",

                    "username": "{% if context.Variables['vault_response']['data']['username'] != '' %}********{% else %}{{ context.Variables['vault_response']['data']['username'] }}{% endif %}"

                }

            }

        </set-body>

    </when>

    <otherwise>

        <set-status code="@(context.Response.StatusCode)" reason="Bad Request" />

        <set-body>@(((IResponse)context.Variables["response"]).Body.As<JObject>(preserveContent: true).ToString())</set-body>

    </otherwise>

</choose>

</outbound>

This approach uses Liquid templating to dynamically mask sensitive data (password and username) in the response based on whether the fields are empty or not. This solution guarantees that sensitive values are hidden in the API response while preserving functionality and handling empty fields correctly.

Shireesha Eeraboina 1,315 Reputation points Microsoft Vendor

2025-01-23T10:00:16.34+00:00

Hi @Pothiraj, Saranya-ADM,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Pothiraj, Saranya-ADM 0 Reputation points

2025-01-23T23:49:12.8433333+00:00

Hi Shrieesha,

I have tried this, it returns ******** for password and username , It does mask the value instead it change the values as ******** if it not empty.

Not sure if really masking can be done in API policies.

API response:

{ "username": "#######", "password": "######" }

replace # with *. I doesnt' allow me to save * in comments

Response in ADO pipeline when write-host is done :

When i try to user these secrets to connect to DB it says :

ORA-01017: invalid username/password; logon denied

If i dont mask and directly pass the secrets, I can connect to DB successfully
Shireesha Eeraboina 1,315 Reputation points Microsoft Vendor

2025-01-29T14:14:38.88+00:00

Hi @Pothiraj, Saranya-ADM,

Just checking in to see if the information above was helpful. If you have any further updates on this issue, please feel free to post them here. Thank you.

1 answer

Shireesha Eeraboina 1,315 Reputation points Microsoft Vendor

2025-01-28T08:00:50.82+00:00
Hi @Pothiraj, Saranya-ADM,

We sincerely apologize for the delay in response and appreciate your patience.

I see. It looks like the masking is not working as expected and is replacing the actual values with asterisks instead of hiding them.

In that case, you can try using a custom policy to mask the values in the response. Here's an example policy that you can use:

<outbound> <base /> <choose> <when condition="@(context.Response.StatusCode == 200)"> <set-status code="200" reason="ok" /> <set-body template="liquid" > { "username": "{{context.Variables["vault_response"]["data"]["data"]["username"] | mask}}", "password": "{{context.Variables["vault_response"]["data"]["data"]["password"] | mask}}" } </set-body> </when> <otherwise> <set-status code="@(context.Response.StatusCode)" reason="Bad Request" /> <set-body>@(((IResponse)context.Variables["response"]).Body.As<JObject>(preserveContent: true).ToString())</set-body> </otherwise> </choose> </outbound>

This policy uses the Liquid template language to mask the values of the "username" and "password" fields in the response. The | mask filter will replace the actual values with asterisks.

Please note that this policy will only mask the values in the response and not in the pipeline script. You will still need to use the variable group feature to store the secrets and reference them in your pipeline script as I mentioned earlier.

I hope this helps! Let me know if you have any further questions or need additional assistance.
Please sign in to rate this answer.
Shireesha Eeraboina 1,315 Reputation points Microsoft Vendor

2025-01-30T01:20:13.68+00:00

Hi @Pothiraj, Saranya-ADM,

If you found the response helpful, please click Accept Answer and Yes for the provided answer. This will help other community members with similar issues find the solution more easily.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

APIM - set body return variable as secret

1 answer

Your answer