Use Azure CLI to manage sensitive information
When you manage Azure resources, the output of an Azure CLI command might expose sensitive information that must be protected. For example, keys, passwords and connection strings can be created by Azure CLI commands and displayed in a terminal window. The output for some commands can also be stored in log files, This is often the case when working with GitHub actions and other DevOps runners.
It's critical to protect this information! If acquired publicly from environments with lesser permissions, the exposure of secrets can cause serious damage and lead to a loss of trust in your company's products and services. To help you to protect sensitive information, the Azure CLI detects secrets in the output of some reference commands, and displays a warning message when a secret is identified.
Set secrets warning configuration
Beginning in Azure CLI 2.61, a warning message is displayed when reference commands result in the output of sensitive information.
Sensitive information warnings are enabled by default. Turn sensitive information warnings off by setting the clients.show_secrets_warning
configuration property to no
.
az config set clients.show_secrets_warning=no
Considerations
The purpose of the warning message is to decrease the unintentional exposure of secrets, but these messages might require you to make changes in existing scripts.
Important
The new warning messages are sent to Standard Error (STDERR), not Standard Out (STDOUT). Therefore, if you are running an Azure CLI command that results in sensitive information output, you might need to trap for the warning message, or turn warnings off.
For example, in Azure DevOps Services pipelines, if the failOnStderr
parameter is set to True
of the Bash v3 task, the warning message halts the pipeline. Consider enabling the show_secrets_warning
message to identify if any secrets are exposed in your pipelines, and then take remediation actions.