This post will, if for nothing else, encourage teams to seriously consider using KeyVault for storing secrets that you want to use in a build (this walkthrough is a good guide.) Despite the fact that despite that they are encrypted, it is possible to get the value of a secret variable with one simple trick. This means it is very important who has permissions to edit your pipelines.

So, how do we go about getting the value of a secret parameter? I have here a secret variable: variable tab

I have here, one line of PowerShell: step details

And finally, I have here the value of the secret variable printed out into the logs. exposed_password in build output

And for anyone else wondering, this trick also works in Bamboo. I don’t know if it works in other build/release tools, but yes it is in VSTS/Azure DevOps and it is in TFS/Azure DevOps Server as well.