How are Azure Devops service connections secure?

Question

Currently, I audit the security of Azure Devops service connections: How secure are the credentials stored in the service connection?

Example in case is the TwineAuthenticate Task. It will pull the credentials from the service connection pythonUploadServiceConnection and writes them to a PyPI resource file.

Or does it?

Inspection of this file (edit)

- script: |
    cat $(PYPIRC_PATH)

shows user and password have values of ***, which are not the credentials provided by the service connection.

So what magic is going on when twine reads the PyPI resource file? Is this safe or just obfuscated?

Answer 1

Azure DevOps mask you secret as far as it is aware of the variable nature. This article is about github action but you may apply the same rules for Azure DevOps.

And please take a look here in docs

We make an effort to mask secrets from appearing in Azure Pipelines output, but you still need to take precautions. Never echo secrets as output. Some operating systems log command line arguments. Never pass secrets on the command line. Instead, we suggest that you map your secrets into environment variables.

We never mask substrings of secrets. If, for example, "abc123" is set as a secret, "abc" isn't masked from the logs. This is to avoid masking secrets at too granular of a level, making the logs unreadable. For this reason, secrets should not contain structured data. If, for example, "{ "foo": "bar" }" is set as a secret, "bar" isn't masked from the logs.