az debug commands leak user provided password (x-ms-secret fields) #20959

@nascarsayan

Describe the bug

az commands run with the debug flag display the password in the terminal. My assumption is that the logger az uses, knack.cli, cannot distinguish secrets from other string inputs.

Currently there is no way to mask the user-provided secret value (marked as x-ms-secret in the swagger) while developing az extensions.

To Reproduce

An example is
az vm create --debug -g snaskar-rg --image UbuntuLTS -n test-vm-01 --admin-password Open-Secret-1

An example involving an az extension:

az scvmm vmmserver connect --debug -g snaskar-rg -l eastus2euap -cl '/subscriptions/204898ee-cd13-4332-b9d4-55ca5c25496d/resourcegroups/snaskar-rg/providers/microsoft.extendedlocation/customlocations/arcvmm-1201-cl' --fqdn '10.10.10.10' --username 'host\user' --password 'Open-Secret-1' -n arcvmm-1201-vmmserver

Expected behavior

Open-Secret-1 should not be displayed in the debug logs. This will be helpful if the user wants to share the logs for debugging any issues, and also if the user is running the command while sharing his screen.

Environment summary

Additional context

The complete logs can be found here.
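
One way to keep a user-supplied secret out of debug output, as an added example that is not code from Azure CLI or knack: a Python logging filter that masks the values passed to secret options wherever they appear in a record. The option list, the helper names and the two log lines are assumptions constructed for illustration.

```python
import logging
import re

# Assumption: hypothetical list of secret option names (stand-ins for x-ms-secret parameters).
SECRET_OPTIONS = {"--password", "--admin-password"}
MASK = "*****"

def secret_values(args, secret_options=SECRET_OPTIONS):
    """Collect the literal values given for secret options in an argv list."""
    values = set()
    for i, arg in enumerate(args):
        name, sep, value = arg.partition("=")
        if name in secret_options:
            if sep:                      # --password=value
                values.add(value)
            elif i + 1 < len(args):      # --password value
                values.add(args[i + 1])
    return values - {""}

class SecretRedactingFilter(logging.Filter):
    """Mask known secret values in each record before a handler emits it."""
    def __init__(self, secrets):
        super().__init__()
        # Longest first, so a secret that contains another is masked whole.
        ordered = sorted(secrets, key=len, reverse=True)
        self._pattern = re.compile("|".join(map(re.escape, ordered))) if ordered else None

    def filter(self, record):
        if self._pattern:
            # Format first: the secret may arrive through record.args.
            record.msg = self._pattern.sub(MASK, record.getMessage())
            record.args = None
        return True

def demo():
    """Log two constructed debug lines through a handler that has the filter."""
    argv = ["vm", "create", "--debug", "--admin-password", "Open-Secret-1"]
    captured = []
    handler = logging.Handler()
    handler.emit = lambda record: captured.append(record.getMessage())
    # On the handler, not the logger: logger filters skip child-logger records.
    handler.addFilter(SecretRedactingFilter(secret_values(argv)))
    log = logging.getLogger("redaction-demo")
    log.setLevel(logging.DEBUG)
    log.addHandler(handler)
    log.debug("Command arguments: %s", argv)
    log.debug('Request body: {"adminPassword": "%s"}', "Open-Secret-1")
    log.removeHandler(handler)
    return captured
```

Masking by value rather than by position also covers lines where the secret reappears later, such as a logged request body.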
