Azure cli shows some of SecureString parameters in plain text

[pengxo]

Describe the bug
Input parameters of type @secured in bicep template are accepted, but some of the secure string are displayed in plain text in the logs.

To Reproduce

• Define a bicep template for e.g. Azure Container App with secured parameters. For example:

  @secure()
  param storePassword string
  @secure()
  param clientSecret string
   ...

• Deploy the template with Azure CLI:

  az deployment group create \
    -g my-resource-group \
    -n my-container-app \
    --template-file my-container-app.bicep \
    --parameters storePassword=$STORE_PASSWORD\
    --parameters clientSecret=$CLIENT_SECRET \
    ...
   --debug

• Then some of the secured parameters such as clientSecret are displayed in the logs.
  DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', '-g', 'my-resource-group', '-n', 'my-container-app', '--template-file', 'my-container-app.bicep', '--parameters', 'storePassword=[MASKED]', '--parameters', 'clientSecret=plain text of secret','--debug']

Expected behavior
All secured string should be masked as follows:
DEBUG: cli.knack.cli: Command arguments: ['deployment', 'group', 'create', '-g', 'my-resource-group', '-n', 'my-container-app', '--template-file', 'my-container-app.bicep', '--parameters', 'storePassword=[MASKED]', '--parameters', 'clientSecret=[MASKED]','--debug']

Environment summary
Azure CLI version 2.42.0 and 2.44.1

Additional context
The values of variables such as $STORE_PASSWORD or $CLIENT_SECRET come from gitlab ci/cd variables or from azure through azure cli. The plain text of secured string can also be displayed in other log statements such as:

DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: {"properties" .....

[yonzhan]

@zhoxing-ms for awareness

[pengxo]

Hi @zhoxing-ms, Are there any updates about this issue? Do you need further information?

[pengxo]

Hi @zhoxing-ms , I just found that there is a small difference between version 2.42.0 and 2.44.1. For parameter values comming from azure cli (i.e. the value is retrieved from our azure environment through Azure CLI), it will always be displayed in plain text though the parameter is defined as a @secure() string. For parameter values from our Gitlab CI/CD variables, it occurs only in the version 2.42.0.

Are there any further update regarding this?

[pengxo]

The masking, which is displayed as [MASKED] should be enabled from Gitlab CI/CD variables. Despite this the value of secured string/object should not be displayed in the logs according to the documentation here:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/data-types#secure-strings-and-objects

Thank you for your feedback. This has been routed to the support team for assistance.