Azure Data Factory, SecureString parameter printed out in plain text in debug monitoring logs

Question

Azure Data Factory, SecureString parameter printed out in plain text in debug monitoring logs

Agelin, Jakob 21

I have a Web Activity with secure input/output set to true.

I have an Execute Pipeline Activity that references a pipeline with a secureString parameter.

I provide this @activity('get_token').output.value as the secureString parameter value inside the Execute Pipeline Activity.

In the logs, I can see the token printed out in plain text. Is this a feature, or a bug?

User's image

Snag_c5407c9

Snag_c541cc8

Michael John Pena 165 Reputation points MVP

2024-01-05T11:26:44.3366667+00:00

Are you using Git mode? I had an experience in the past where the secured value turns to plain text when retrieving from keyvault.

https://stackoverflow.com/questions/61597810/how-to-parameterize-securestring-pipeline-parameter-in-azure-data-factory-so-it
Agelin, Jakob 21 Reputation points

2024-01-05T11:55:31.0033333+00:00

Yes, git mode. Are you saying that if I could provide a dummy default value, it would work, but git mode prevents any default values from being stored?
Agelin, Jakob 21 Reputation points

2024-01-05T13:00:55.83+00:00

It's just not reasonable to me that I can set the output of an activity to secure, redacting it, then using that output as an input parameter set to securestring, but the input is printed out in plain text when debugging.
AnnuKumari-MSFT 34,561 Reputation points Microsoft Employee Moderator

2024-01-08T05:27:01.3033333+00:00

Hi Agelin, Jakob ,

Thankyou for raising your query on Microsoft Q&A platform . I have taken your query forward to the internal team . I will keep you posted once I hear back from them. Thankyou
AnnuKumari-MSFT 34,561 Reputation points Microsoft Employee Moderator

2024-02-22T09:10:44.9666667+00:00

Hi Agelin, Jakob ,

Below is the response from the internal team

"If passing securestring, recommendation is to set secure input/ output in all activities that are referring to the parameter. That's the very reason of secure input/ output in downstream activities.

The current observation is by design and is not a bug. User otherwise will not be able to see the value passed through the web activity which may be needed for debugging if the need be. "

Hope it helps. Thanks

Your answer

Michael John Pena 165 Reputation points MVP

2024-01-05T11:26:44.3366667+00:00

Are you using Git mode? I had an experience in the past where the secured value turns to plain text when retrieving from keyvault.

https://stackoverflow.com/questions/61597810/how-to-parameterize-securestring-pipeline-parameter-in-azure-data-factory-so-it
Agelin, Jakob 21 Reputation points

2024-01-05T11:55:31.0033333+00:00

Yes, git mode. Are you saying that if I could provide a dummy default value, it would work, but git mode prevents any default values from being stored?
Agelin, Jakob 21 Reputation points

2024-01-05T13:00:55.83+00:00

It's just not reasonable to me that I can set the output of an activity to secure, redacting it, then using that output as an input parameter set to securestring, but the input is printed out in plain text when debugging.
AnnuKumari-MSFT 34,561 Reputation points Microsoft Employee Moderator

2024-01-08T05:27:01.3033333+00:00

Hi Agelin, Jakob ,

Thankyou for raising your query on Microsoft Q&A platform . I have taken your query forward to the internal team . I will keep you posted once I hear back from them. Thankyou
AnnuKumari-MSFT 34,561 Reputation points Microsoft Employee Moderator

2024-02-22T09:10:44.9666667+00:00

Hi Agelin, Jakob ,

Below is the response from the internal team

"If passing securestring, recommendation is to set secure input/ output in all activities that are referring to the parameter. That's the very reason of secure input/ output in downstream activities.

The current observation is by design and is not a bug. User otherwise will not be able to see the value passed through the web activity which may be needed for debugging if the need be. "

Hope it helps. Thanks

Share via

Azure Data Factory, SecureString parameter printed out in plain text in debug monitoring logs

Your answer