Auto deploy doesn't use current AWS Account Credentials

(ben.byers) #1

We use the AWS Account feature of Octopus to store the api/key secret for accessing AWS resources. However we are required to rotate those values periodically. That works smoothly for new and manual deployments of existing releases. When the release deploys it always grabs the current key/secret. There is no need to update the release’s variable snapshot. (all this is good)

However, when an auto deploy for an existing release is triggered it does NOT retrieve the current AWS key/secret values. This is a significant problem for our AWS projects that have autoscaling enabled. The only work around we’ve found is to redeploy all releases that use the AWS variable (and have triggers) after rotating the keys. We don’t have to create a new release, but we do have to manually deploy to each environment.

Is there a workaround to this that we’re missing and if not can the auto deploy process be updated (or at least have the option) to use the current account keys. I fully understand that, by design, the auto deploy always uses the variable snapshot it was deployed with (and that makes a degree of sense), but this seems like a special use case. FWIW I think there should be a way to explicitly update the auto deploy variable snapshot, but that’s a fight for another day.

(Dane Falvo) #3

Hi Ben,

Thank you for bringing this to our attention. I have raised it with some of the engineers here.

What you are describing is the currently implemented solution. A deploy that is triggered, will use the snapshotted variables that were created at the time the release was created. As you say, it kind of makes sense, however, it is not likely that you would ever want to use a snapshotted version of an account connection, especially one with an old key.

Presently, the workaround that you’ve described is one solution. The other solution is an auto-deploy override.

The good news is, your ticket has been immortalized within our bug reports.

Feel free to keep an eye on the ticket for updates however, because your ticket is linked - if the bug gets fixed, we will let you know.