Certificate Project Variable access denied to tenanted deployment

I have a project variable that is of type certificate. I scope the certificate value to specific machines for their usage. If I execute an untenanted deployment of this project then I have no issues; however, if I attempt to do a tenanted deployment of this project, I get an error that the tenant I am deploying to does not have access to the certificate from other tenants (in the same environment). However, the deployment shouldn’t be utilizing the certificate for the machine not in the tenant I am attempting to deploy to.

This means that every deployment with this project variable has to be untenanted and always deploy to every tenant/machine. So in the case where I would need to update the certificate for a single machine, every machine in that environment has to have the project redeployed to it.

Is this the intended behavior for Certificate variables+objects in Octopus Deploy?
I would prefer not to have to associate certificates to tenants where machines would not be using them, and that cross-over feels inappropriate due to the fact they are not in fact intended for the tenant not using it.
There is no option to associate a certificate object with just a machine either; environment and tenant are the only associations possible.

Hi there - thanks for reaching out!

I have a project variable that is of type certificate. I scope the certificate value to specific machines for their usage. If I execute an untenanted deployment of this project then I have no issues; however, if I attempt to do a tenanted deployment of this project, I get an error that the tenant I am deploying to does not have access to the certificate from other tenants (in the same environment). However, the deployment shouldn’t be utilizing the certificate for the machine not in the tenant I am attempting to deploy to.

Just like targets, certificates have to be associated with a tenant if you want to use them in a tenanted deployment. The deployment will use the certificate based on the variable scoping (machine in your case). The association just allows the certificate to be used in deployments for that tenant.

This is similar to the tenant association on the target or on an account in infrastructure.

I would prefer not to have to associate certificates to tenants where machines would not be using them, and that cross-over feels inappropriate due to the fact they are not in fact intended for the tenant not using it.

I don’t follow this completely. Can you expand on this a little more?

There is no option to associate a certificate object with just a machine either; environment and tenant are the only associations possible.

The association with a machine would happen through the tenant + environment association. The certificate selection happens through the variable scoping.

I hope that helps. Let me know if you need any more information.

Best,
Ryan

  • Given I have Project A which uses a certificate from a project variable, with 3 Tenants (Tenant A, Tenant B, Tenant C) across 2 environments (Testing [Tenant A] and Production [Tenant B and Tenant C]). The project variable has values associated to individual targets (Target A, Target B, Target C), and those targets only rely on their respective Tenant: A = A, B = B, C = C.
    • I would expect that if I deployed the project to Tenant A (tenanted deployment) in Testing I would get no error; this is true.
    • I would expect that if I deployed the project to Tenant B (tenanted deployment) in Production I would get no error; this is not true.
      • The project release will not allow deployment, showing an error that Tenant B does not have access to the certificate for Tenant C.
      • I can get around this by associating the certificate for Tenant C to Tenant B. Additionally, I can get around this by never doing a tenanted deployment to the Production environment.

Since the deployment to Tenant A in the Testing environment works, I assume there is some implicit scoping to remove the Production environment certificate values for Tenant B and Tenant C. However, in the case of deploying to Tenant B (tenanted) in the Production environment, the deployment isn’t excluding values scoped to machines not in that deployment. So even though Target C is not in the deployment for this project, the deployment is still attempting to access the value for that machine (which is a certificate associated with its Tenant) and not letting me proceed.
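To make the two readings of the scoping rules concrete, here is an added pre-flight model (example code for this thread, not Octopus Deploy's own code or algorithm) that encodes the rules Ryan states above (a certificate must be associated with the tenant and environment of a tenanted deployment; the value actually used is picked by the variable's scope) and the scenario Kevin lays out (Tenants A/B/C, Targets A/B/C, Testing and Production). The `check_only_in_scope_values` switch is an assumption: `True` models the behaviour Kevin expects (only values scoped to targets in the deployment are checked), `False` models the behaviour he reports (every value scoped to a machine in the environment is checked). All tenant, target and certificate names are constructed for the example.

```python
"""Pre-flight check for tenant access to certificate-typed variable values.

Added example for this thread; it is NOT Octopus Deploy code and the two
modes below are assumptions modelled from the discussion, not the product's
internal algorithm. Sample data is constructed to mirror Kevin's scenario.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    name: str
    environments: frozenset  # environments the certificate is associated with
    tenants: frozenset       # tenants the certificate is associated with


@dataclass(frozen=True)
class Machine:
    name: str
    environment: str
    tenants: frozenset


@dataclass(frozen=True)
class VariableValue:
    certificate: str   # name of the certificate this value points at
    machines: frozenset  # machine scoping of the value


# Constructed scenario: one tenant per environment/target, one cert per tenant.
CERTS = {
    "cert-a": Certificate("cert-a", frozenset({"Testing"}), frozenset({"Tenant A"})),
    "cert-b": Certificate("cert-b", frozenset({"Production"}), frozenset({"Tenant B"})),
    "cert-c": Certificate("cert-c", frozenset({"Production"}), frozenset({"Tenant C"})),
}
MACHINES = {
    "Target A": Machine("Target A", "Testing", frozenset({"Tenant A"})),
    "Target B": Machine("Target B", "Production", frozenset({"Tenant B"})),
    "Target C": Machine("Target C", "Production", frozenset({"Tenant C"})),
}
VALUES = [
    VariableValue("cert-a", frozenset({"Target A"})),
    VariableValue("cert-b", frozenset({"Target B"})),
    VariableValue("cert-c", frozenset({"Target C"})),
]


def targets_for_deployment(machines, environment, tenant):
    """Targets a tenanted deployment would actually touch."""
    return {m.name for m in machines.values()
            if m.environment == environment and tenant in m.tenants}


def candidate_values(values, machines, environment, tenant, check_only_in_scope_values):
    """Values whose tenant access gets checked, under one of the two modelled modes."""
    if check_only_in_scope_values:
        in_scope = targets_for_deployment(machines, environment, tenant)
    else:
        # Reported behaviour: every machine in the environment, regardless of tenant.
        in_scope = {m.name for m in machines.values() if m.environment == environment}
    return [v for v in values if v.machines & in_scope]


def preflight(certs, machines, values, environment, tenant,
              check_only_in_scope_values=True):
    """Return (certificate, tenant) pairs that would fail the tenant-access check.

    An empty list means the tenanted deployment would proceed under this model.
    """
    problems = []
    for value in candidate_values(values, machines, environment, tenant,
                                  check_only_in_scope_values):
        cert = certs[value.certificate]
        if environment not in cert.environments or tenant not in cert.tenants:
            problems.append((cert.name, tenant))
    return problems


def with_workaround(certs):
    """Kevin's workaround: also associate Tenant C's certificate with Tenant B."""
    patched = dict(certs)
    c = certs["cert-c"]
    patched["cert-c"] = Certificate(c.name, c.environments, c.tenants | {"Tenant B"})
    return patched


if __name__ == "__main__":
    for env, tenant in (("Testing", "Tenant A"), ("Production", "Tenant B")):
        for mode in (True, False):
            print(env, tenant, "in-scope-only" if mode else "whole-environment",
                  preflight(CERTS, MACHINES, VALUES, env, tenant, mode))
```

Run as a script it prints the outcome of each deployment under both modes; the only combination that reports a problem is Production / Tenant B in whole-environment mode, which is exactly the error Kevin describes, and applying `with_workaround` clears it at the cost of giving Tenant B access to a certificate it never uses.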

Would you be willing to have a call to discuss? It would help to see the configuration and error in a live setting.

If so, you can schedule a call with this link: https://a.goodtime.io/w/octopus-deploy/ryan.rousseau/advisory-call

Best,
Ryan

I can get a test platform set up to be able to display what I am seeing; I will get a time scheduled soon for evaluation.

Sounds good. Talk to you soon!

Hi Kevin,

I’ve created an issue based on your report: https://github.com/OctopusDeploy/Issues/issues/6666

You can follow it to get updates on any new information or fixes.

Best,
Ryan
