Offline Package Drop and Sensitive Variables password

We are trying to implement some automation where we can create offline package drops through an Terraform / Ansible / Azure Devops Pipelines CI/CD process. So far we’ve been able to accomplish everything we need by using the REST API and can create the target and tenant etc, but we can’t seem to be able to set the sensitive encryption password through the API. Is there something we need to do different or is there another mechanism, like the command cli or octopus task etc, to set this without someone physically going into the Octopus portal and setting it manually?

We also put most of our secrets into Azure Keyvault so is it possible to maybe store it there and pull it when we initiate a package build somehow?

Hi Matt,
Thanks for reaching out.

I wasn’t sure from your query exactly how you needed to use the sensitive encryption password, but I can say that we do support Azure Key vault, and we have a specific library step for that feature.

In fact my colleague wrote an excellent blog post last year on this step and it has lots of useful info:

Perhaps this will be enough to get you up and running but if not, would you be able to explain a bit more about your process and we can see if we can help you.

Kind Regards,

So essentially what I’m trying to accomplish is automating our octopus tenant and tentacle creation process. We are using terraform and Ansible to create virtual machines in Azure and we have PowerShell scripts that create the listening tentacles or offline deployment targets using the REST API. We can create the offline drop targets, but we can’t seem to be able to POST the sensitive value password through the API. This means that when we try to initiate a deployment to that target it will fail because the password isn’t set and can’t process the sensitive variables in our tenant variables. What I’m looking for is either a way to set that sensitive variable password on the target through the API or other method or if we could store that password in Az Keyvault and pull it when we initiate the deployment.

Hi Matt,
Sorry for the delay in getting back to you.

Our team did some testing with an API script to update your machine sensitive encrypted variable scenario and we can see its possible to do that via an API PS script. I’ve posted it here with only some variables updated, but importantly the SensitiveVariablesEncryptionPassword field.

This should be enough of a template to help you POST your encrypted variable to the target. However for complexity reasons we can’t provide a complete solution.

You will need to modify to insert your own machine name, machine policy, API key, Server URL and encrypted password to send. You can verify some of these values using the swaggerui as well as using the web portal and inspecting the payload in Dev tools.

I will also briefly mention that we have DSC to create Tentacles from scratch and might save you some work:

Let me know how you get on.

$ErrorActionPreference = "Stop";
# Define working variables
$octopusURL = "http://your.octopus.server"
$header = @{ "X-Octopus-ApiKey" = $octopusAPIKey }
$spaceName = "Default"
$myPassword = "test"
# Get space
$spaces = Invoke-RestMethod -Uri "$octopusURL/api/spaces?partialName=$([uri]::EscapeDataString($spaceName))&skip=0&take=100" -Headers $header
$space = $spaces.Items | Where-Object { $_.Name -eq $spaceName }
# Define Offline Machine with json payload
$jsonPayload = @{
    MachinePolicyId = "MachinePolicies-1"
    Name = "Test4"
    IsDisabled = 'false'
    HealthStatus = "Unknown"
    HasLatestCalamari = 'true'
    Endpoint = @{
        CommunicationStyle = "OfflineDrop"
        Name = ""
        Destination = @{
            DestinationType = "Artifact"
        SensitiveVariablesEncryptionPassword = @{
            HasValue = 'true'
            NewValue = $myPassword
        ApplicationsDirectory = "test"
        OctopusWorkingDirectory = "test"
    TenantedDeploymentParticipation = "Untenanted"
    Roles = @("offline")
    EnvironmentIds = @("Environments-1")
    TenantIds = @()
    TenantTags = @()
# Create Machine
Invoke-RestMethod -Method POST -Uri "$octopusURL/api/$($space.Id)/machines" -Body ($jsonPayload | ConvertTo-Json -Depth 10) -Headers $header -ContentType "application/json"

I was doing the exact same PS script but when I was passing the SensitiveVariablesEncryptionPassword in the POST, I was passing it as a simple string type. Thanks.

1 Like

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.