Script Console Suggestion - Run on Octopus Server Option

The Script Console has been great for testing scripts on behalf of targets before adding them into the process. In Project -> Process -> “Run a Script” step we currently have the option to run scripts on the Octopus Server, Octopus Server on behalf of roles, and Deployment targets. It would be great to have the same options in the Script Console for testing. Otherwise, it’s hard to test the scripts from Octopus itself, especially for the “Run a Script” step’s Execution Plan option “Octopus Server on behalf of roles”.

Hi @DG,

Thanks for getting in touch! You are correct: you cannot target a Script Console script directly at the Octopus Server. We closed this down to close the potential for unwanted access to your Octopus Server.

Since that time we have done a lot of work to provide a better security model for running scripts on your Octopus Server. I’ll add some links at the end of this post.

Next steps
I recommend taking the following steps to achieve what you want, and improve the security of your Octopus Server:

  1. Start using a Worker instead of your Octopus Server. You can do this by installing a Tentacle agent on your Octopus Server machine and registering it as a worker. An alternative approach with even better security and scalability is to install a Tentacle agent on another machine entirely and use that as your worker. https://octopus.com/docs/infrastructure/workers
  2. Test your script steps on the Worker. Now that you have redirected this workload from your Octopus Server to a worker, you can select that worker in the Script Console.

Learn more
Here are some links which may help:

Hope that helps!
Mike

Ok, this sounds like it will help. Question, does a worker execute scripts under the same context as the Octopus Server? I’m assuming that since it will be registered as a Worker that scripts run on the worker will execute differently than scripts run on a Listening Tentacle machine used in deployments?

Hi @DG,

Thanks for keeping in touch!

> does a worker execute scripts under the same context as the Octopus Server?

It depends on what you mean by “the same context”. You have a few options where you can make the worker equivalent to Octopus Server:

  1. Install the Tentacle agent on the same computer as Octopus Server, and set it to run as the same User Account as the Octopus Server. This will give you the best match for execution context. The upside is your scripts will execute on the same computer, with the same source IP address, using the same security principal. The downside is that worker can do anything the Octopus Server can do, including access sensitive configuration information and the Octopus Server’s database.
  2. Install the Tentacle agent on the same computer as Octopus Server, and set it to run as a different User Account. This is a nice hybrid approach where the script will execute in a similar context, but you can control which resources the worker can access.
  3. Install the Tentacle agent on a different computer to Octopus Server, and set it to run as a different User Account. This has the absolutely best security profile.

Apart from location and security principal, there should be no difference between how scripts run on the Octopus Server or a Worker.

Hope that helps!
Mike
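
A check for which of the three options above a given worker machine matches, as an added example that is not part of the thread or Octopus's own tooling. It assumes the Windows service names start with "OctopusDeploy" for the server and "OctopusDeploy Tentacle" for the Tentacle; adjust the patterns if your instances are named differently.

```powershell
# Added example. Run on the machine hosting the worker Tentacle.
# Assumption: server service name starts with "OctopusDeploy", Tentacle service
# name starts with "OctopusDeploy Tentacle" (named instances carry a suffix).

function Resolve-AccountName([string]$Name) {
    # ".\svc" and "HOST\svc" are the same local account; compare case-insensitively.
    if (-not $Name) { return '' }
    ($Name -replace '^\.\\', "$env:COMPUTERNAME\").ToLowerInvariant()
}

function Get-WorkerIsolation {
    param([object[]]$Services)

    $tentacles = $Services | Where-Object { $_.Name -like 'OctopusDeploy Tentacle*' }
    $server    = $Services |
        Where-Object { $_.Name -like 'OctopusDeploy*' -and $_.Name -notlike 'OctopusDeploy Tentacle*' } |
        Select-Object -First 1

    foreach ($t in $tentacles) {
        $account = Resolve-AccountName $t.StartName
        $finding = if (-not $server) {
            'No Octopus Server service on this host: separate machine (option 3)'
        } elseif ($account -eq (Resolve-AccountName $server.StartName)) {
            'Same machine, same account as Octopus Server (option 1): scripts can reach server configuration and database'
        } elseif ($account -eq 'localsystem') {
            'Same machine, runs as LocalSystem: different account but unrestricted local access'
        } else {
            'Same machine, different account (option 2): review what this account can access'
        }
        [pscustomobject]@{ Service = $t.Name; Account = $t.StartName; Finding = $finding }
    }
}

# StartName is the account the Service Control Manager launches the service under.
$live = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'OctopusDeploy%'"
Get-WorkerIsolation -Services $live | Format-Table -AutoSize -Wrap
```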

Perfect, thank you!
