Script Template not receiving parameter

I have a Powershell script that runs a command line utility. One of the parameters to the command line utility is a password.

So in my script template, I created a parameter for the password. Initially I created the parameter as sensitive, but then changed it to not sensitive.

When the command line utility executes, it gets an error indicating the password is incorrect. So I added a “Write-Host $variableName” to the script and it outputs ‘********’ This variable is no longer sensitive but it still outputs the asterisks.

Since this is a script template, I deleted the step and re-added thinking it wasn’t getting the updated script, but it still fails.

My suspicion is the ******** or some other value is passed to the command line utility.

Any suggestions on how I can debug or fix this?

Hi Mike,

After you updated your Step Template, did you update it in your Project? If you edit that step in your Project’s Deployment Process, it will show a notification if you haven’t. You will also be able to tell by whether the field has updated to be a simple text box rather than a password control.

Assuming you have, in your Project are you binding the value of that field to a Project Variable which is sensitive? i.e. is the value in the text box something like #{password}? If so, this will also cause it to be masked in the logs.

That masking you are seeing only happens when Octopus is writing sensitive-variables to the logs. It won’t be passing the stars to your executable. But what can cause issues are special characters in the password. In these cases, you must be careful how you handle the variable values in PowerShell.

For example, if your password variable value is pa$$word, then

Write-Host #{password}

will not work. You would need to do

Write-Host '#{password}'

One thing you could do is to use PowerShell to write the value of the variable into a file. This would allow you to see the actual value being supplied.

Please let me know if this helps. If not, we can certainly dig further.

Regards,
Michael

Michael,

Thanks for the reply.

Yes, I did update the template in the project.

The parameter did reference a variable, but it wasn’t sensitive (however it was at one time). I removed this reference on the parameter and typed the actual value in with the same result. There are special characters, but I am enclosing them in quotes like you show.

I also noticed if the script created a variable with the same name as a variable in the project, strange things occurred. I went through the script and made sure the variable names used in the script did not match the variable names in the project. I was hoping there was a way to turn off this behavior.

Thanks,
Mike

That does seem odd.

The log masking works on the value of variables. So if you have any sensitive variables with a value that matches a value being written into the logs, it will be masked. This can occassionally lead to over-eager masking, as described here. Is it possible this is occurring in your situation?

There are variables you can set which cause all your variables to be written to the log. Sensitive-values will still be masked, but this can assist with debugging.

Otherwise, perhaps write the value to a file as I suggested? There is no way to disable the log masking (for obvious reasons).

If you want to attach the relevant values printed as a result of setting those debug variables above, I would be happy to take a look in case I can see something (feel free to mark this conversation as private if it contains anything you would rather not have widely available).

Michael,

I finally found the problem. The project had a variable set that had a variable that was marked sensitive with the same value.

Apparently, your masking logic looks for any occurrence of a sensitive variable’s value and masks it, regardless of where the value came from.

Thanks for your help.
Mike