Variable scope / verbose task log issue (Octopus version :

While setting up a deployment we are able to automatically retrieve passwords from a password management tool.

The following way has worked for us and reduced a manual password entry step from an operations standpoint.

Step 1: We retrieve the password from the password management tool and we set an octopus variable using Set-OctopusVariable -name "AppAccountPassword" -value $pass  
       (step name : Get Password, machine role :  octopus-server) to set up an octopus variable.

Step 2: In our password usage step we use the following line to get the password set in Step 1 to hand it to a deployment command (schtasks or identity impersonate).
    $runAsPassword = $OctopusParameters["Octopus.Action[Get Password].Output[Octopus Server].AppAccountPassword"]

Although this works, the verbose logging in the deployment step ends up displaying the AppAccountPassword variable. We tried setting OctopusPrintVariables and OctopusPrintEvaluatedVariables to “false” at the project variable level and also at the Get-Password step level

Set-OctopusVariable -name "OctopusPrintVariables " -value $false

neither of these approaches disabled the view of the password in the task log level.

We also created a project level variable AppAccountPassword and marked it sensitive but it doesn’t seem that this variable is the same as the one defined in the first step.

We have temporarily taken away the “TaskLogView” permissions from every role except for the OctopusAdministrator so no one can see the Task Log tab. But we are hoping there is a better solution that you could provide us?

Thanks so much! (Sorry for the long post!)

Hi Mani,

Thanks for getting in touch. Unfortunately this wont be possible using Set-OctopusVariable as this command does not support sensitive variables. When you pass down a value to Set-OctopusVariable, you do it as plain text, and there’s currently no way to tell the command to treat that value as sensitive.

What you could do is use a powershell script that uses the Octopus API to create a variable. Though i’m not 100% sure the value wont show up anywhere on your log when you import it from your password mgmt tool.

This gist will help you creating a sensitive variable for a project

Pay special attention to line 38 to set the variable as sensitive

Hope that helps!


Just ran into this post while looking for a solution to an identical problem.
Would be great to add a -Sensitive flag to the Set-OctopusVariable command.

Hi Asaf,

I’ve created a uservoice suggestion for this

Please drop by and add some votes to is if you’d like to see it implemented in the future