Variable scope / verbose task log issue (Octopus version : 2.6.4.951)

anantharaman · 9 June 2015 14:13

While setting up a deployment we are able to automatically retrieve passwords from a password management tool.

The following way has worked for us and reduced a manual password entry step from an operations standpoint.

Step 1: We retrieve the password from the password management tool and we set an octopus variable using Set-OctopusVariable -name "AppAccountPassword" -value $pass  
       (step name : Get Password, machine role :  octopus-server) to set up an octopus variable.

Step 2: In our password usage step we use the following line to get the password set in Step 1 to hand it to a deployment command (schtasks or identity impersonate).
    $runAsPassword = $OctopusParameters["Octopus.Action[Get Password].Output[Octopus Server].AppAccountPassword"]

Although this works, the verbose logging in the deployment step ends up displaying the AppAccountPassword variable. We tried setting OctopusPrintVariables and OctopusPrintEvaluatedVariables to “false” at the project variable level and also at the Get-Password step level

Set-OctopusVariable -name "OctopusPrintVariables " -value $false

neither of these approaches disabled the view of the password in the task log level.

We also created a project level variable AppAccountPassword and marked it sensitive but it doesn’t seem that this variable is the same as the one defined in the first step.

We have temporarily taken away the “TaskLogView” permissions from every role except for the OctopusAdministrator so no one can see the Task Log tab. But we are hoping there is a better solution that you could provide us?

Thanks so much! (Sorry for the long post!)
Mani

Dalmiro · 9 June 2015 19:26

Hi Mani,

Thanks for getting in touch. Unfortunately this wont be possible using Set-OctopusVariable as this command does not support sensitive variables. When you pass down a value to Set-OctopusVariable, you do it as plain text, and there’s currently no way to tell the command to treat that value as sensitive.

What you could do is use a powershell script that uses the Octopus API to create a variable. Though i’m not 100% sure the value wont show up anywhere on your log when you import it from your password mgmt tool.

This gist will help you creating a sensitive variable for a project

gist.github.com

https://gist.github.com/Dalmirog/89626e8fd7833ed8de09

CreateOctopusVariable.ps1

#Config
$OctopusURL = "" #Octopus URL
 
$APIKey = "" #Octopus APIKey
 
$projectname = "" #Name of the project
 
$Name = "" #Name of the variable
 
$Value = "" #Value of the variable

This file has been truncated. show original

Pay special attention to line 38 to set the variable as sensitive

Hope that helps!

Dalmiro

Asaf · 19 November 2015 12:04

Just ran into this post while looking for a solution to an identical problem.
Would be great to add a -Sensitive flag to the Set-OctopusVariable command.

Dalmiro · 20 November 2015 13:23

Hi Asaf,

I’ve created a uservoice suggestion for this http://octopusdeploy.uservoice.com/forums/170787-general/suggestions/10792413-add-sensitive-switch-to-set-octopusparameter

Please drop by and add some votes to is if you’d like to see it implemented in the future

Dalmiro