While setting up a deployment we are able to automatically retrieve passwords from a password management tool.
The following way has worked for us and reduced a manual password entry step from an operations standpoint.
Step 1: We retrieve the password from the password management tool and we set an octopus variable using Set-OctopusVariable -name "AppAccountPassword" -value $pass (step name : Get Password, machine role : octopus-server) to set up an octopus variable. Step 2: In our password usage step we use the following line to get the password set in Step 1 to hand it to a deployment command (schtasks or identity impersonate). $runAsPassword = $OctopusParameters["Octopus.Action[Get Password].Output[Octopus Server].AppAccountPassword"]
Although this works, the verbose logging in the deployment step ends up displaying the AppAccountPassword variable. We tried setting OctopusPrintVariables and OctopusPrintEvaluatedVariables to “false” at the project variable level and also at the Get-Password step level
Set-OctopusVariable -name "OctopusPrintVariables " -value $false
neither of these approaches disabled the view of the password in the task log level.
We also created a project level variable AppAccountPassword and marked it sensitive but it doesn’t seem that this variable is the same as the one defined in the first step.
We have temporarily taken away the “TaskLogView” permissions from every role except for the OctopusAdministrator so no one can see the Task Log tab. But we are hoping there is a better solution that you could provide us?
Thanks so much! (Sorry for the long post!)