0

I use a TFS 2015 instance (it will be soon decommissioned). In a release definition I need to use some sensitive data (credentials). As of now I tried setting the secrets as in this guide but this is a feature supported only from TFS 2018 on. In fact, in TFS 2015 I cannot see the "Environment variables" section that is needed to decrypt the "locked" configurations.

What are the possible options here to have a per-project set of encrypted sensitive data that I can then retrieve and use in the release scripts? Is there any credential manager (like the one in Jenkins) in TFS 2015?

Improve this question

1 Answer 1

Reset to default
0
Answer recommended by CI/CD Collective

Each pipeline has a list of variables. Each variable has a little 🔒 icon you can click to keep the value secret. In 2015 I don't think there's a Variable Library option yet, if I remember correctly that was added in a later version.

Here's the official docs that describe setting a variable in Team Foundation Server 2015.

You can set a variable for a build pipeline by following these steps:

  1. Go to the Pipelines page, select the appropriate pipeline, and then select Edit.
  2. Locate the Variables for this pipeline.
  3. Add or update the variable.
  4. To mark the variable as secret, select Keep this value secret.
  5. Save the pipeline.

After the variable is set, you can use it as an input to a task or within the scripts in your pipeline. To use a variable as an input to a task, wrap it in $().

If you wrap your script in a custom task, you can use a "Service Connection" to store the secret and select it from a task.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Yes, I already tested the "locks". In the "Configuration" tab of the release definition I created a "mysecret" variable with a "test" value and locked it with the lock icon. Then in the release I added a Powershell task with this code write-output "Variable: $(mysecret)" but it outputs variable: ********. So it seems that TFS 2015 is not decrypting the locked variables
The values are redacted from the logs to prevent accidental disclosure. If you pass the value into a file or set an environment variable or pass it as an argument to a script/executable it should work.
Ok I tried assigning it to an environment variable $env:MyVar = "$(secretconf)"; write-output "variable: $env:MyVar" Same output: variable: ********
Update: as @jessehouwing told, the variable is correctly assigned also if the write-output shows only asterisks. Thanks. you saved my day :)
If you want to output the variable to the console, you can reverse it or base 64 encode it. or ROT13. Or basically any other method of temporarily mutating the variable in a way that can later be reversed.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.