This documentation states that secret variables are

Not decrypted into environment variables. So scripts and programs run by your build steps are not given access by default.

One of my build tasks requires that an environment variable be set that is stored in a secret variable. Does this mean it's impossible to do this using secret variables in VSTS? If not, how do I do this?

For further background, I'm trying to code sign my electron app using electron-builder. It requires that two environment variables be set: CSC_LINK and CSC_KEY_PASSWORD. One of these is the password to a code signing certificate so needs to be kept secure.

Richard II
ajbeaven

3 Answers

Set Environment Variable

Use a Command Line task, like this:

(screenshot: VSTS Build - copy secret var to environment var)

target_environment_variable now contains the value of secret_variable.

Verify

Add a subsequent Command Line task that writes all environment variables to a disk file, like this (note: in the Arguments text box, write to a folder that both you and the build agent can access):

(screenshot: VSTS Build - write env vars to disk)

Queue the build definition, then view the file containing the environment variables:

(screenshot: VSTS Build - view file of env vars)

Richard II
  • Should this work if the environment variable name is the same as the secret variable name? So in your example above, if you changed 'TARGET_ENVIRONMENT_VARIABLE' to 'secret_variable', does it work for you? I have found that if I try to set an env variable that has the same name as the secret variable, the variable is not actually set. – briandunnington Jun 20 '19 at 22:47
  • @briandunnington, I haven't tried that variation, and am not in a position to try it ATM. However, I'm not surprised by the behavior you describe--pipeline processing code likely checks for this specific scenario and prevents it. If this were to work as you were hoping, downstream steps referencing the variable name wouldn't know whether the environment variable or the secret variable was intended. (Of course, they would have the same value right after your "task.setvariable" invocation, but nothing prevents modifying either of them individually during a later step.) – Richard II Jun 26 '19 at 13:46
  • Future (human) maintainers of the pipeline would also be affected by the ambiguity. – Richard II Jun 26 '19 at 13:47
  • 2
    I spelunked the KeyVault task source code and confirmed this behavior. The exact quote in the source code says "once a secret, always a secret" and it specifically wont allow a secret pipeline variable to be set as an environment variable. I just ended up writing a couple lines of Powershell to achieve what I needed, but glad to know the root cause. – briandunnington Jun 27 '19 at 21:31
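The same copy expressed in YAML, as an added example that is not part of the answer above or its comments (the answer's screenshots show the classic Command Line task). The variable names secret_variable and target_environment_variable come from the answer; the step layout, the isSecret flag and the verification step are this example's additions. The verification step is the check a practitioner would want instead of dumping every environment variable to a file, which writes the secret to disk in clear.

```yaml
# Added example, not from the original answer. Assumes a secret pipeline
# variable named secret_variable already exists on the build definition.
steps:
# Copy the secret into a second pipeline variable with a logging command.
# The agent expands $(secret_variable) in the script text before the shell
# runs it, so the value is spliced into the command line; the log masker
# hides it in the step output. isSecret=true keeps the copy marked secret:
# it stays masked and, like the original, is NOT placed in the environment
# of later steps. Drop isSecret and the copy becomes an ordinary variable
# that every later step receives as TARGET_ENVIRONMENT_VARIABLE, which is
# the behaviour the answer's screenshots rely on.
- bash: echo "##vso[task.setvariable variable=target_environment_variable;isSecret=true]$(secret_variable)"
  displayName: Copy secret into a new variable

# A later step that needs the value maps it explicitly through env:. This
# hands it to the process as an environment variable instead of rewriting
# the script text, so a secret containing quotes, $ or ; cannot change the
# command that runs. The check confirms the variable arrived without
# printing it: only its length goes to the log.
- bash: |
    if [ -z "$TARGET_ENVIRONMENT_VARIABLE" ]; then
      echo "##vso[task.logissue type=error]target_environment_variable was not mapped into the environment"
      exit 1
    fi
    echo "copy present (${#TARGET_ENVIRONMENT_VARIABLE} characters)"
  displayName: Verify without printing the value
  env:
    TARGET_ENVIRONMENT_VARIABLE: $(target_environment_variable)
```

Two different things carry the value here. In the first step the agent substitutes `$(secret_variable)` into the script before bash parses it, so the secret's characters become part of the command; in the second, `env:` passes it as a variable, which is the form to prefer for anything that reaches a shell. In both cases the masker only hides exact occurrences of the value in the log; a transformed copy (base64-encoded, split across lines, written to a file as the answer's Verify step does) is not masked.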
When using the YAML-syntax this can be achieved too:

steps:
- script: |
    echo %MYSECRET%
  env:
    MySecret: $(Secret_Variable)
Francis Dean
Lars Bilke
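A fuller pipeline for the code-signing case in the question, as an added example that is not from the answer above. It assumes two secret variables named csc_link and csc_key_password exist on the pipeline (defined on the Variables page or in a variable group); CSC_LINK and CSC_KEY_PASSWORD are the environment variable names electron-builder reads. What it adds beyond the answer is scope: the `env:` mapping applies to the one step it is written on, so it belongs on the signing step only and the dependency install, which runs third-party package scripts, never sees the certificate or its password.

```yaml
# Added example, not from the original answer. Secret variables csc_link and
# csc_key_password are assumed to exist on the pipeline; CSC_LINK and
# CSC_KEY_PASSWORD are the variables electron-builder expects.
steps:
# Dependency installation executes lifecycle scripts from every package in
# the tree. It gets no env: mapping, so nothing it runs can read the
# certificate or the password, and the agent does not expose secrets to it
# by default.
- script: npm ci
  displayName: Install dependencies

# Only the signing step receives the secrets, and only as environment
# variables of this one process tree. The agent masks both values in the
# log, but the step should still never echo them. On a Windows agent
# script: runs cmd.exe, where the variables are read as %CSC_LINK% and
# %CSC_KEY_PASSWORD%; on Linux and macOS it runs bash.
- script: npx electron-builder --publish never
  displayName: Build and sign
  env:
    CSC_LINK: $(csc_link)
    CSC_KEY_PASSWORD: $(csc_key_password)

# Steps after the signing step run without the secrets in their environment
# again; nothing has to be cleaned up.
- script: ls dist
  displayName: List artifacts
```

Answer 2's `echo %MYSECRET%` works for demonstrating the mapping because the log masker replaces the value with `***`, but it is the pattern to avoid in a real signing step: print the variable's presence or length if you need to confirm the mapping, never its content.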
You can supply variables to pass to tasks in the Variables page of the build definition:

(screenshot of the Variables page)

Then they can be passed in to a task as an input like so:

(screenshot of the task input)

ajbeaven
  • This doesn't answer the original question of how to put the value of a secret variable into an *Environment* variable. *This* answer really just describes the standard way to reference *any* variable (secret or not) in a VSTS task parameter. – Richard II Oct 25 '19 at 13:37