1

I'd like to be able to allow a user to enter the value of a variable (e.g. Password) at run time. I looked at the Pre-Deployment Approval setting and Manual Intervention task, but can't figure out how to achieve this.

Our Ops team doesn't want us to save the Production server password in the Release Definition, even if it's masked/encrypted.

Thanks, Angie

AngieM
  • 735
  • 6
  • 27
  • Can you describe what kind of variable you want to enter at run-time?, just on the surface, this seems like a anti-pattern to automation. – raterus Jan 12 '18 at 14:31
  • Password to a Production server. The Ops team doesn't want us to store the Production server password in the Release Definition (yes, even if it's masked). It's not entirely anti-pattern, since we obviously have a task called "Manual Intervention" that allows the automation flow to be paused and looked at by "someone." I would like for that "someone" to be able to enter the value of that variable as well. – AngieM Jan 12 '18 at 14:37
  • Perhaps you could store the password in Azure KeyVault, then use "variable groups" in your release definition that can link to KeyVault entries. Personally that seems much more secure and automated than requiring an individual to hunt down a password each release, and paste it in somewhere, but I'll give your original question an answer here in a minute. – raterus Jan 12 '18 at 16:15

1 Answers1

2

I don't think this is going to be possible, and provide the security your Ops team desires. VSTS is a cloud-based system, so somewhere in the release definition, that parameter, however you choose to provide it, is going to be persisted in the logs somewhere.

Variable Groups that are linked to Azure KeyVault are the best answer I know of here. The password is safely stored in KeyVault, and never gets saved in the release definition.

Other options are to use Draft Releases, and the ability to edit tasks/parameters/etc. before you kick the release off, but with my first point, that is going to be logged.

raterus
  • 1,980
  • 20
  • 23
  • I found another thread that asks for this feature as well: https://stackoverflow.com/questions/39987514/interactive-variables-for-release-management?rq=1 (not Password, but the same desire to be able to change a variable's value interactively). Sounds like it's not technically possible at this time, but hopefully in the future. – AngieM Jan 12 '18 at 20:14