0

In TFS 2015 we used Machine groups and weren't required to enter a Admin Login and Password for the "Powershell on Target Machines" task.

We are now using tfs 2017 and do not want to define the Admin Login and Password in every build definition since we have numerous. How can you overcome this? I was thinking about using a txt file with a SecureString password and in the build definition read it in, decrypt it and assign it to the Build definition variable

Machavity
  • 30,841
  • 27
  • 92
  • 100
Anthony
  • 536
  • 1
  • 8
  • 27

1 Answers1

3

Use variable groups. Create a variable group for your shared secrets, then link the variable group to any build or release definitions that need access to the secrets. Going a step further, you could store the secrets in Azure KeyVault to provide a single source of truth for secrets.

Storing secrets in source control using reversible encryption is just obfuscation, and from a security standpoint is only slightly better than storing it in plaintext.

Daniel Mann
  • 57,011
  • 13
  • 100
  • 120
  • From what I see in that post, This is specific to a project. Is there any way to create these groups at the highest level so all team build definitions have access to them? We have 10 projects under our collection. I would have to change this password in 10 places instead of 1. – Anthony Sep 07 '18 at 16:03
  • You could use Azure KeyVault: https://learn.microsoft.com/en-us/vsts/pipelines/library/variable-groups?view=vsts#link-secrets-from-an-azure-key-vault-as-variables – Daniel Mann Sep 07 '18 at 16:05
  • On-Prem instance of TFS – Anthony Sep 07 '18 at 16:06
  • 1
    @Anthony Ah, right. That hasn't made its way on-prem yet. No, there's no variable group equivalent at the Team Project Collection level. Each team project has its own variable groups. – Daniel Mann Sep 07 '18 at 16:09