
I use a TFS 2015 instance (it will soon be decommissioned). In a release definition I need to use some sensitive data (credentials). So far I have tried setting the secrets as in this guide, but this is a feature supported only from TFS 2018 on. In fact, in TFS 2015 I cannot see the "Environment variables" section that is needed to decrypt the "locked" configurations.

What are the possible options here to have a per-project set of encrypted sensitive data that I can then retrieve and use in the release scripts? Is there any credential manager (like the one in Jenkins) in TFS 2015?

jessehouwing
gvdm

1 Answer


Each pipeline has a list of variables. Each variable has a little icon you can click to keep the value secret. In 2015 I don't think there's a Variable Library option yet; if I remember correctly, that was added in a later version.

Here are the official docs that describe setting a variable in Team Foundation Server 2015.

You can set a variable for a build pipeline by following these steps:

  1. Go to the Pipelines page, select the appropriate pipeline, and then select Edit.
  2. Locate the Variables for this pipeline.
  3. Add or update the variable.
  4. To mark the variable as secret, select Keep this value secret.
  5. Save the pipeline.

After the variable is set, you can use it as an input to a task or within the scripts in your pipeline. To use a variable as an input to a task, wrap it in $().

If you wrap your script in a custom task, you can use a "Service Connection" to store the secret and select it from a task.

jessehouwing
  • Yes, I already tested the "locks". In the "Configuration" tab of the release definition I created a "mysecret" variable with a "test" value and locked it with the lock icon. Then in the release I added a PowerShell task with this code `write-output "Variable: $(mysecret)"` but it outputs `variable: ********`. So it seems that TFS 2015 is not decrypting the locked variables – gvdm Jul 04 '23 at 11:10
  • The values are redacted from the logs to prevent accidental disclosure. If you pass the value into a file or set an environment variable or pass it as an argument to a script/executable it should work. – jessehouwing Jul 04 '23 at 11:38
  • OK, I tried assigning it to an environment variable `$env:MyVar = "$(secretconf)"; write-output "variable: $env:MyVar"`. Same output: `variable: ********` – gvdm Jul 04 '23 at 12:02
  • Update: as @jessehouwing said, the variable is correctly assigned even if the write-output shows only asterisks. Thanks, you saved my day :) – gvdm Jul 04 '23 at 12:21
  • If you want to output the variable to the console, you can reverse it, Base64-encode it, or ROT13 it. Or basically any other method of temporarily mutating the variable in a way that can later be reversed. – Daniel Mann Jul 04 '23 at 13:52
  • For TFS2015, that will certainly work. For later versions, the agent will detect a few common transformations out of the box and mask those too. – jessehouwing Jul 04 '23 at 14:11
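
Added example, not part of the original thread or of the TFS documentation: a release script that receives the locked variable as an argument, as the comments describe, and confirms it arrived without writing the value to the log. The file name, parameter names and account name are assumptions, as is the check for a variable name that arrives unexpanded as literal `$(...)` text.

```powershell
# Use-ReleaseSecret.ps1 (hypothetical file name) - added example.
# Assumed "Arguments" field of the PowerShell task in the release definition:
#   -UserName "svc-deploy" -Secret "$(mysecret)"
# TFS substitutes $(mysecret) before the script starts; the log still shows ********.
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [Parameter(Mandatory = $true)][string]$Secret
)

$ErrorActionPreference = 'Stop'

# Assumption: a misspelled or undefined variable arrives as the literal macro text,
# so treat an empty value or a "$(...)" literal as "not substituted".
if ([string]::IsNullOrWhiteSpace($Secret) -or $Secret -match '^\$\(.+\)$') {
    throw "The secret variable was not substituted. Check its name in the release definition."
}

# Confirm receipt without printing the value. Log masking only redacts exact
# matches, so the length is the only thing written out here.
$length = $Secret.Length
Write-Output "Secret received for '$UserName' ($length characters)."

# Convert to a credential object so later commands take -Credential
# instead of a plain-text password.
$secure     = ConvertTo-SecureString -String $Secret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($UserName, $secure)

# Drop the plain-text copy from the script scope once the credential exists.
Remove-Variable -Name Secret

# Sanity check: the credential holds a value of the same length as the one received.
if ($credential.GetNetworkCredential().Password.Length -ne $length) {
    throw "Credential does not match the value that was passed in."
}

# From here on, pass $credential to whatever the release step needs,
# for example a cmdlet that accepts a -Credential parameter.
Write-Output "Credential object ready for user '$($credential.UserName)'."
```

Arguments passed this way are part of the process command line on the agent machine, so the agent host should be treated as holding the secret for the duration of the release.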