Use hidden / secret variables in commands #388

Closed
MiguelAlho opened this Issue Aug 11, 2015 · 13 comments

@MiguelAlho

Do secret / hidden variables defined at the build level get excluded from calls to commands, if they are a part of that command, in TFS?

For instance, in order to tag the repo with the version number, I'm trying to do the following:

git push https://${env:tagUser}:${env:tagPass}@${env:tagUrl} $versionString

in a PowerShell script. The three env: variables are defined as build variables. tagPass is the only one that is hidden. tagUser and tagUrl get substituted in the command; tagPass may or may not - the logged error message excludes the text (as expected). The command fails only if tagPass is marked as hidden. If I save it as unhidden, the push works correctly.

My thought here is that since it is a call to a command (something that may interact with stdout), the variable value is stripped from the command, and authentication fails because of that. Is my assumption correct, and if so, any recommended workarounds?

@bryanmacfarlane

bryanmacfarlane Aug 11, 2015

Member

Does
$(tagUser)@$(tagPass)... work?
Note: our vars are replaced with parens and no env:


@bryanmacfarlane

bryanmacfarlane Aug 11, 2015

Member

@(var) should get replaced on all inputs including secrets


@chrisrpatterson

chrisrpatterson Aug 11, 2015

Member

You need to use $(tagUser) not ${env:tagUser}


@MiguelAlho

MiguelAlho Aug 11, 2015

With:

 git push https://$(tagUser):$(tagPass)@$(tagRepoUrl) ...

I get a bunch of errors, such as:

tagUser : The term 'tagUser' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Same if I use the @(tagPass) syntax:
CategoryInfo : ObjectNotFound: (tagPass:String) [], CommandNotFoundException

Note, in the step, I'm not passing the params / args to the script, but trying to load them from the variables list.


@MiguelAlho

MiguelAlho Aug 11, 2015

After I had posted the issue, I went down a different path that seems to work (I did test your suggestions though).

What worked for me:

Set local variables with the arguments passed to the script:

[string]$tagUser = $args[0]
[string]$tagPass = $args[1]
[string]$tagRepoUrl = $args[2]

and use the local vars in the script:

git push https://${tagUser}:${tagPass}@${tagRepoUrl} $GitVersionJson.MajorMinorPatch --porcelain

this actually works and the log message has the password replaced with *'s


@chrisrpatterson

chrisrpatterson Aug 11, 2015

Member

I see you are trying to use variables in your script; I missed that somehow. The variable replacement we do is on the inputs on the tasks; we don't parse the scripts. To use secret variables you will have to take those as inputs into your script, as we explicitly do not populate those into the environment. Other variables you should be able to reference as normal environment variables if you want.

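As an added example (not code from this thread or from the TFS project), here is a script that follows the pattern described above: the secret reaches the script as a task-input argument, which the agent substitutes before the script starts, rather than through the environment, where a hidden variable is never placed. It assumes a PowerShell build step whose Arguments field is `$(tagUser) $(tagPass) $(tagRepoUrl) $(versionString)`; the variable names, the script name and the `Push-VersionTag` function are my own.

```powershell
# Added example: tag-and-push.ps1 (hypothetical name), run by a PowerShell build step
# whose Arguments field is:
#   $(tagUser) $(tagPass) $(tagRepoUrl) $(versionString)
# The agent replaces $(...) in task inputs, secrets included, before the script starts.
# Reading ${env:tagPass} instead would yield an empty value, because hidden variables
# are deliberately not populated into the process environment.
param(
    # Mandatory: an empty secret (the symptom of reading a hidden variable from env:)
    # fails parameter binding here instead of failing with a 401 at the remote.
    [Parameter(Mandatory = $true)][string]$TagUser,
    [Parameter(Mandatory = $true)][string]$TagPass,
    [Parameter(Mandatory = $true)][string]$TagRepoUrl,   # host and path only, e.g. host/org/repo.git
    [Parameter(Mandatory = $true)][string]$Version
)

function Push-VersionTag {
    param([string]$User, [string]$Secret, [string]$RepoUrl, [string]$Tag)

    # URL-encode user and secret so characters such as '@' or ':' cannot break the URL.
    $encUser   = [uri]::EscapeDataString($User)
    $encSecret = [uri]::EscapeDataString($Secret)
    $pushUrl   = "https://${encUser}:${encSecret}@${RepoUrl}"

    # Do not echo $pushUrl: the agent masks the literal secret value in the log, and an
    # encoded form may not match that mask. Log only the non-sensitive parts.
    Write-Host "Pushing tag $Tag to $RepoUrl as $User"

    # Create the tag locally (fails if it already exists), then push only that ref.
    & git tag $Tag
    if ($LASTEXITCODE -ne 0) { throw "git tag failed with exit code $LASTEXITCODE" }

    & git push $pushUrl $Tag --porcelain
    if ($LASTEXITCODE -ne 0) { throw "git push failed with exit code $LASTEXITCODE" }
}

Push-VersionTag -User $TagUser -Secret $TagPass -RepoUrl $TagRepoUrl -Tag $Version
```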

@MiguelAlho

MiguelAlho Aug 11, 2015

Thanks guys! I think this might be worth including in some future documentation, since it isn't clear (and to a powershell noob like myself, tough to discover).

@dennisroche

dennisroche Jan 14, 2016

@MiguelAlho

If using PowerShell, you can access secret variables using the Get-TaskVariable function from the Microsoft.TeamFoundation.DistributedTask.Task.Internal module.

Example:

Import-Module "Microsoft.TeamFoundation.DistributedTask.Task.Internal"

$username = Get-TaskVariable -Context $distributedTaskContext -Name "ApiUsername"
$password = Get-TaskVariable -Context $distributedTaskContext -Name "ApiPassword"

$cred = New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString -String $password -AsPlainText -Force))

The ApiPassword is marked as secret in the build definition and will be logged to the console as *******.


@chrisrpatterson

chrisrpatterson Jan 14, 2016

Member

That will only work from a task; it will not work from an arbitrary PowerShell script.


@carlosrfernandez

carlosrfernandez Jun 8, 2016

@chrisrpatterson can you expand on your last comment?

I'm actually creating a build task, and upon executing the associated Powershell script, I'm getting this
Cannot bind argument to parameter 'Context' because it is null.

Thanks


@tuespetre

tuespetre Jun 8, 2016

@carlosrfernandez ask on StackOverflow or get on the AspNetCore Slack (I created a #vsts-tfs channel in there.) I will be glad to help.

@carlosrfernandez

carlosrfernandez Jun 9, 2016

@tuespetre Thanks, I've joined the Slack team.

In the end I've solved the issue by reading up on the new SDK documentation.

I can get access to the secret variable using this:
$sourcesDirectory = Get-VstsTaskVariable -Name "Build.SourcesDirectory"

