Correct way to use secret variable in PowerShell script - powershell

What is the correct way to use a secret variable in a PowerShell script? It may be a pipeline variable, a variable group one, or a variable brought in from an Azure Key Vault task.
I have seen in the documentation that it cannot be used in the same way as a normal (non-secret) variable. It says "Instead, we suggest that you map your secrets into environment variables." and "You need to explicitly map secret variables."
I have used an environment variable and it works. Are there other ways to do it? This blog says you can use it directly in the script, which seems to contradict the MS document.
This one passes the variable as an argument or parameter to the scripts. Does anyone know what is actually going on behind the scenes?

have seen in the documentation that it cannot be used in the same way as a normal (non-secret) variable. It says "Instead, we suggest that you map your secrets into environment variables." and "You need to explicitly map secret variables."
The doc is misunderstood, it's not saying the secret variables cannot be used in the same way as a normal variable, instead, it says it's not suggested to pass secrets on the command line directly since some operating systems log command line arguments which could cause information leakage as mentioned, and it's suggested to map your secrets into environment variables.
This blog says you can use it directly in the script, which seems to contradict the MS document.
As mentioned above, the secrets can be used directly in the script although it's not suggested, so they are not contradictory.
You can also check the example in the MSDN doc:
steps:
- powershell: |
# Using an input-macro:
Write-Host "This works: $(mySecret)"
# Using the env var directly:
Write-Host "This does not work: $env:MYSECRET"
# Using the mapped env var:
Write-Host "This works: $env:MY_MAPPED_ENV_VAR" # Recommended
env:
MY_MAPPED_ENV_VAR: $(mySecret)
and you will see in the first line of the powershell script, the secret variable is used directly in the command.
In conclusion, i suggest we should follow the MSDN doc, map your secrets into environment variables and then use them.

Related

There does not seem to be a good substitute for core.exportVariable in github-script right now

Every time we use core.exportVariable which, as far as I know, is the canonical way to export a variable in #action/core and, consequently, in github-script, you get an error such as this one:
Warning: The set-env command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
That link leads to an explanation of environment files, which, well, are files. Problem is files do not seem to have such a great support in github-script. There's the #actions/io package, but there's no way to create a file with that.
So is there something I'm missing, or there is effectively no way to create an environment file form inside a github-script step?
You no longer need the actions/github-script nor any other special API to export an environment variable. According to the Environment Files documentation, you can simply write to the $GITHUB_ENV file directly from the workflow step like this:
steps:
- name: Set environment variable
run: echo "{name}={value}" >> $GITHUB_ENV
The step will expose given environment variable to subsequent steps in the currently executing workflow job.

How to set secret environment variable with logging commands in TFS Release

I'm passing a secret Release Task Variable to a PowerShell script and trying to set that value as an environment variable using logging commands so I can use it in other tasks in the same Release. I'm able to do this with a non-secret variable, but not with a secret one.
So, the following is working (I can see it using ls env: and also use it to connect to a tfs instance as a Personal Access Token) when PAT is a non-secret variable:
Inline Script Arguments: -token "$(PAT)"
Param(
[string]$token
)
Write-Host "##vso[task.setvariable variable=API_TOKEN;]$token"
I can only use the environment variable set above if I use it in a subsequent powershell task - it's not available within the task where PAT is passed.
But the following does not seem to be working when PAT is a secret variable:
Inline Script Arguments: -token "$(PAT)"
Param(
[string]$token
)
Write-Host "##vso[task.setvariable variable=API_TOKEN;issecret=true]$token"
(Note: I also tried changing API_TOKEN to something else like MYTOKEN, in case API_TOKEN is reserved, but still don't see MYTOKEN var at all if I do ls env: in a subsequent PowerShell task.)
How can I set an environment variable to a secret value passed from a Release Task, for use by that task or by other tasks in the Release? In other words, when or how can I access the environment variable set by the above-referenced logging commands with issecret=true? (I'm not actually sure I'm setting it properly, since I can't see it, but I assume I am since the non-secret version works.)
Not sure if it matters, but I have ticked the box in the release definition that says "Allow scripts to access OAuth token".
Update
There is more information here, but it's very confusing. I couldn't figure out how to set and access a secret environment variable - I suspect they are not actually environment variables, but in that case I don't understand why the logging commands are needed at all, since we can already pass secret variables to scripts. I was able to workaround by passing the secret variable from the Release Task directly to the PowerShell script, and then from there to other scripts, instead of trying to set/access the value as an environment variable.
Actually the logging command also works for secret variables (what you tried should work). As the logging command usage mentions:
When issecret is set to true, the value of the variable will be saved
as secret and masked out from log. Secret variables are not passed
into tasks as environment variables and must be passed as inputs.
You can use the script echo $(API_TOKEN) instead of ls env: (since secret variables are not showing by the command ls env:), then you will get ********.
And for the use of the secret variable $(API_TOKEN) in your following release tasks, the value should be passed as inputs (as the usage mentions).
There is no way to set a secret environment variable using the mentioned logging commands.

TFS2015 Release Management Powershell DSC Variable Use

I am using TFS2015 Release Management and Powershell DSC to manage the deployment of applications - previously I was using RM2013.
One thing I have noticed is that in RM2013, in my Powershell DSC scripts I was able to access variables such as $applicationPath - which was populated with the TFS Build Drop location, for use in the DSC scripts and MOF creation.
In RM2015 it doesn't appear that this works? I have tried using the variables listed here: https://msdn.microsoft.com/en-us/Library/vs/alm/Build/scripts/variables
However none of these ever seem to be populated?
Is there actually a way of using these RM2015 system & build variables from within a PS DSC script now?
Kind regards
Try to use the corresponding generated environment variables (for example $env:Build.DefinitionName).
If it not work try more ways such as $env:Build_DefinitionName or $(Build.BuildNumber) and $(Build_BuildNumber)
Just as the relevant documentation mentioned:
Any text input can reference a variable by using the $(variable_name)
syntax and will be substituted with the actual value at run-time. All
variables are also exported to the environment as upppercase and any .
are replaced with _. In scripts you can reference variables via the
environment, i.e. %VARIABLE_NAME%, $VARIABLE_NAME, $env:VARIABLE_NAME,
depeding on the operating system.

Read Octopus variables

I am new to octopus and have a bunch of steps. For each steps we have "Machine Roles".
As part of the steps I have a script tasks/step and I wish to access the roles assigned to this step in the (powershell) script. How can I achieve this.
I tried a few things, i.e. Octopus.Machine.Roles, Octopus.Tentacle.CurrentDeployment.TargetedRoles in the (powershell) script. But does not see anything.
As found in this example, if you have a variable in Octopus, you can access it using the variable name, prefixed with a $ in PowerShell, so for a variable TestUrl use:
$TestUrl
For Octopus Parameters, you use the following:
$OctopusParameters['Octopus.Machine.Roles']
This should give you access to all the system variables.

What is the environment variable name in PowerShell for MSBuildExtensionsPath

I've been looking everywhere to see which is the environment variable for the MSBuildExtensionsPath that I have in my TFS project file. How do I access this environment variable in PowerShell?
EDIT:
Out of the ones listed here, I am not sure which one I use.
The way you access env vars in PowerShell is:
$env:TF_BUILD_BINARIESDIRECTORY
That said, I don't see via your link an env var that corresponds to the MSBuild built-in variable MSBuildExtensionsPath. Why don't you pass that variable value into your PowerShell script as a parameter?