azure-devopsrelease-managementms-release-managementazure-pipelines-release-pipeline

VSTS Release Variables Enter Value at Run Time


I'd like to be able to allow a user to enter the value of a variable (e.g. Password) at run time. I looked at the Pre-Deployment Approval setting and Manual Intervention task, but can't figure out how to achieve this.

Our Ops team doesn't want us to save the Production server password in the Release Definition, even if it's masked/encrypted.

Thanks, Angie


Solution

  • I don't think this is going to be possible, and provide the security your Ops team desires. VSTS is a cloud-based system, so somewhere in the release definition, that parameter, however you choose to provide it, is going to be persisted in the logs somewhere.

    Variable Groups that are linked to Azure KeyVault are the best answer I know of here. The password is safely stored in KeyVault, and never gets saved in the release definition.

    Other options are to use Draft Releases, and the ability to edit tasks/parameters/etc. before you kick the release off, but with my first point, that is going to be logged.