tfstfs-2017

Can I store TFS 2017 password for multiple build definitions in an encrypted file


In TFS 2015 we used Machine groups and weren't required to enter a Admin Login and Password for the "Powershell on Target Machines" task.

We are now using tfs 2017 and do not want to define the Admin Login and Password in every build definition since we have numerous. How can you overcome this? I was thinking about using a txt file with a SecureString password and in the build definition read it in, decrypt it and assign it to the Build definition variable


Solution

  • Use variable groups. Create a variable group for your shared secrets, then link the variable group to any build or release definitions that need access to the secrets. Going a step further, you could store the secrets in Azure KeyVault to provide a single source of truth for secrets.

    Storing secrets in source control using reversible encryption is just obfuscation, and from a security standpoint is only slightly better than storing it in plaintext.