VSTS secret variables are actually secret or not?












0















VSTS build definition has the option to create a secret variable. How secret is that variable? Is it safe to store the user credentials which is specific to a set of users? Can other users (who are not authorized to do it) can decrypt that variable?



I came across this article.



Assuming users have build modification access then is it possible to decrypt the variable?






azure-devops azure-pipelines azure-pipelines-build-task







share|improve this question





























    0















    VSTS build definition has the option to create a secret variable. How secret is that variable? Is it safe to store the user credentials which is specific to a set of users? Can other users (who are not authorized to do it) can decrypt that variable?



    I came across this article.



    Assuming users have build modification access then is it possible to decrypt the variable?






    azure-devops azure-pipelines azure-pipelines-build-task







    share|improve this question



























      0












      0








      0








      VSTS build definition has the option to create a secret variable. How secret is that variable? Is it safe to store the user credentials which is specific to a set of users? Can other users (who are not authorized to do it) can decrypt that variable?



      I came across this article.



      Assuming users have build modification access then is it possible to decrypt the variable?






      azure-devops azure-pipelines azure-pipelines-build-task







      share|improve this question
















      VSTS build definition has the option to create a secret variable. How secret is that variable? Is it safe to store the user credentials which is specific to a set of users? Can other users (who are not authorized to do it) can decrypt that variable?



      I came across this article.



      Assuming users have build modification access then is it possible to decrypt the variable?






      azure-devops azure-pipelines azure-pipelines-build-task




      azure-devops azure-pipelines azure-pipelines-build-task






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 23 '18 at 14:29









      jessehouwing

      67.7k9163237




      67.7k9163237










      asked Nov 23 '18 at 11:54









      Atul SurekaAtul Sureka

      1,06532243




      1,06532243
























          1 Answer
          1






          active

          oldest

          votes


















          2














          Variables stored are as secure as the agent that runs the build and the integrity of your build definition.



          Like you said, if a user can modify the Build Definition and has access to the secret they can pass it to a PowerShell or a Curl task etc. Or if the user can take control over a Build Task's script they can iterate all available secrets (build tasks are considered trusted by the Build System).



          Consider that everyone who has write-access over the work directories of the agent can access all secrets that are available to the Build Definitions that execute on the build agent. They can change the scripts used by Build Tasks and thus gain the same level of trust. Any build that runs after this change and until a new version of the task is pushed to the agent will be compromised in this scenario. In theory can every build definition "infect" the _tasks folder of the agent as well. Best way to protect against this is to use the Hosted Pool or to regularly reset your agent's VMs.



          YAML build definitions combined with Pull-Requests give you more control over the Change/approval process of build definitions.



          Using a Variable Library you can reduce the number of people who can add secret variables to their Build Definition.



          You must secure the Agent Pools and the Variable Libraries/Build Definitions in such ways that only limited and trusted users can access these resources. Optionally use single-use passwords that expire after a short time or temporarily grant these permissions.



          Remember that all changes to Build Definitions and Variable Libraries and Scripts in the Git Repository are tracked.



          The alternate ways to get access to the secrets do not apply to Azure DevOps as none have access to the Application Tier in Azure and access is strictly monitored by Microsoft.






          share|improve this answer


























          • For more security use something like Azure Key Vault docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/…

            – Colin B
            Nov 23 '18 at 18:32






          • 1





            Once retrieved from keyvault they're equally vulnerable.

            – jessehouwing
            Nov 23 '18 at 18:33











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53446247%2fvsts-secret-variables-are-actually-secret-or-not%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          2














          Variables stored are as secure as the agent that runs the build and the integrity of your build definition.



          Like you said, if a user can modify the Build Definition and has access to the secret they can pass it to a PowerShell or a Curl task etc. Or if the user can take control over a Build Task's script they can iterate all available secrets (build tasks are considered trusted by the Build System).



          Consider that everyone who has write-access over the work directories of the agent can access all secrets that are available to the Build Definitions that execute on the build agent. They can change the scripts used by Build Tasks and thus gain the same level of trust. Any build that runs after this change and until a new version of the task is pushed to the agent will be compromised in this scenario. In theory can every build definition "infect" the _tasks folder of the agent as well. Best way to protect against this is to use the Hosted Pool or to regularly reset your agent's VMs.



          YAML build definitions combined with Pull-Requests give you more control over the Change/approval process of build definitions.



          Using a Variable Library you can reduce the number of people who can add secret variables to their Build Definition.



          You must secure the Agent Pools and the Variable Libraries/Build Definitions in such ways that only limited and trusted users can access these resources. Optionally use single-use passwords that expire after a short time or temporarily grant these permissions.



          Remember that all changes to Build Definitions and Variable Libraries and Scripts in the Git Repository are tracked.



          The alternate ways to get access to the secrets do not apply to Azure DevOps as none have access to the Application Tier in Azure and access is strictly monitored by Microsoft.






          share|improve this answer


























          • For more security use something like Azure Key Vault docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/…

            – Colin B
            Nov 23 '18 at 18:32






          • 1





            Once retrieved from keyvault they're equally vulnerable.

            – jessehouwing
            Nov 23 '18 at 18:33
















          2














          Variables stored are as secure as the agent that runs the build and the integrity of your build definition.



          Like you said, if a user can modify the Build Definition and has access to the secret they can pass it to a PowerShell or a Curl task etc. Or if the user can take control over a Build Task's script they can iterate all available secrets (build tasks are considered trusted by the Build System).



          Consider that everyone who has write-access over the work directories of the agent can access all secrets that are available to the Build Definitions that execute on the build agent. They can change the scripts used by Build Tasks and thus gain the same level of trust. Any build that runs after this change and until a new version of the task is pushed to the agent will be compromised in this scenario. In theory can every build definition "infect" the _tasks folder of the agent as well. Best way to protect against this is to use the Hosted Pool or to regularly reset your agent's VMs.



          YAML build definitions combined with Pull-Requests give you more control over the Change/approval process of build definitions.



          Using a Variable Library you can reduce the number of people who can add secret variables to their Build Definition.



          You must secure the Agent Pools and the Variable Libraries/Build Definitions in such ways that only limited and trusted users can access these resources. Optionally use single-use passwords that expire after a short time or temporarily grant these permissions.



          Remember that all changes to Build Definitions and Variable Libraries and Scripts in the Git Repository are tracked.



          The alternate ways to get access to the secrets do not apply to Azure DevOps as none have access to the Application Tier in Azure and access is strictly monitored by Microsoft.






          share|improve this answer


























          • For more security use something like Azure Key Vault docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/…

            – Colin B
            Nov 23 '18 at 18:32






          • 1





            Once retrieved from keyvault they're equally vulnerable.

            – jessehouwing
            Nov 23 '18 at 18:33














          2












          2








          2







          Variables stored are as secure as the agent that runs the build and the integrity of your build definition.



          Like you said, if a user can modify the Build Definition and has access to the secret they can pass it to a PowerShell or a Curl task etc. Or if the user can take control over a Build Task's script they can iterate all available secrets (build tasks are considered trusted by the Build System).



          Consider that everyone who has write-access over the work directories of the agent can access all secrets that are available to the Build Definitions that execute on the build agent. They can change the scripts used by Build Tasks and thus gain the same level of trust. Any build that runs after this change and until a new version of the task is pushed to the agent will be compromised in this scenario. In theory can every build definition "infect" the _tasks folder of the agent as well. Best way to protect against this is to use the Hosted Pool or to regularly reset your agent's VMs.



          YAML build definitions combined with Pull-Requests give you more control over the Change/approval process of build definitions.



          Using a Variable Library you can reduce the number of people who can add secret variables to their Build Definition.



          You must secure the Agent Pools and the Variable Libraries/Build Definitions in such ways that only limited and trusted users can access these resources. Optionally use single-use passwords that expire after a short time or temporarily grant these permissions.



          Remember that all changes to Build Definitions and Variable Libraries and Scripts in the Git Repository are tracked.



          The alternate ways to get access to the secrets do not apply to Azure DevOps as none have access to the Application Tier in Azure and access is strictly monitored by Microsoft.






          share|improve this answer















          Variables stored are as secure as the agent that runs the build and the integrity of your build definition.



          Like you said, if a user can modify the Build Definition and has access to the secret they can pass it to a PowerShell or a Curl task etc. Or if the user can take control over a Build Task's script they can iterate all available secrets (build tasks are considered trusted by the Build System).



          Consider that everyone who has write-access over the work directories of the agent can access all secrets that are available to the Build Definitions that execute on the build agent. They can change the scripts used by Build Tasks and thus gain the same level of trust. Any build that runs after this change and until a new version of the task is pushed to the agent will be compromised in this scenario. In theory can every build definition "infect" the _tasks folder of the agent as well. Best way to protect against this is to use the Hosted Pool or to regularly reset your agent's VMs.



          YAML build definitions combined with Pull-Requests give you more control over the Change/approval process of build definitions.



          Using a Variable Library you can reduce the number of people who can add secret variables to their Build Definition.



          You must secure the Agent Pools and the Variable Libraries/Build Definitions in such ways that only limited and trusted users can access these resources. Optionally use single-use passwords that expire after a short time or temporarily grant these permissions.



          Remember that all changes to Build Definitions and Variable Libraries and Scripts in the Git Repository are tracked.



          The alternate ways to get access to the secrets do not apply to Azure DevOps as none have access to the Application Tier in Azure and access is strictly monitored by Microsoft.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 23 '18 at 14:20

























          answered Nov 23 '18 at 13:44









          jessehouwingjessehouwing

          67.7k9163237




          67.7k9163237













          • For more security use something like Azure Key Vault docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/…

            – Colin B
            Nov 23 '18 at 18:32






          • 1





            Once retrieved from keyvault they're equally vulnerable.

            – jessehouwing
            Nov 23 '18 at 18:33



















          • For more security use something like Azure Key Vault docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/…

            – Colin B
            Nov 23 '18 at 18:32






          • 1





            Once retrieved from keyvault they're equally vulnerable.

            – jessehouwing
            Nov 23 '18 at 18:33

















          For more security use something like Azure Key Vault docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/…

          – Colin B
          Nov 23 '18 at 18:32





          For more security use something like Azure Key Vault docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/…

          – Colin B
          Nov 23 '18 at 18:32




          1




          1





          Once retrieved from keyvault they're equally vulnerable.

          – jessehouwing
          Nov 23 '18 at 18:33





          Once retrieved from keyvault they're equally vulnerable.

          – jessehouwing
          Nov 23 '18 at 18:33




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53446247%2fvsts-secret-variables-are-actually-secret-or-not%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Create new schema in PostgreSQL using DBeaver

          Image
          0 At the beginning of my current job I had limited access to DB but recently my role is changed to superuser, admin, and owner. My colleague who was the previous DB admin is able to create a schema or change the permissions as there is a permission tab in the properties and he can change permissions by clicking easily. Would you please let me know how I can create schema and change permissions as well? Why his dbeaver looks different from me? He can easily right click on the schema folder on top of all schemas on the left side column and select create new schema while I do not have that, like the following picture I found on the internet. postgresql database-schema dbeaver share | improve this question
          Read more

          Deepest pit of an array with Javascript: test on Codility

          Image
          0 $begingroup$ This is the question from a Codility test, as a task in an interview: DeepestPit - problem description A non-empty zero-indexed array A consisting of N integers is given. A pit in this array is any triplet of integers (P, Q, R) such that: ·         0 ≤ P < Q < R < N; ·         sequence [A[P], A[P+1], ..., A[Q]] is strictly decreasing, i.e. A[P] > A[P+1] > ... > A[Q]; ·         sequence A[Q], A[Q+1], ..., A[R] is strictly increasing, i.e. A[Q] < A[Q+1] < ... < A[R]. The depth of a pit (P, Q, R) is the number min {A[P] − A[Q], A[R] − A[Q]}. For example, consider array A consisting of 10 elements such that: A[0] = 0 A[1] = 1 A[2] = 3 A[3] = -2 A[4] = 0 A[5] = 1 A[6] = 0 A[7] = -3 A[8] = 2 A[9] = 3 Triplet (2, 3, 4) is
          Read more

          Costa Masnaga

          Image
          .mw-parser-output .avviso .mbox-text-div>div,.mw-parser-output .avviso .mbox-text-full-div>div{font-size:90%}.mw-parser-output .avviso .mbox-image div{width:52px}.mw-parser-output .avviso .mbox-text-full-div .hide-when-compact{display:block} Questa voce o sezione sull'argomento Lombardia non cita le fonti necessarie o quelle presenti sono insufficienti . Puoi migliorare questa voce aggiungendo citazioni da fonti attendibili secondo le linee guida sull'uso delle fonti. Segui i suggerimenti del progetto di riferimento. Costa Masnaga comune Localizzazione Stato   Italia Regione Lombardia Provincia Lecco Amministrazione Sindaco Sabina Panzeri (Al centro il cittadino) dall'08/06/2009 Territorio Coordinate 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Coordinate: 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Altitudine 318 m s.l.m
          Read more