Set-OctopusVariable to support -IsSensitive flag
The Set-OctopusVariable (and its counterparts for other scripting languages) should support an -IsSensitive flag such that if a variable is marked as sensitive it will not leak into a log.
We have begun work on this: https://github.com/OctopusDeploy/Issues/issues/4541
zhu jun commented
Please consider this seriously!!!! We have found that you could easily get the output variable out from api for deployment variables. e.g. http://octopus/api/variables/variableset-Deployments-xxxx. This is a big risk!
Tim May commented
Agreed. Our organisation uses KeePass as a store for protected secrets (usually passwords, but also API keys and other similar sensitive values. While we could copy these in to OD, we prefer the ability to use the scripting API and OD service account permissions to pull the correct (latest) value from the KeePass source-of-truth at deployment time. The downside, is that setting variables in script can not be marked sensitive, so we risk the values leaking into log statements.
has there been any more discussion in this area? Or is there another way to accomplish this?