Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Managing passwords in continuous deployment

Tags:

c#

asp.net-mvc

teamcity

continuous-integration

We are well into our deployment of continuous integration environment using TeamCity. As we work through the CI process and move toward continuous deployment, we have run into a problem with how we manage production passwords. For other changes in the config, we use the Web.Config transform. However, I don't really want to bake the production password in a build profile.

Before CI/CD, we would take the Web.config, use aspnet_regiis to decrypt the connection strings, change the password, then re-encrypt. Obviously, this is error prone and not at all in the spirit of CI/CD.

I've had several other thoughts that were basically all about using something in the deploy script to re-write and then encrypt the connection strings section of the file, but it seems like this must be a common problem and that there must be some generally accepted solution. But so far, I can't find it. Is there a "right way"?

Thanks!

like image 354
Jacob Avatar asked Feb 27 '12 19:02

Jacob

2 Answers

One possible solution, available since TeamCity 7.0, is to use typed parameters. You can define a parameter in TeamCity of type password, and pass it somehow to your build script (either as environment variable or as your build script property).

TeamCity stores values of such parameters in its own configuration files and in database in scrambled form. If password appears in build log or on build parameters page, it will be replaced with ***.

like image 133
Pavel Sher Avatar answered Oct 01 '22 01:10

Pavel Sher

Use config transformations. You can even build your own transformation that can handle encryption/decryption. The easiest way is encrypt the production strings in the release.web.config and use a transformation to handle replacing the connection strings.

http://msdn.microsoft.com/en-us/library/dd465318.aspx

http://sedodream.com/2010/09/09/ExtendingXMLWebconfigConfigTransformation.aspx

If this doesn't work for you, use a postbuild event to call aspnet_regiis. If you chose to extend the config transformation, you can do ANYTHING with it. The encryption keys could be on the moon as long as you can get to them.

like image 45
Darthg8r Avatar answered Oct 01 '22 02:10

Darthg8r
Sign in to Comment

Related questions

FileStream Read/Write method's limitation
C# - Splitting on a pipe with an escaped pipe in the data?
HttpContext.Current.Session is null
WPF Simple Validation Question - setting custom ErrorContent
Test for null values in C#
How to find what is using the connections in my connection pool
Using System.Net.WebClient with HTTPS certificate
Populating child property with Entity Framework SqlQuery
Why should I explicitly surround with "unchecked"?
Check if currently logged in user has persistent authcookie
TreatControlCAsInput issue. Is this a bug?
Using many dictionaries within dictionaries in my code
Expression.Call in simple lambda expression. Is it possible?
How to Remove Duplicate Matches in a MatchCollection
How to follow a .lnk file programmatically
Azure Table Storage expiration
C# compiled in mono - Detect OS
Why do shift operations always result in a signed int when operand is <32 bits
SpinLock and readonly fields
Initialize private readonly fields after Deserializing

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!