Keyvault references break if the secret value contains two percent symbols #4
Comments
GitHub Issue: vyadh#4
Great, thanks for this. I did try to take a crack at this a while ago, but I had some trouble doing something similar. I'll take this change out for a spin and see if I can reproduce the issue I had escaping it. It may very well be the double-interpolation as you mentioned - I think TeamCity resolves references once before the plugin sees them (which is actually helpful, as you can use environment-specific key vaults or keys by embedding an environment parameter).
Cool thanks! After further testing, I think the second round of interpolation I mentioned was actually due to my use of the File Content Replacer build feature. So I think only one round of interpolation is relevant to this plugin.
@vyadh, any chance you could take a look at testing this PR or give an update?
Apologies, been meaning to merge this in for a while. What I need to do is write some tests and then go through some scenarios we use, such as where we use nested parameters (e.g. `%keyvault:%kvname%-%kvregion%/secret%`). It will be easier to find time for this once my new team comes on board, but unfortunately that's been paused for the moment because of recent events in the world.
In TeamCity, variables are denoted by an opening and closing percent symbol: `%my_var%`

If a keyvault secret value contains two percent symbols (e.g., `my%keyvault%secretValue`), the plugin fails to evaluate the secret value and returns the name of the parameter instead. It seems that the secret value is somehow being interpolated by TeamCity as containing a variable name.

Moreover, the variable interpolation seems to happen twice before being returned. Variables can be escaped by being duplicated `%%`. So I tried setting my secret value as `my%%keyvault%%secretValue`, but this still failed. When I quadrupled each `%` symbol, it evaluated correctly. `my%%%%keyvault%%%%secretValue` evaluates to my desired result of `my%keyvault%secretValue`.

To reproduce:

1. Create a keyvault secret with value of `my%keyvault%secretValue`.
2. Add a parameter `myparameter` in a TeamCity build referencing the keyvault secret. Value should look like: `%keyvault:my-kv/my-secret-name%`
3. Create a TeamCity build step with a PowerShell (or other CLI) runner to echo the parameter: `echo '%myparameter%'`
4. The build log will contain a line showing the parameter name where there should be a mask for the secret value: `[20:58:12] [Step 1/1] %myparameter%`
5. Change the keyvault secret value to `my%%%%keyvault%%%%secretValue`.
6. Run the build step again. Output should look something like this: `[20:58:12] [Step 1/1] ***********`

The mask shows that the secret is being retrieved and evaluated successfully.
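
The escaping behaviour reported in this issue, as a simplified model added here for illustration; it is not TeamCity's or the plugin's code. It assumes each interpolation pass turns `%%` into `%` and treats `%name%` as a reference that fails when `name` is undefined; the function names and the `rounds` parameter are hypothetical.

```python
import re

# One token is either an escaped percent (%%) or a %name% reference.
_TOKEN = re.compile(r"%%|%([^%\s]+)%")


class UnresolvedReference(Exception):
    """Raised when a %name% reference has no matching parameter."""


def resolve_once(text, params):
    """One interpolation pass: %% becomes %, %name% becomes params[name]."""
    def substitute(match):
        if match.group(0) == "%%":
            return "%"
        name = match.group(1)
        if name not in params:
            raise UnresolvedReference(name)
        return params[name]
    return _TOKEN.sub(substitute, text)


def resolve_rounds(text, rounds, params=None):
    """Apply `rounds` passes; return None if any pass hits an unknown reference."""
    params = params or {}
    try:
        for _ in range(rounds):
            text = resolve_once(text, params)
    except UnresolvedReference:
        return None
    return text


def escape_for_rounds(value, rounds):
    """Escape a literal value so it survives `rounds` interpolation passes."""
    return value.replace("%", "%" * (2 ** rounds))


if __name__ == "__main__":
    secret = "my%keyvault%secretValue"  # constructed sample value from the issue
    for rounds in (1, 2):
        stored = escape_for_rounds(secret, rounds)
        print(rounds, stored, resolve_rounds(stored, rounds))
    # Doubling is not enough when two passes run: the second pass sees %keyvault%.
    print(resolve_rounds("my%%keyvault%%secretValue", 2))
```

Under this model each additional interpolation pass doubles the number of `%` characters needed, which matches the doubled value failing and the quadrupled value working when two passes are applied.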