OctopusDeploy / Issues

Public: Bug reports and known issues for Octopus Deploy and all related tools
https://octopus.com

Add ability to read the value of sensitive variables via API #3093

Open pawelpabich opened 7 years ago

pawelpabich commented 7 years ago

User story

Users would like to treat Octopus as a secret/password manager. At the moment they can store values easily, but there is no easy way to retrieve them, and this is by design.

Based on the information we have right now, users would like to treat Octopus as the source of truth when it comes to storing secrets, which means there needs to be a way of retrieving the values of sensitive variables via API.

Next steps

Conversations

Please add here links to other similar conversations. Started by: https://secure.helpscout.net/conversation/306335923?folderId=557077

titusjaka commented 7 years ago

Hi,

We have a related issue here: http://help.octopusdeploy.com/discussions/problems/44040-octopus-provides-access-to-octopusactionwindowsservicecustomaccountpassword-via-api

If you are going to give this ability to users, we would very much appreciate it if this ability were an option in settings and could be turned off. We are very keen on security and would like to restrict access to sensitive data even for Octopus administrators.

Thank you for understanding.

matt-richardson commented 7 years ago

I wonder if taking a different tack to this problem might be worthwhile, and integrating with a product like Vault.

michelejohlbs commented 7 years ago

Hi Matt,

I would agree with Vault, but Octopus already has encryption / decryption built in, so it would be re-engineering an existing capability rather than just extending the API.

michelejohlbs commented 7 years ago

Hi @pawelpabich,

Is there any feedback regarding this issue?

darrenaitcheson commented 7 years ago

Integration with Vault would be exceptionally useful for those of us within Enterprise situations. Our security people would not allow us to store secrets anywhere other than within the Enterprise-approved tool.

MCKanpolat commented 6 years ago

Hi,

Is there any plan for this? Vault integration would be very useful for most companies.

AntonSmolkov commented 5 years ago

While this feature is in progress, you can carefully use this script to unsensitive your variables: https://github.com/AnSmol/HandyPoshScripts/blob/master/DevOps/OctoVarUnsensitifier.ps1

ccamburn commented 5 years ago

We just ran across an internal request to be able to store Octopus configurations in a company-wide tool. Right now, storing configurations works well for Octopus, but we would like to store values not used by Octopus in Vault, and it would be easier if we had a single place to store these values. We would then have the ability to query all configurations, even sensitive ones, and validate them.

This ticket would go a long way in that regard.

fkollmann commented 1 day ago

If all you have access to is the Octopus Deploy database or a project export, you can use the octopus-deploy-decryptor tool, which I am the author of.