Goals and non-goals
The FAKE-Vault works similar to secret variables in VSTS (in fact they were added to better support VSTS).
- Prevent accidental leakage
- Hide from environment variable listing
- Hide from process snapshots
- Forward secret variables from your build server into FAKE without implicit access for all sub-processes started by FAKE
- Complete fool-proof implementation
- Hiding variables from build script writers
- Hiding variables from the build output (see below)
- Manage secrets in your repository instead of your build server (ie. committing the json) > Please look at related tools like git-secret instead
In order to get variables into FAKE you need to encrypt them via AES. When in doubt consult the source code of
Vault.encryptVariable or look at the
myVault.ts implementation of the vsts fake 5 task.
You need to create a json in the following format:
1: 2: 3: 4: 5: 6: 7:
And save it in a environment variable
FAKE_VAULT_VARIABLES for example.
1: 2: 3: 4: 5: 6: 7: 8: 9:
You can reference
Fake.Core.Vault in your regular project and use
Vault.encryptVariable to simplify the creation of the json.
Hide from Build output
By default the vault will not keep unencrypted variables in memory in order to 'protect' against memory dumps. Once you retrieve a secret variable we recommend to use build server features (like VSTS secret variables) to remove values from the output. If that is not an option you can use the protect secrets feature of the trace module. Keep in mind that this keeps the variables in memory and is therefore an explicit opt-in for the variables you use.