Deployments to change-controlled environments

Hi All,

Does anyone have any methods for deploying to change-control environments (e.g., UAT, Production) with protection over passwords?

We have created build-and-deploy Ant scripts that can and do work for any of our environments, but, as you can imagine, DBAs do not want to issue production passwords (necessary for deployment) to developers, so we can only take this so far at present.

I have tried using "System properties", and have shown that passwords can be entered using these in Custom Run builds to override the Ant password properties. This works well, except the Build Parameters log clearly shows the System properties (i.e., passwords) that were used in the run.

I am considering using this method, and simply preventing developer access to the Projects/Configurations that use this method for deployment, thereby preventing access to read passwords.

But is there a better way that anyone knows to do this? For example, by somehow getting the deployment script to read the password from a deployment-target server file?

Thanks everyone,
Darwin

1 comment

Darwin,

For now, if you store passwords inside TeamCity they will be visible to any user who has view permissions for the affected Build Configuration.
There is a related feature request to hide certain properties.

If the credentials are printed in the build log, there is also a related feature request to restrict build log viewing.

Currently, you can probably try to create a secure version control repository, check in a file with credentials there, and then restrict the build configuration with the corresponding VCS root attached so that untrusted users do not have "View VCS file content" permission in it.

If all the users on the server with TeamCity "Change agent run configuration policy" permission are trusted, then you can probably store the credentials in a file on a specific agent machine and allow the deployment build to run only on the machine (and no other builds).

If you come up with another solution or a suggestion for a related TeamCity feature, please let us know!
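
Added example, not part of the original thread or of TeamCity's documentation: an Ant build file that reads the production password from a properties file kept only on the dedicated deployment agent, so it is never entered as a build parameter. The file path, the `prod.` prefix, the `db.*` key names, the `jdbc.classpath` reference and `deploy.sql` are assumptions made for illustration.

```xml
<project name="deploy-prod" default="deploy" basedir=".">

  <!-- Assumed location: outside the checkout directory, present only on the
       deployment agent, readable only by the account the agent runs as. -->
  <property name="cred.file" location="/etc/deploy/prod-db.properties"/>

  <target name="load-credentials">
    <!-- Stop early if the build was scheduled on an agent without the file. -->
    <available file="${cred.file}" type="file" property="cred.file.present"/>
    <fail unless="cred.file.present"
          message="Credentials file not found; this build must run on the deployment agent."/>

    <!-- Assumed keys in the file: db.url, db.user, db.password.
         The prefix keeps them apart from properties set elsewhere in the build. -->
    <property file="${cred.file}" prefix="prod"/>

    <!-- Report a missing key by name only; never print the value. -->
    <fail unless="prod.db.url"      message="db.url is missing from the credentials file."/>
    <fail unless="prod.db.user"     message="db.user is missing from the credentials file."/>
    <fail unless="prod.db.password" message="db.password is missing from the credentials file."/>
  </target>

  <target name="deploy" depends="load-credentials">
    <!-- jdbc.classpath is an assumed path reference holding the JDBC driver jar;
         db.driver is an ordinary, non-secret build property. -->
    <sql driver="${db.driver}"
         url="${prod.db.url}"
         userid="${prod.db.user}"
         password="${prod.db.password}"
         classpathref="jdbc.classpath"
         src="deploy.sql"
         onerror="abort"/>
    <!-- Do not <echo> these properties, and do not run this build with Ant's
         -debug option: at debug level Ant logs property values as they are
         set, which would put the password in the build log. -->
  </target>

</project>
```

Ant properties are immutable once set, so a `prod.db.password` supplied with `-D` on the command line would take precedence over the file; leave it out of the build configuration's parameters.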
