How to secure TeamCity deployment via Web Deploy service?

My team uses TeamCity to build, test and deploy web applications via Web Deploy to dev and qa web servers. The tricky part is deploying to a production  web server - our policy dictates that developers cannot deploy to  production, only a system administrator can.

Our current approach is to have TeamCity build a web deployment  package, which the administrator can download and install on the  production web server. However, we'd like to allow them to simply click  "Run" on a build configuration, but we're not sure how to secure that  button.

We could create a TeamCity project that only administrators have  access to, but we also have to address Web Deploy security. The Web  Deploy service needs to be authenticated with a local admin account on  the production server. We don't want developers having access to the  username/password in a build script, nor do we want every build agent  running as this account since developers could create a build that uses  it to deploy to production.

I've haven't had much luck finding resources on TeamCity  security/deployment best practices, but I can't imagine we're the only  company in this situation. How do others manage automated deployment  security?

(I've also posted this question on stackoverflow)

Comment actions Permalink


You can add a dedicated build agent that runs deployment builds and nothing else.
The restriction is set from two ways:

  1. on build agent's page set a policy to Run selected configurations only - it prevents execution of other configuration on this agent.
  2. In build configuration add a new agent requirement equals <name> - it prevents execution of your deployment script on other build agents.
Comment actions Permalink

We ended up doing that in combination with project specific groups and roles. Thanks!


Please sign in to leave a comment.