Variable Set diff with sensitive values

tom.parrish's Avatar


01 Feb, 2018 10:28 AM

We are going to have to write some tooling to get the difference in variables between what is currently live, and what we are about to deploy. I am having a problem however with sensitive variables, as the API does not return anything for their value. I don't need to decrypt the senstive variables, however I do need to know if they have changed. Is there a way of obtaining the hashed value, or a modification date for a variable? I can get the hashed value by querying the database directly, however I'd like to avoid that if possible.

I am using the Octopus.Client nuget package against octopus v4.1.1

I understand there is a user voice story for this being built into the platform, and I have added votes to it

  1. Support Staff 1 Posted by Ben Pearce on 02 Feb, 2018 06:51 AM

    Ben Pearce's Avatar

    Hi Tom,

    Thanks for getting in touch.

    So that I can help you, can you explain which variables you are trying to compare and what you are trying to achieve.
    Are the live variables the ones in the web.config on the deployment target, or are they the variables from the last release?
    The sensitive variable values are not returned via the API at any stage time, the only thing the API will tell you is if the sensitive variable has a value or not.

    Since you are using Octopus.Client, I assume you are running this from outside Octopus, not as part of a deployment step. If you were trying to run something like this inside the context of a deployment step, you may have access to the variable values although this is not always the case, such as output variables which only exist after the step has completed, or account variables which only get evaluated with the step they are referenced in.

    If you can get back to me with some further details, I can try and help you find a solution.


  2. 2 Posted by tom.parrish on 02 Feb, 2018 09:08 AM

    tom.parrish's Avatar

    Hi Ben,
    I’m using the octopus client from a powershell cmdlet, written in c#. We want to compare all variables assigned to the project and library variable sets in the previous release to a given environment, to the release we are about to push to that environment. The main use case here is ensuring that critical data such as database connection strings, API keys, encryption keys etc have not been accidentally re-scoped so they won’t be deployed to the live environment, or just modified. We need deployers to be aware if they are about to change the API key or connection string, which they currently have no visibility on.

    From what I understand, if I wrote this as a deployment step, then I’d be able to access the variables for the release that was being executed, but there would still be no way of accessing the sensitive variables for the previous release. Is that correct?

    We do not need to consider output variables, and I’m not sure what account variables are, to be honest.


  3. Support Staff 3 Posted by Ben Pearce on 06 Feb, 2018 01:37 AM

    Ben Pearce's Avatar

    Hi Tom,

    You are correct, you cannot access the sensitive variables from a previous release via the API.
    You won't be able to query the passwords across releases directly in the database either as the passwords are encrypted each time and the resulting encrypted string is different each time. All other non-sensitive values are available via the API or database.

    Sorry I can't be of more assistance with this.


Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:


Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac