Can't set secure environment variables via api

mharen's Avatar

mharen

19 Aug, 2019 03:41 PM

Hello, I'm trying to set a project's environment variables via API and I'm having some issues. I'm using this endpoint:

PUT https://ci.appveyor.com/api/projects/{my-org}/{my-project-slug}/settings/environment-variables

It works for vars that have isEncrypted: false, but when isEncrypted: true, the value is not set correctly or at all.

Here's a test case:
- go into the AppVeyor UI and set a secure variable - use the API to GET that variable and confirm you can read its value - use the API to PUT the value back - try to GET it again and confirm that you only get "" back

  1. Support Staff 1 Posted by Owen McDonnell on 19 Aug, 2019 09:34 PM

    Owen McDonnell's Avatar

    The api expects that, if you update a project with an encrypted variable, that you are sending the encrypted variable, not the unencrypted variable that is returned when querying for settings.

    Go to the Encrypt YAML tab of your account and encrypt a test variable, then use that in whatever script you are using to call the api, then make a second call to retrieve settings, and you should see the enencrypted variable (with isEncrypted value set to true, in the return JSON.

    You can also encrypt by sending it to https://ci.appveyor.com/api/account/<your_account_name>/encrypt with a POST body like { "plainValue": "value_to_encrypt" }

  2. 2 Posted by mharen on 20 Aug, 2019 12:35 PM

    mharen's Avatar

    Thanks Owen! That all works for me as you described, thank you!

    Some feedback for your team: this is somewhat inconvenient. What I'm trying to do is set a few common variables across many build configs. To do that is tough:

    First get a list of all projects (easy), and then for each:
    1. Get their vars
    2. Merge my vars into the vars I got
    3. Call the encrypt endpoint for each var that is encrypted, including whatever vars I retrieved in step 2
    4. Post the vars back to you

    If the vars endpoint accepted plainValue for encrypted vars, that'd help.

    What I really want is a PATCH request (or something) so that I could include only the vars I'm adding/changing, and then the server would merge that into what might already be there. If you did both of these things then my process above would be a lot simpler, and probably safer since you'll do the tricky bits instead of me :).

    Two other comments for your consideration:
    1. Now that I understand how it works, the REST API docs are obvious. But I think they could be improved with an explanation of how to send encrypted vars, like you provided me in this thread
    2. It would be cool if we could set account-wide vars that would get added to all builds

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac