Safely allow ApiKey to be passed in CI

Mar 31, 2011 at 8:44 AM

NuGet now allows setting the API key in a file, which is awesome, but I think it would still be a problem for those using it in CI.

Here is what I think would solve a problem.

Many Linux tools like git first get their config from a local file, then the user profile, and then the environment variable.

As for NuGet, I think we don't need the local file stuff; the nuget.config is more than enough, but now it needs to support environment variables.

I believe all CI allows us to modify the environment variables. So I believe the best way to pass the API key is using the environment variable.

Here is my sample powershell profile that I use.

It sets the default editor using the environment variable.

$env:EDITOR = "vim"

So I think NuGet needs something like this.

$env:NUGETAPIKEY = "...."

But again we can have some problems. What if I want to specify multiple NuGet API keys (I might want to push to different NuGet servers)? Then this wouldn't work.

So we should have another feature to allow users to pass the environment variable.

nuget push ..... -env=env_var1

This solves the problem of saving an arbitrary number of API keys in environment variables, which can be used by NuGet safely.

But we need to be careful, as CI servers like TeamCity expose any additional environment variables that are passed, which would lead to exposure of the API key.

TeamCity has something called ConfigurationParameter (though I have not personally used it; the config parameters are not passed to the build), but build parameters can reference config parameters. So there might be a way to pass the API key without exposing it.

Will need to first check all major CI (TeamCity, Hudson, CruiseControl and so on) for how they allow it before implementing this feature.
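The idea proposed in the post above, sketched as a wrapper script; this is an added example, not part of the original post and not NuGet's own code. The function names and the `NUGET_KEY_*` variable names are hypothetical, and it assumes a `nuget.exe` that accepts `push <package> -ApiKey <key> -Source <url>`.

```powershell
# Added example. Function names and NUGET_KEY_* variable names are hypothetical.
# Each feed's key lives in its own environment variable; the build script only
# ever handles the variable *name*, so the value never appears in the script or log.

function Get-ApiKeyFromEnv {
    param([Parameter(Mandatory)][string]$VariableName)
    $key = [Environment]::GetEnvironmentVariable($VariableName)
    if ([string]::IsNullOrWhiteSpace($key)) {
        # Fail closed: never fall through to an anonymous or default push.
        throw "Environment variable '$VariableName' is not set or is empty."
    }
    return $key
}

function Push-PackageWithEnvKey {
    param(
        [Parameter(Mandatory)][string]$Package,
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$KeyVariable,
        [string]$NuGetExe = 'nuget'
    )
    $key = Get-ApiKeyFromEnv -VariableName $KeyVariable

    # Log which variable was used, never its value.
    Write-Host ("Pushing {0} to {1} using key from env var {2}" -f $Package, $Source, $KeyVariable)

    # Redact the key from anything the tool writes, in case it echoes its arguments.
    # Note: the key is still on nuget.exe's command line, so other processes on the
    # build agent that can list process arguments can read it.
    & $NuGetExe push $Package -ApiKey $key -Source $Source 2>&1 |
        ForEach-Object { "$_".Replace($key, '********') }

    if ($LASTEXITCODE -ne 0) {
        throw "nuget push failed with exit code $LASTEXITCODE"
    }
}

# Usage on a CI agent where the administrator has set both variables
# (feed URLs are placeholders):
# Push-PackageWithEnvKey -Package 'MyLib.1.0.0.nupkg' `
#     -Source 'https://feed-a.example/api' -KeyVariable 'NUGET_KEY_FEED_A'
# Push-PackageWithEnvKey -Package 'MyLib.1.0.0.nupkg' `
#     -Source 'https://feed-b.example/api' -KeyVariable 'NUGET_KEY_FEED_B'
```

Whether the variables themselves stay hidden depends on how the CI server stores and displays them, which is the open question in this thread.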

Mar 31, 2011 at 5:58 PM

Let us know what you find. Do some CI servers use any alternative means for handling sensitive data like this other than environment vars?

Apr 17, 2011 at 12:00 PM


Don't know if it helps, but I wrote a publish msbuild task that deals exactly with this. The apikey is a parameter that you pass in to publish.

I only have one api key, so I haven't tested it for multiple keys, but you could import an itemgroup of keys and names that is imported on the CI server, and individual builds just have a property that is the name of the key? We use teambuild, and it's also possible to specify such a property as part of each build.


Apr 28, 2011 at 10:08 PM

But is the apikey hidden from the public when you pass it as a part of each build?

For example, in TeamCity if I pass the build parameter NIGHTLY=false, normal users can see the parameters I passed.

Because of this, I can't pass the api as part of each build. (Not sure how teambuild works.)