Read credentials for private feeds from environment variables


It would be nice if it was possible to store the credentials for private NuGet feeds in environment variables, instead of in the NuGet.config file. This would help when running NuGet package restore on a build server. Right now to do this you have two options:
  1. Store all NuGet config info on each buildagent in the AppData folder. This is annoying because we want to avoid state on build agents.
  2. Store a NuGet.config in the repository with a cleartext password. It can't be encrypted because the encryption is done at the user level so if I encrypt on my machine it will not work on the build server. Storing passwords in plain text in repositories is bad, so I definitely don't want to do that.
Most (all?) CI systems allow you to specify environment variables to pass to the build. The good ones also allow "secure" environment variables, so their values won't be logged anywhere. This is where I want to keep my credentials for private feeds, in the CI server configuration.

I have written the code for this myself, so a pull request is on the way. Maybe there are other better ways to do this, but a pull request with working code is at least a starting point to discuss this and figure out if it's useful.


maartenba wrote Feb 28, 2014 at 3:24 PM

Which build system are you using?

einaregilsson wrote Feb 28, 2014 at 5:18 PM

I'm using TeamCity. I ended up using their built-in NuGet runner, which supports configuring the credentials in the TeamCity UI. It wasn't what I wanted to do though, I would have preferred to just write a build script that I could run locally or on TeamCity and take the credentials from the environment in both cases.

maartenba wrote Feb 28, 2014 at 5:44 PM

Here's how I do it with TeamCity:
  • Add a NuGet.config in the root of my source control, with just an empty <configuration/> element
  • Build step 1: command line runner executing nuget sources add .... -Username $env.Nugetusername etc -ConfigFile path-to-nuget-config-created-above
  • Other build steps will use the nuget.config created earlier thanks to nuget's config inheritance
I find it simple and quite elegant this way.

maartenba wrote Mar 1, 2014 at 8:34 AM

Also starting TC8 there is a build feature to set credentials. Even easier :-)

einaregilsson wrote Mar 1, 2014 at 3:04 PM

It's certainly possible to do with TeamCity, using your method of creating an empty config file and updating it before doing other things, or using TeamCity's built in credentials feature. I still think just reading the credentials from the environment and using them, without having to update config files, would be cleaner and a nicer way to do this.

TeamCity's credentials feature only seems to work for me when I use their NuGet installer step, not if I just ran NuGet from my own script directly. Don't get me wrong, TeamCity is awesome, but reading credentials from environment variables would work in any CI system.

einaregilsson wrote Mar 1, 2014 at 3:06 PM

Oh, and I did submit a pull request for this right after I created the issue, I forgot to link it from here. It's PR 5893

danliu wrote Aug 8, 2014 at 9:48 PM