FAKE - F# Make - A DSL for build tasks and more FAKE
Edit this page

Lookig for older versions of the documentation, pre FAKE v6? See 


Securing Build Tracing and Parameters using FAKE Vault Module

The Vault module in FAKE provide a way to secure sensitive information from the build logs. It works in a way similar to secret variables in VSTS.

To see the available Vault APIs in FAKE, please see the API-Reference for the Vault module.

Goals and non-goals

The FAKE-Vault works similar to secret variables in VSTS (in fact the Fake.Core.Vault module was added to better support VSTS).




API Usage

In order to get variables into FAKE you need to encrypt them via AES. When in doubt consult the source code of Vault.encryptVariable or look at the myVault.ts implementation of the vsts fake 5 task.

You need to create a json in the following format:

{ "keyFile": "<Path to file of the 32 byte key, encoded as base64 and saved in utf8>",
  "iv": "<base64 string of the 16 byte IV>",
  "values": [
      { "secret": true,
        "value": "<the raw value or the aes encrypted base64 string value when 'secret' is true>",
        "name": "<name>" }
  ] }

And save it in a environment variable FAKE_VAULT_VARIABLES for example.

Following is an example script that obtain values from the vault:

#r "paket:
nuget Fake.Core.Vault //"
open Fake.Core
let vault = Vault.fromFakeEnvironmentVariable()

let usage1 = vault |> Vault.get "my variable"
let usage2 = vault.Get "my other variable"
let tryUsage1 = vault |> Vault.tryGet "my variable"
let tryUsage2 = vault.TryGet "my other variable"

You can reference Fake.Core.Vault in your regular project and use Vault.encryptVariable to simplify the creation of the json.

Hide from Build output

By default the vault will not keep unencrypted variables in memory in order to 'protect' against memory dumps. Once you retrieve a secret variable we recommend to use build server features (like VSTS secret variables) to remove values from the output. If that is not an option you can use the protect secrets feature of the trace module. Keep in mind that this keeps the variables in memory and is therefore an explicit opt-in for the variables you use.