How to see full value of environment variables via CircleCI APIs?

I tried the list env vars API https://circleci.com/docs/api/#list-environment-variables to list the env “names” and “values” of my env vars in a CircleCI project. But the value is hidden in the API response, e.g. “xxxx1011”. How can I utilize such a value in my code, as it wouldn’t understand “xxxx”? Is there a way to get the full value of environment variables via its APIs?
Any help appreciated.

Hi there, welcome to our community!

There is no way to do this; for security reasons, the API is implemented in a way where you cannot read out environment variable values.

Could you share more about what you are trying to accomplish here?

Hi @levlaz, thanks for the reply. There are a few tokens that I want to utilize for making API calls, but I don’t want to expose these tokens, so I embed/store them as project-specific environment variables. Now, using the CircleCI APIs, I’m trying to fetch these vars and their respective values to use them in my code.

For example, using https://circleci.com/api/v1.1/project/github/:username/projectName/envvar/:name?circle-token={{token}} displays a response like

    {
      "name": "TKN_ID",
      "value": "xxxx5151"
    }

But I’m unable to use this hidden value to make my API calls. How else can I achieve this? I was under the impression that using these APIs https://circleci.com/docs/api/#environment-variables would serve the purpose.

Environment variables are exposed as a part of the build; you don’t need to use the API to get them. If you need to share secrets across builds, then you should use “contexts”.

OK, I can embed my environment vars in a Context then, but I would also need to update one of the vars periodically, and I see that an update won’t be possible in this case. And from here you stated: Updating context environment variables during build? Hence, my idea was to get env vars for the specific project and, for the one which requires an update, I would delete the envvar and then add the envvar.

Also, as per https://circleci.com/docs/api/#get-single-environment-variable, it should return the hidden value; however, this API response also shows “xxxx5151” for a single env to fetch. Is this something known?

“xxxx” is the “hidden value”, there is no way to read the secret via the API.

It should probably be renamed to “obfuscated” value in the docs, because “hidden” is a bit misleading.

Yeah, it’s quite contradictory to what the docs say. But it still makes me wonder: what’s the purpose of having this API when they can’t retrieve the secrets?

I don’t disagree with you, the docs are a bit confusing.

Although, the purpose of this endpoint, from what I know, is:

  1. Check to see if an env var is set.
  2. Compare the ending to see if the env var is correct.

I would love to be able to see and add variables on my context via the app. Please add this feature.

This sounds like a massive security risk, and I doubt it would ever be implemented.

Here’s a hack:

  1. Re-build with SSH on any of your existing builds
  2. SSH into the circle container
  3. Run printenv

Hope this helps!

Thanks! It works.

Another possible hack is to put printenv|base64 in your script. Then copy the base64 text elsewhere and run it through base64 -d.

A bad idea, since then the output with all the secrets would exist in the build log for anyone to decode. Base64 encoding it has no practical benefit in this case - you might as well just run printenv without piping to base64 at that point.

You can still add / update it, and being able to see some of the value could potentially be used to determine if the existing value potentially matches a string or not.

I’ve personally used these features via the API in a few different ways:
a) Get a list of projects that have env vars set to see if they need to be rotated
b) Written tooling to rotate static credentials / tokens / etc. in contexts. So, generate a new secret or token, update the value in the existing context, revoke old secret.

You can add / modify / delete project env vars and context values via the API.
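
The "check if it is set, compare the ending" use of the masked values described in this thread, written out as an added example (not code from any poster or from CircleCI). It assumes the masked form is "xxxx" followed by the trailing characters of the real value, as in the responses quoted above; the response body, variable names other than TKN_ID, and the local secrets are constructed.

```python
import json

MASK_PREFIX = "xxxx"  # masking prefix as it appears in the thread's API responses

# Constructed sample of a list-env-vars response body (not real data).
SAMPLE_RESPONSE = json.dumps([
    {"name": "TKN_ID", "value": "xxxx5151"},
    {"name": "DEPLOY_KEY", "value": "xxxx9f3c"},
])


def visible_suffix(masked):
    """Return the unmasked tail of a masked value, or None if the format is unexpected."""
    if not isinstance(masked, str) or not masked.startswith(MASK_PREFIX):
        return None
    return masked[len(MASK_PREFIX):]


def audit_env_vars(response_body, expected):
    """Classify each expected variable as 'match', 'stale', 'missing' or 'unknown'.

    expected maps variable name -> the current secret held locally (e.g. from a vault).
    Only the visible suffix is compared, so 'match' means "consistent with", not proof.
    """
    remote = {item["name"]: item.get("value") for item in json.loads(response_body)}
    report = {}
    for name, secret in expected.items():
        if name not in remote:
            report[name] = "missing"   # variable is not set on the project
            continue
        suffix = visible_suffix(remote[name])
        if not suffix:
            report[name] = "unknown"   # unrecognised or empty masking; cannot compare
        elif secret.endswith(suffix):
            report[name] = "match"
        else:
            report[name] = "stale"     # stored value differs; candidate for update/rotation
    return report


if __name__ == "__main__":
    # Constructed local secrets; in practice these come from your secret store.
    local = {"TKN_ID": "tok_live_00005151", "DEPLOY_KEY": "rotated-key-77aa", "NEW_VAR": "abc"}
    for var, status in audit_env_vars(SAMPLE_RESPONSE, local).items():
        print(f"{var}: {status}")      # prints the status only, never the secret
```

A "stale" or "missing" result is the cue to write the new value through the add/update endpoints mentioned above; the full secret never needs to be read back.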