Run Newman (Postman CLI) in TeamCity with Secrets

Sometimes, as a test engineer, you need to run your tests in CI with secret tokens

Postman is a perfect tool to start API testing. And Newman is a way to run your Postman collections on the command line. With Newman you can easily run tests in your own CI tool: TeamCity, Jenkins and so forth.

Despite the fact that Postman and Newman allow to keep variables in different scopes, there is a security case, when you are not allowed to store data (passwords, tokens or any authentication credentials) in plain text.

If you put a token in Postman’s Globals or Environment variables and export variables into a file (for further use by Newman), your token’s value will be in plain text. Everyone with access to these files could see and exploit it.

To eliminate security-related risks you can keep secrets inside CI tools. For example, TeamCity allows to hide the actual value of a variable through Typed Parameters.

The idea looks simple:

  1. Keep secrets in TeamCity;
  2. Run TeamCity build;
  3. Get secrets from environment variable and generate globals.json for Newman as a build step;
  4. Run Newman as a build step.
Run Newman (Postman CLI) in TeamCity with Secrets
Run Newman (Postman CLI) in TeamCity with Secrets

Create Scripts

  1. Understand the structure of My_Workspace.postman_globals.json file:

Postman → Environments → Globals → [Export]

As noted above, you can see the token’s value in plain text
As noted above, you can see the token’s value in plain text
postman_globals.json file — as noted above, you can see the token’s value in plain text

This JSON you need to generate.

2. Write a script which generates the same JSON structure, pull the required environment variable and add it to the JSON, create a file.

3. Export Postman Collection (*.postman_collection.json file).

My test collection is based on one handler of OpenWeather API. It requires a token to respond 200 OK.

Test collection
Test collection
Test collection

4. Write a script which runs Newman as a library.

5. Test your scripts locally before running them in CI.

Local testing
Local testing
Local testing

To test local accessing the environment variable you need to add token to shell environment:

export TOKEN={your_secret_token}

Create Build

Creating a build configuration in TeamCity is a quite nontrivial process. I will show only the parts related to Newman run.

Add Token

In TeamCity build configuration → Parameters → [Add new parameter]

Add new parameter
Add new parameter
Add new parameter

Fill the fields:

Name = env.TOKEN
Kind = Environment variable (env.)
Value = {your_secret_token}
Spec → click [Show raw value] = password display=’hidden’ readOnly=’true’

After [Save] your variable’s value will be hidden.

Environment Variable (env.) and hidden value
Environment Variable (env.) and hidden value
Environment Variable (env.) and hidden value

Add Build Steps

On each step I run one script file by Node.js.

2. Generate globals for Newman & 3. Run Newman
Build Steps
Build Steps

When you [Run] build, everything should work.

Success
Success

For the reason that all private data is separate from the code, I can post the example on GitHub without fear of token leaks.

Quality assurance engineer