Injecting Secrets into Jenkins Build Jobs

The content of this article has moved to [Injecting secrets into builds](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/injecting-secrets).

30 Comments

  • 0
    Michael Klöckner
    It worked like a charm for me even on an OSS Jenkins installation. I just had to install another plugin to make it work: CloudBees Credentials Plugin.
  • 0
    Alan Villa

    Is it possible to inject credentials when invoking Ant in Jenkins?

  • 0
    Peter Carr

    re: Ant,

    It is possible to load a properties file from an Ant script; in theory you could load a secret file.

    Note: I am not using this yet from Jenkins ... because I am browsing this thread to learn how!

  • 0
    Paul Grove

    As this article states this is "current best-practices" maybe then some effort should be made to kill the bugs of the credential bind plugin that makes the best practice insecure. See https://issues.jenkins-ci.org/browse/JENKINS-24805 open for 2 years. Due to this the plugin is disabled in our company, leading to yet more hack workarounds that sap our time. Please fix!

  • 0
    Jj Cm

    Totally agree with Paul.

    The issue https://issues.jenkins-ci.org/browse/JENKINS-24805 seems to be solved, and credentials are now masked on the console output of a job log. However, a simple "echo $MY_SECRET > secret.txt" shows the secret into a text file on the workspace.

    Please fix !

  • 1
    Jesse Glick

    Jj Cm: as designed. Masking only exists to reduce the chance of accidental disclosure.

  • 0
    Cola Vn

    Hi!

    I've been trying to use the same thing for my username and password but when I echo, I get **** as the output.

    I've followed all of the instructions above and I've created the credentials as global in the credential management page. Is there any mistake I'm making?

    Much thanks! :D

  • 1
    Arnaud Héritier

    Hi Cola,

    As Jesse said, this is as designed. We are masking them in the console to reduce the chance of accidental disclosure.

    Best regards

  • 3
    Cola Vn

    Hi Arnaud,

    Thanks for the response. However, where can we use these variables then? They're set as env variables but I'm not able to access them. When I say access, forget echo, but if I need to send them along with a curl call, how do I use them? My requirement is to send them via a curl call, the echo was just for testing.

    Rgds

  • 0
    Manuel Hutter

    Hi Jesse & Arnaud,

    I have the same problem as Cola. How do I use my secret text in a CURL request?

    Currently all I get is the ID of the secret, but not the secret itself...

  • -1
    Jesse Glick

    @Manuel I am not sure how that could happen. If you are a CloudBees customer, please file a support request.

  • 0
    Mark Weisser

    Is there a specific example of using a secret file that needs to be read by a build agent from within a pipeline job? I cannot seem to get that to work.

  • 0
    Jesse Glick

    @Mark yes there is a Secret file example above.

  • 0
    Mark Weisser

    @Jesse Is the "Secret File" example above the same for both a FreeStyle job as well as a Pipeline job?

  • 0
    Jesse Glick

    For a Pipeline job, you would need to use the withCredentials step; see the Pipeline Syntax link for details.

  • 0
    Mark Weisser

    @Jesse That ("withCredentials") did the trick. The only glitch is that I need to define the secret file on each master rather than just once in the CJOC that is upstream of the masters. That might be a CJOC bug and so I'll ping support.

    Thanks for your help.

  • 0
    Jesse Glick

    @Mark yes a support ticket would be appropriate. This sounds like a known bug CJP-7068, for which a fix may be coming soon.

  • 0
    Chaitanya Veluvolu

    @Jesse I am trying to access the secret text (which is an auth token) in httprequest as authorization header. I am using withCredentials. However, I am unable to use the variable defined in withCredentials. Any suggestions?

  • 0
    Denys Digtiar

    Hi Chaitanya,

    If you are a CloudBees customer feel free to raise a ticket. If not you can use the Community to try and get your question answered, but please provide more details as to what is going wrong.

  • 0
    Darshit Kothari

    Secret Text drop down value unavailable under the Kind option while adding Global Credentials in Jenkins v 1.570. Any clue on how to enable that??

    Thanks in advance

  • 0
    Denys Digtiar

    Hi Darshit,

    Secret Text is provided by the Plain Credentials plugin. You need to check if it is installed.

    Also, we highly recommend you upgrade your Jenkins. 1.570 is a three-year-old weekly release.

  • 0
    Brian Auron

    Hello,

    I have the same problem as Cola Vn, whose question was never answered. I'd like to use the actual values for the username/password instead of "****" but there is no information that I can find on how to do this.

    Thanks!

  • 0
    Shukri Adams

    Same problem as Cola Vn. If I do the following my authentication fails, and I have no way of knowing what value is being passed to the script because of the masking.

    stage('Deploy') {
        steps {
            withCredentials([usernamePassword(credentialsId: 'myUploader', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
                sh 'sshpass -p $PASSWORD scp -r $USERNAME@example.com:/path/to file.txt'
            }
        }
    }

    If I try to pass password or username to a test variable and deliberately console them out, all I get are masked characters :

    test="--${USERNAME}--${PASSWORD}"  && echo $test

    I get 

    --****--****--

     

    Masking variables is all good and well, but how are we supposed to pass these variables to scripts if they contain literally masked characters?

  • 0
    Shukri Adams

    Protip: you can't echo out your username/password variables because they're always obscured, but you can cat them out. This helped me trace where my script chain was losing their values.

    cat <<EOF > test.txt
    $USERNAME
    $PASSWORD
    EOF
  • 0
    Jesse Glick

    Tip: if you are debugging a problem in your script and you are sure no one else can see this build log and you will plan to delete the build record as soon as you are done, it is possible to transform the output in such a way that it is still human-readable but does not literally contain the secrets. For example:

    sh 'echo sshpass -p $PASSWORD scp -r $USERNAME@example.com:/path/to file.txt | od -a'
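
Added example, not part of any comment in this thread and not Jenkins or plugin code: a POSIX shell model of the behaviour the comments above describe, where the console shows `****` while the variable itself still holds the real value. `USERNAME` and `PASSWORD` are the thread's variable names; the sample values, the simplified `mask_console` filter and the helper functions are constructed for illustration.

```shell
# Constructed sample values standing in for what withCredentials would export.
USERNAME='deploy-bot'
PASSWORD='s3cr3t-Value'
export USERNAME PASSWORD

# Simplified model of the console filter (assumption, not the plugin's code):
# every literal occurrence of a bound secret in a log line becomes ****.
mask_console() {
  awk '
    function hide(s, secret,    i, out) {
      out = ""
      while (secret != "" && (i = index(s, secret)) > 0) {
        out = out substr(s, 1, i - 1) "****"
        s = substr(s, i + length(secret))
      }
      return out s
    }
    { print hide(hide($0, ENVIRON["PASSWORD"]), ENVIRON["USERNAME"]) }'
}

# What the build log shows when the variables are echoed.
logged_echo() {
  printf '%s\n' "--${USERNAME}--${PASSWORD}--" | mask_console
}

# What a child process actually receives: the real values, never "****".
# The output uses curl's config-file syntax, so it can be fed to curl on
# stdin and the credentials stay out of the process argument list.
curl_config() {
  printf 'user = "%s:%s"\n' "$USERNAME" "$PASSWORD"
}

# A transformed rendering (od -a, as in the comment above) no longer contains
# the literal secret, so the filter has nothing to match.
logged_od() {
  printf '%s' "$PASSWORD" | od -a | mask_console
}
```

In a job, the output of `curl_config` would be piped to `curl --config - <url>` from a single-quoted `sh` step, so the shell rather than Groovy expands the variables.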
  • 0
    Chris Funderburg

    Is there a way to prevent passwords from being displayed using the methods that Shukri Adams and Jesse Glick listed?

  • 0
    Hari S

    I wanted to log in to a remote machine without entering username and password as I wanted to supply creds from Jenkins.

    Is it possible?

  • 0
    Denys Digtiar

    Hari: in the context of this article, as long as the command that you intend to run has a way to supply credentials non-interactively you should be able to inject the secrets as explained here.
