Multibranch Pipeline Jenkinsfile job script not seeing Credentials


Francis Lalonde

Jul 27, 2016, 5:34:51 PM
to Jenkins Users
Hi -

I am writing a Jenkinsfile script to automate the creation of pipelines using the multibranch plugin. The Jenkinsfile appears at the root of a GitHub repo. Branch Indexing is working fine and the first stages (Maven commands) go through without a hitch.

But then I am trying to deploy using ansible, for which I need ssh. I have defined a global-scoped "secret-file" credentials, which regular jobs can see and use. But my script-generated jobs do not get access to the credentials.

In the following sample code, the echo command never runs:

node() {
    withCredentials([[$class: 'FileBinding', credentialsId: 'secret-file', variable: 'SECRET_FILE']]) {
        echo "${SECRET_FILE}"
    }
}

Moreover, using the "withCredentials" Pipeline Syntax Snippet Generator at the branch job level, the combobox does not list any available credentials. But doing the same thing a level above (in the multibranch job), the combobox shows all global-scoped credentials, including the "secret-file" which I am looking to use in my script.

I don't know if this is an intentional limitation, either by design or for security, that can be configured or worked around or if it is a plain bug that I should file an issue for. I tried both freshly installed Windows Jenkins 2.15 and an older 1.651.3 Linux Jenkins with updated plugins and got the same behavior.

If anybody has a clue, this would make my week!

Francis


Michael Neale

Jul 27, 2016, 7:08:51 PM
to Jenkins Users
Should the credentialsId be the horrible ugly ID in advanced in credentials?

Is there no error, but it just doesn't run?

Francis Lalonde

Jul 27, 2016, 11:06:08 PM
to Jenkins Users
It just doesn't run.

I've seen this behavior with the maven settings file, if you specify something that could not be found, the code within the block is just skipped.

I've made sure to use the ugly ID in my script, but I didn't put it in my example for clarity.

That no credentials appear in the generator combobox looks like it's more than just a bad ID. I'm not entirely clear how credentials propagate to child jobs / folders, maybe I need to do something at the multibranch pipeline level to propagate credentials to generated child jobs?

Stephen Connolly

Jul 28, 2016, 4:42:38 AM
to jenkins...@googlegroups.com
Ooooh... I wonder if this is an unintended side-effect of Jesse's hack. You might be able to work around it if you enable the hidden-by-default credentials permissions, as likely the findCredentialsById method is just not seeing the permissions it requires.


Francis Lalonde

Jul 28, 2016, 10:01:58 AM
to Jenkins Users
Looking at the code, it is not clear to me what the workaround would be - although somewhat experienced as a user, I am not knowledgeable about Jenkins internals. Would this be global configuration or a system property?

Also, because this is a managed, shared Jenkins installation for which I am not the admin, I do not have access to most settings and would not request a change that would lessen security globally. And using a self-built modified Jenkins branch is also out of the question... :)

Sophie Field

Dec 7, 2016, 9:48:00 AM
to Jenkins Users


Did you find a workaround for this? Currently experiencing the same problem.

Francis Lalonde

Dec 7, 2016, 11:03:03 AM
to jenkins...@googlegroups.com

I ended up with the dirty solution of copying the Ansible SSH creds file alongside the scripts in the source repo, and invoking Ansible using a Jenkins shell plugin, manually selecting the correct Ansible version and laying out the full ansible-playbook invocation by hand as the last command of the shell script.
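
The binding this thread was trying to use, as an added example that is not part of any post here: it keeps the key in the Jenkins credential store rather than in the repo, and fails the build if the withCredentials body is skipped. It assumes the 'secret-file' credential holds the Ansible SSH private key and that the job runs on a Linux agent with ansible-playbook installed; inventory.ini and deploy.yml are hypothetical names.

```groovy
// Added example (not from the thread). Assumptions: Linux agent with
// ansible-playbook on PATH; 'inventory.ini' and 'deploy.yml' are hypothetical
// file names; 'secret-file' is the credential ID used in the first post and is
// assumed to contain the SSH private key.
node {
    checkout scm

    boolean bodyRan = false

    // file(...) is the Credentials Binding plugin's short form of
    // [$class: 'FileBinding', ...]. The secret is written to a temporary file
    // and only its path is exposed in SECRET_FILE while the block runs.
    withCredentials([file(credentialsId: 'secret-file', variable: 'SECRET_FILE')]) {
        bodyRan = true

        // Single quotes: the shell expands $SECRET_FILE, so the value never
        // passes through Groovy string interpolation.
        sh '''
            set -eu
            test -s "$SECRET_FILE"   # the binding produced a non-empty file
            ansible-playbook -i inventory.ini --private-key "$SECRET_FILE" deploy.yml
        '''
    }

    // Turn the "block is just skipped" symptom into a hard failure instead of
    // a green build that deployed nothing.
    if (!bodyRan) {
        error "withCredentials body did not run: credential 'secret-file' was not resolved for this job"
    }
}
```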
