[JIRA] (JENKINS-60440) Invalid git username/password on Jenkins agent when using Vault Username-Password Credential with '@' in username

mark.earl.waite@gmail.com (JIRA)

Dec 14, 2019, 7:23:02 AM
to jenkinsc...@googlegroups.com
Mark Waite updated an issue
 
Jenkins / Bug JENKINS-60440
Invalid git username/password on Jenkins agent when using Vault Username-Password Credential with '@' in username
Change By: Mark Waite
Summary: Invalid git username/password on Jenkins agent when using Vault Username-Password Credential with '@' in username
 
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

gordonli@hotmail.com (JIRA)

Dec 14, 2019, 12:01:06 PM
to jenkinsc...@googlegroups.com
Gordon Li commented on Bug JENKINS-60440
 
Re: Invalid git username/password on Jenkins agent when using Vault Username-Password Credential with '@' in username

Bitbucket.org no longer allows logging in with a username - they only allow email address or Google/Microsoft logins.

I don't think the @ character is the problem because the Git plugin works fine if my Bitbucket credentials are stored in Jenkins as "Username with password". Also note that it's only the agent server that fails to use a Vault username/password to checkout a Git repository. The master server is correctly setting the Git credentials and checking out to retrieve the pipeline's jenkinsfile.

mark.earl.waite@gmail.com (JIRA)

Dec 14, 2019, 12:31:02 PM
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-60440
Submitter notes that an @ sign embedded in the username will cause authentication failures in the git client plugin. Also an issue for the google code repositories since their user names include an @ sign as well.

I was not aware of Bitbucket Cloud supporting a username which includes an @ character. My Bitbucket Cloud account username (used to perform the clone) does not contain an embedded @ character.

I assume the use of an embedded @ character in the username is used on Bitbucket Server and Bitbucket Data Center. I use markewaite as my Bitbucket Cloud username (https://bitbucket.org/%7Bfeeb1516-e0f7-4759-89a0-1d3fe983b1f8%7D/). Bitbucket Cloud knows my google e-mail address and has connected my google e-mail address to my Bitbucket Cloud account.

Can you define a username in Bitbucket server that does not include the @ character in the username?

Are you able to define an app password in Bitbucket Cloud, store that app password in Hashicorp Vault, and use that app password as part of a Vault username / password credential?

mark.earl.waite@gmail.com (JIRA)

Dec 14, 2019, 12:32:03 PM
to jenkinsc...@googlegroups.com

I agree that they don't allow login with a simple username that is not an e-mail address. As far as I can tell, they do seem to allow clone with a simple username even when I performed the login with my e-mail address. My question was attempting to find an alternative that will allow you to operate in your environment without requiring a change from the git client plugin.

I don't think that there are major differences between the use of the username / password credential on the master and the use of the username / password credential on the agent. However, there must be enough of a difference to be creating the issue you're seeing. If the failing pipeline checkout operation inside the Jenkinsfile is intentionally executed on the master, does it fail in the same way, or does it succeed?

mark.earl.waite@gmail.com (JIRA)

Dec 14, 2019, 12:33:02 PM
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-60440

gordonli@hotmail.com (JIRA)

Dec 14, 2019, 4:18:02 PM
to jenkinsc...@googlegroups.com

The pipeline from SCM job checks out the repo on the master first in order to get the jenkinsfile, then the agent checks out the repo again in order to execute the jenkinsfile. The master is always able to check out while the slave is unable to check out using Vault username/password.

On further investigation, I suspect that on the agent, GIT_ASKPASS doesn't get configured correctly when using Vault. If I use a pipeline script defined in the job rather than from SCM, I can set my Git credentials to environment variables GITUSER and GITPASS and execute the following steps to manually configure GIT_ASKPASS before checking out a repository.

sh "git config credential.helper '!f() { sleep 1; echo \"username=${GITUSER}\"; echo \"password=${GITPASS}\"; }; f'"

git url: 'https://bitbucket.org/<username>/<repository>.git'

This runs successfully on a Linux agent. I haven't figured out how to replicate the git config credential.helper function on Windows so my Windows workaround instead is

git url: "https://${env.GITUSER}:${env.GITPASS}@bitbucket.org/<username>/<repository>.git"
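
An added example, not part of the original post and not the git client plugin's code: a throwaway GIT_ASKPASS helper that answers git's prompts from the GITUSER and GITPASS environment variables named above. Unlike a credential.helper line or credentials embedded in the clone URL, nothing secret is written to .git/config; the function names write_askpass and clone_with_askpass are hypothetical.

```shell
#!/bin/sh
# Added example. Git runs the program named in GIT_ASKPASS with the prompt
# text as its single argument and reads the answer from the program's stdout.

# write_askpass: create the helper in a private temp dir and print its path.
# The helper file holds no secrets; it reads GITUSER / GITPASS from the
# environment at the moment git calls it.
write_askpass() {
    dir=$(mktemp -d) || return 1
    chmod 700 "$dir"
    cat > "$dir/askpass.sh" <<'EOF'
#!/bin/sh
# Match on the first word of the prompt only. The rest of the prompt (host,
# and for the password prompt the user name) is never parsed, so an '@' in
# the user name cannot confuse the helper.
case "$1" in
    Username*) printf '%s\n' "$GITUSER" ;;
    Password*) printf '%s\n' "$GITPASS" ;;
    *)         exit 1 ;;
esac
EOF
    chmod 700 "$dir/askpass.sh"
    printf '%s\n' "$dir/askpass.sh"
}

# clone_with_askpass URL DEST: clone without putting credentials in the URL,
# in .git/config, or on the command line.
clone_with_askpass() {
    helper=$(write_askpass) || return 1
    # GIT_TERMINAL_PROMPT=0 makes git fail instead of prompting on a terminal.
    # The empty credential.helper value resets any configured helper list so
    # that only the askpass helper answers.
    GIT_ASKPASS="$helper" GIT_TERMINAL_PROMPT=0 \
        git -c credential.helper= clone "$1" "$2"
    status=$?
    rm -rf "$(dirname "$helper")"
    return $status
}
```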

 

josip.gracin@ingemark.com (JIRA)

Apr 1, 2020, 8:15:02 AM
to jenkinsc...@googlegroups.com

Hi! Just confirming that I have the same issue with GitHub.
