Jenkins Pipeline Plugin - how to inject global passwords?

[Ant Weiss]

For regular jobs if I don't want to make passwords publicly visible I use EnvInject plugin with either global or job passwords.

This masks the passwords in log output and make them available as env variables.

What is the right way to do this when wrting pipeline DSL scripts?

Thanks a lot!!!

[Daniel Beck]

> On 24.04.2016, at 14:24, Ant Weiss <ant....@gmail.com> wrote:
>
> What is the right way to do this when wrting pipeline DSL scripts?
>

Credentials and Credentials Binding Plugin:

https://wiki.jenkins-ci.org/display/JENKINS/Credentials+Binding+Plugin

[Harry G.]

Please note: Credentials Binding works, but currently it is not possible to mask passwords in the log with this solution.
https://issues.jenkins-ci.org/browse/JENKINS-24805
A PR from Cloudbees is in work, but not finished
https://groups.google.com/forum/#!msg/jenkinsci-users/GgX3RSckVlI/LU8IqzqoMwAJ

Until this is done, the only way to mask passwords in the log is EnvInject or MaskPassword Plugin (with their respective backdraws).
You could possibly externalize parts of your pipeline to a freestyle job and use them.

Official doc suggests to turn off log (set +x), if you can do this reliably for all relevant jobs:
https://cloudbees.zendesk.com/hc/en-us/articles/203802500-Injecting-Secrets-into-Jenkins-Build-Jobs
If you have several people working on build jobs/scripts I would discourage from doing this.

[Ant Weiss]

Hi all,

thanks for your inputs.

In fact I implemented this with Credentials Binding plugin and it worked great - masking the passwords as it should.

[Brian Ray]

I recently started experimenting with Credentials Binding with a Pipeline script passing a user-password credential down to a sh/bat step inside a node block, with the secret values masked perfectly in the log. (The step just executed some Groovy that println System.getenv()'d the protected env variable.) In fact the masking worked so well I had to add some equality tests against the value to ensure that the secret value was indeed the right value.

Maybe my use case was different than JENKINS-24805.

[Harry G.]

Wow, this is strange!
To be honest, my test case was a freestyle job and I assumed there should be no difference.
I tried again and it really works in pipeline, but not in freestyle job - with exact same credential binding and same shell script!

So I think this can help to fix JENKINS-24805
So thanks a lot for bringing this up and sorry for the confusion!

[Brian Ray]

Glad to help. Very good to know the differing behavior between freestyle and pipeline jobs.

[Brian Ray]

Found a wrinkle to masking secrets in the log, in one of my edge cases Pipeline.

I'm trying to determine whether this edge case warrants a JIRA.

[kumar naresh]

Hi,

please help to get the global passwords list from jenkins using the groovy scripting.

Regards,

kumar.