6

I can see credentials in Jenkins console output. How can we encrypt them? The "Mask Passwords plugin" is considered not safe in my case.

chicks
RTenda

2 Answers

5

Here's an example of using them in a pipeline safely. In this case, they are injected as environment variables and their value should never have to be shown unless you explicitly choose to print out the variable content for some reason or other.

Environment variables are generally seen as the best way to store secrets at this point and are heavily relied on by many modern deployments (e.g. often used in Kubernetes apps).

https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#handling-credentials

Jenkinsfile (Declarative Pipeline)
pipeline {
    agent {
        // Define agent details here
    }
    environment {
        AWS_ACCESS_KEY_ID     = credentials('jenkins-aws-secret-key-id')
        AWS_SECRET_ACCESS_KEY = credentials('jenkins-aws-secret-access-key')
    }
    stages {
        stage('Example stage 1') {
            steps {
                // Steps here can read AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment
            }
        }
        stage('Example stage 2') {
            steps {
                // The same two variables are available in every stage of this pipeline
            }
        }
    }
}

You can also avoid Jenkins altogether by having your pipeline/etc retrieve them from some other tool like HashiCorp Vault, AWS SSM, Azure Vault, etc.

John Humphreys
0

John's answer works just fine. An alternative is to use the withCredentials block, which is built right into core Jenkins.

Example

pipeline {
  agent any

  stages {
    ...
    stage('Publish') {
      steps {
        withCredentials([usernamePassword(credentialsId: 'sonar-publisher', usernameVariable: 'SONAR_USER', passwordVariable: 'SONAR_PASSWORD')]) {
          // maybe do stuff with variables, echoing them prints *****
          sh './gradlew sonar'
        }
      }
    }
  }
}

The only requirement in this scenario is that the credentials sonar-publisher exist on the Jenkins master and your job has access to them.

brianrobt
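An added example, not part of either answer and not Jenkins code: a post-build audit of saved console output that looks for a bound credential in plain, Base64, hex and URL-encoded form, because masking that replaces the exact secret string does not cover transformed copies. The `mask_exact` model, the secret value and the log lines are constructed assumptions; `SONAR_PASSWORD` is the variable name from the answer above.

```python
import base64
import urllib.parse

MASK = "****"
SECRET = "s3cr3t/P@ss!"  # constructed sample value, not a real credential

def mask_exact(log, secrets):
    """Assumed, simplified model of console masking: exact-string replacement."""
    for value in sorted(secrets, key=len, reverse=True):
        log = log.replace(value, MASK)
    return log

def encodings(secret):
    """Forms in which a secret commonly reappears in build output."""
    raw = secret.encode()
    forms = {
        "plain": secret,
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
        "url-encoded": urllib.parse.quote(secret, safe=""),
    }
    # Drop encodings identical to the plain value to avoid duplicate findings.
    return {k: v for k, v in forms.items() if k == "plain" or v != secret}

def audit(log, secrets):
    """Return (line number, credential name, form) for each leaked copy."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        for name, value in secrets.items():
            for form, needle in encodings(value).items():
                haystack = line.lower() if form == "hex" else line
                if needle in haystack:
                    findings.append((lineno, name, form))
    return findings

# Constructed console output for the 'Publish' stage.
SAMPLE_LOG = "\n".join([
    "+ ./gradlew sonar",
    f"+ echo {SECRET}",
    f"Authorization token: {base64.b64encode(SECRET.encode()).decode()}",
    f"GET /api/check?password={urllib.parse.quote(SECRET, safe='')}",
    "BUILD SUCCESSFUL",
])

if __name__ == "__main__":
    masked = mask_exact(SAMPLE_LOG, [SECRET])
    for finding in audit(masked, {"SONAR_PASSWORD": SECRET}):
        print("leak:", finding)
```

In the sample, the echoed value on line 2 is masked, while the Base64 and URL-encoded copies on lines 3 and 4 survive masking and are reported by `audit`.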