Jenkins Credentials Binding Plugin

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

External

Internal

Overview

This plugin allows credentials defined in the Jenkins server to be bound to environment variables or parameters to be used fro miscellaneous build steps. It uses a withCredentials step whose programming model is explained below. The advantage of using this pattern is that the credentials are maintained securely by the Jenkins instance and they are automatically masked in the logs.

Playground

https://github.com/ovidiuf/playground/tree/master/jenkins/pipelines/credentials-binding-plugin

withCredentials

The step can be configured with a map and gets a closure within which the credentials are projected:

withCredentials(<configuration-map>) {
  // closure
}

The configuration map accepts the following keys:

  • usernamePassword
  • sshUserPrivateKey
  • certificate
  • dockerCert
  • file
  • kubeconfigContent
  • kubeconfigFile
  • vaultString
  • zip
  • azureServicePrincipal
  • $class: 'AmazonWebServicesCredentialsBinding'

and more.


Injecting Username and Password into a Build Step

A typical pattern to project username and password into a build step:

withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
  // available as an env variable, but will be masked if you try to print it out any which way
  // note: single quotes prevent Groovy interpolation; expansion is by Bourne Shell, which is what you want
  sh 'echo $PASSWORD'
  // also available as a Groovy variable
  echo USERNAME
  // or inside double quotes for string interpolation
  echo "username is $USERNAME"
}