Working with sensitive data is a hard thing nowadays. Especially in a DevOps methodology. New tools and ways of solving problems don’t make it easier. Well, for some reasons, DevSecOps came to life. Almost all systems need some type of credentials – password, API tokens, keys, certificates and so on. In Infrastructure as a Code, Configuration as a Code and other approaches like these mentioned, working with git repositories is necessary. But it’s a very bad practice to store credentials in a plain text. I hope that I don’t need to explain why. Luckily, most of the mature tools have mechanisms which help us to play with that problem. Jenkins, for example, has its own Credential Plugin, so we can store credentials encrypted inside Jenkins instance, and we don’t need to push them to the git repository. But how to pass credentials to Jenkins pipeline? In a very simple way!
What’s the problem?
As I wrote in another blog post, we can store credentials in Jenkins in a secure way. Also, we can use them in a freestyle job. But one of the most important functions in Jenkins is a pipeline. It’s the quintessence of the CI/CD process, that allows building our own process consisting of some stages and steps. So I think it’s not a surprise, that it’s very important to be able to pass credentials to Jenkins pipeline – sometimes we need to access some external resources like Nexus Repository or SonarQbube Server. Putting your sensitive data into the secure Credentials domain is the first thing – then you must somehow pass them to your pipeline in Jenkinsfile.
So how to pass credentials to Jenkins pipeline?
In a very simple way. Just by using withCredentials() method. 🙂 It works in both declarative and scripted pipelines. As I’d prefer declarative than scripted, all examples are based on declarative, but scripted is less restricted, so it should be much easier to implement this method to your pipelines.
So, let take a look at the example below:
|
1 2 3 4 5 |
steps { withCredentials([string(credentialsId: 'credUserName', variable: 'NUSER'),string(credentialsId: 'credPassName', variable: 'NPASS')]) { sh './gradlew test -PNEXUS_USERNAME=${NUSER} -PNEXUS_PASSWORD=${NPASS}' } } |
There you have a hypothetic test which is initiated by gradle and that gradle requires access to the Nexus Repository for some reason. Of course, access to the Nexus repository is restricted, and username and password are required. Username is not a very sensitive data, but let’s assume that it’s good to store it as a credential – it will help with show how you can pass multiple credentials.
Probably you’re now wondering what are those credUserName and credPassName, right? It’s a very simple question – they are credentials you previously created in the Jenkins. you can see how you can create a credential in my other post.
Of course, the example below is useful when you need a string credential, like password, username, some kind of token and so on. But it’s not the only option you can choose.
I want a certificate! Or another file!
You can take a look at the Jenkins documentation and find out, that there are many options supported by Jenkins and Credential Binding plugin. There are some of them:
file
From the documentation:
Copies the file given in the credentials to a temporary location, then sets the variable to that location. (The file is deleted when the build completes.)
Example:
|
1 2 3 4 5 |
steps { withCredentials([file(credentialsId: 'secretFile', variable: SFILE)]) { sh 'ansible-playbook -i hosts playbook.yml --vault-password-file ${SFILE}' } } |
usernamePassword
From the documentation:
Sets one variable to the username and one variable to the password given in the credentials.
Example:
|
1 2 3 4 5 |
steps { withCredentials([usernamePassword(credentialsId: 'credUserName', usernameVariable: 'NUSER', passwordVariable: 'NPASS')]) { sh './gradlew test -PNEXUS_USERNAME=${NUSER} -PNEXUS_PASSWORD=${NPASS}' } } |
sshUserPrivateKey
From the documentation:
Copies the SSH key file given in the credentials to a temporary location, then sets a variable to that location. (The file is deleted when the build completes.) Also optionally sets variables for the SSH key’s username and passphrase.
Example:
|
1 2 3 4 5 |
steps { withCredentials([sshUserPrivateKey(credentialsId: mySshKey, keyFileVariable: KEY')]) { sh "ssh -i ${KEY} 10.10.10.10 -C \'docker run -n my-nginx -p 8080:80 nginx\'" } } |
More examples you can find in the plugin documentation.