Posts Tagged jenkins

Add credentials to Jenkins

Click ‚Credentials‘, then follow .. no?

Then you’re right here. How to set up Jenkins from scratch an add some Credentials to it’s store automatically, or, at  least, in an automatic manner.

There are some great ways to build up jobs like the Jenkins Job-DSL and some, not that great, but still cool features like the Jenkins CLI. With that command line interface you are capable to script a lot of maintenance task on Jenkins (like: shutdown, credentials mgmt, job and plugin mgmt – look into it). Unfortunately some details of that calls are not well documented, so let’s provide some small examples to it.

Fetch Credentials (w/o password)

java -jar jenkins-cli.jar -s http://localhost:8080/ \
get-credentials-as-xml \
system::system::jenkins _ some_credential_id

This is quite cryptic for my old eyes. You have to provide „STORE DOMAIN CREDENTIAL“ as parameters, but how to get it’s system::system::jenkins for „STORE“?  I don’t know. It’s in the tests of the source code as mentioned on the net, of course it is.

Create Credentials

Don’t wait too long, here it is:

echo '<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>                                      
 | java -jar jenkins-cli.jar -s http://localhost:8080/ \
   create-credentials-by-xml system::system::jenkins _

Gorgeous, isn’t it? Of course you may try to replace _  with a „DOMAIN“ you like, but remember: Don’t touch a running system.

Is there a better way?

Probably, but that depends. On you, of course. Maybe it’s better to get your passwords from some sort of vault, if you have. Some application, even some plugin could provide such data to your job and then, you don’t even  have to set up passwords in jenkins. No maintenance, just some time to get the passwords while you’re build’s running is needed though.

How does Jenkins store it’s passwords?

Look into DefaultConfidentialStore. Then you learn, it stores a master password  on: $JENKINS_HOME/secrets/master.key. This master key encodes all your passwords to a cipher string which itself will get stored on: $JENKINS_HOME/credentials.xml. That last one was easy of course.

It’s quite easy as well to decode that cipher texts from credentials.xml. Just land on the jenkins script page (http://localhost:8080/script ) and put in:

import hudson.util.Secret
def secret = Secret.fromString("..your_cipher_text..TsnOBWqAo4=")

Maybe hudson gets replaced by jenkins, but at the end of 2016 it’s not the case on that package name.


Schreibe einen Kommentar