How to create jenkins credentials via the REST API?

Question

I need to create a jenkins credential ( https://wiki.jenkins-ci.org/display/JENKINS/Credentials+Plugin ) via a script. How can I do that using either the REST API or the cli ?

Note that I'm able to list the credentials using /credential-store/domain//api/json and /credential-store/domain//credential/8bd82461-e239-4db1-90bc-831ca3412e70/api/json etc.

Answer 1

📌 Here is the official documentation for managing the Jenkins Credentials via REST API

https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc#creating-a-credentials

Example of adding a deploy-key credential using the username wecoyote and the password secret123 in the testing domain of the /example-folder folder.

$ cat > credential.xml <<EOF
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
  <scope>GLOBAL</scope>
  <id>deploy-key</id>
  <description>Test User</description>
  <usernameSecret>false</usernameSecret>
  <username>wecoyote</username>
  <password>secret123</password>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
EOF

$ curl -X POST -u <username>:<password_or_token> -H content-type:application/xml -d @credential.xml \
https://jenkins.example.com/job/example-folder/credentials/store/folder/\
domain/testing/createCredentials

The expected responses are:

HTTP/200 Success, the credentials has been created.

HTTP/409 Failure, a credential with that id already exists.

HTTP/50x Could not parse the supplied domain XML body.

Answer 2

This issue took me a while to figure, a lot of digging around, so I decided to let the solution here, if someone else needs it.

curl -X POST 'http://user:token@jenkins_server:8080/credentials/store/system/domain/_/createCredentials' \
--data-urlencode 'json={
  "": "0",
  "credentials": {
    "scope": "GLOBAL",
    "id": "identification",
    "username": "manu",
    "password": "bar",
    "description": "linda",
    "$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
  }
}'

Answer 3

Unable to point to ssh keys in ~/.ssh on Jenkins host

Means this no longer works,

"privateKeySource": {
  "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$FileOnMasterPrivateKeySource",
  "privateKeyFile": "'{{jenkins_home}}/{{ii.key_name}}.pem'",
},

Answer 4

Just adding my 2 cents here: if you want to create the credentials for a specific folder, then use the following:

curl -H $CRUMB -X POST 'http://user:token@jenkins_server:8080/job/MY_FOLDER_NAME/credentials/store/folder/domain/_/createCredentials' \
...

So, you need to use /job/My_Folder at the beginning of the query part and replace the /store/system with /store/folder

Answer 5

if you need to create credentials but with pem file path you can use this:

prerequisites: ssh-credentials plugin

CRUMB=$(curl -s 'http://{{jenkins_admin_username}}:{{jenkins_admin_password}}@localhost:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
curl -H $CRUMB -X POST 'http://{{jenkins_admin_username}}:{{jenkins_admin_password}}@localhost:8080/credentials/store/system/domain/_/createCredentials' \
--data-urlencode 'json={
  "": "0",
  "credentials": {
    "scope": "GLOBAL",
    "id": "'{{ii.ssh_user}}'",
    "username": "'{{ii.ssh_user}}'",
    "password": "",
    "privateKeySource": {
      "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$FileOnMasterPrivateKeySource",
      "privateKeyFile": "'{{jenkins_home}}/{{ii.key_name}}.pem'",
    },
    "description": "'{{ii.ssh_user}}'",
    "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
  }
}'

this command used in ansible but you can replace the {{variables}} with your own variables

if you need to add all the pem file content you need to change the lines to:

....      
"stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource",
      "privateKey": "{{private_key_content}}",
    },
    "description": "{{user}}",
    "stapler-class": "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"
...

Answer 6

with latest jenkins you need a CRUMB to authenticate for this operation (ref https://stackoverflow.com/a/38314286)

CRUMB=$(curl -s 'http://user:token@jenkins_server:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
curl -H $CRUMB -X POST 'http://user:token@jenkins_server:8080/credentials/store/system/domain/_/createCredentials' \
--data-urlencode 'json={
  "": "0",
  "credentials": {
    "scope": "GLOBAL",
    "id": "identification",
    "username": "manu",
    "password": "bar",
    "description": "linda",
    "$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
  }
}'

Otherwise you get

<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /credentials/store/system/domain/_/createCredentials. Reason:
<pre>    No valid crumb was included in the request</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

Answer 7

I have a groovy script that also sets user permission using Matrix-based security. The script was posted at Creating user in Jenkins via API

Answer 8

There is no specific API call for this, but you can do it via cli commands to the jenkins jar.

echo 'jenkins.model.Jenkins.instance.securityRealm.createAccount("username", "password")' | java -jar jenkins-cli.jar -s http://localhost/ groovy =

For granting them permissions you can create a task in Jenkins which is running every N minutes and executing a groovy script as described here:

https://wiki.jenkins-ci.org/display/JENKINS/Grant+Cancel+Permission+for+user+and+group+that+have+Build+permission