Alexandre Santos

Reputation: 8338

Accessing credentials in Jenkins with the Credentials Parameter plugin

My Jenkins box needs to access Stash and Jira through their REST APIs. For that I need to store their credentials.

The way I am doing it is via the Credentials Parameter, which asks me for a Name, Credential type, Required, Default Value, and a Description.

I define a Name as CREDENTIAL_PARAMETER, in the type I set it as "Username with password", and then I pick one credential from the list in the Default Value.

Next in the Build section I define that a shell should be executed, which is something like

echo $CREDENTIAL_PARAMETER

I was expecting to get something like "username:password" as the CREDENTIAL_PARAMETER. However, I get a hash that I think is how the username and password can be retrieved.

How can I get the credentials based on the hash using bash?

Upvotes: 27

Views: 70035

Answers (3)

Alex

Reputation: 849

The question mark button (?) near "Credentials Parameter" in the job configuration reveals the following clue:

> For security reasons, the credential is NOT directly exposed, the ID of the credential is exposed.

  • During execution, the value of "CREDENTIAL_PARAMETER" will be exposed as the env-variable env.CREDENTIAL_PARAMETER, which will contain the credential-ID of the selected credential.

  • The credential-ID can be used to provide the actual username/password to the job script as custom-defined variables using usernamePassword( credentialsId: env.CREDENTIAL_PARAMETER, .. ), see the example below:

#!/bin/groovy
pipeline {
    agent any  // a declarative pipeline will not run without an agent section
    stages {
        stage('Provide "Credentials Parameter" to my shell script') {
            steps {
                withCredentials([usernamePassword(
                        credentialsId: env.CREDENTIAL_PARAMETER,
                        usernameVariable: 'MY_USERNAME',
                        passwordVariable: 'MY_PASSWORD')]) {
                    script {
                        sh( script: "./my_shell_script.sh" )   // echo "$MY_USERNAME, $MY_PASSWORD"
                    }
                }
            }
        }
    }
}

References (look for "credentialsId"):

Upvotes: 0

Breedly

Reputation: 14226

Just as a note to myself, and hopefully this will help others, I'm going to go a bit more in depth than @Alexandre Santos, though his answer is extremely helpful.

The important thing to note is that there is a difference between the Credentials Parameter and the Credentials Binding.

If you are using a parameterized build, you can add a Credentials Parameter that references a credentials binding. When you run the build you'll notice that there is an environment variable that correlates to a credential's GUID in your credential store.

For this to actually be useful you have to inject a "Credentials Binding" into your environment.

Head to the Build Environment section of your job definition. Check Use secret text(s) or file(s). This will actually inject the secret into your build environment. The "Credentials Parameter" created earlier can be used here to let you select different credentials parameters.

For files it will drop the file somewhere in the workspace(?), and then inject a secret environment variable with the full path to the file.

This blog from Cloudbees should help with the rest.

Upvotes: 27

Alexandre Santos

Reputation: 8338

It is possible, but the plugin https://wiki.jenkins-ci.org/display/JENKINS/Credentials+Binding+Plugin needs to be installed. Without it, all you get is a hash to where the credentials can be found.

Once you have the credentials, Jenkins will place them as session environments, which can be retrieved.

Note that the credentials are available only when "Use secret text(s) or file(s)" is enabled in the "Build Environment" section.

Once all is defined, the username and password can be passed either as two different fields or as only one field separated by ":".

Upvotes: 18
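
As an added example (not part of any answer above, and not Jenkins or plugin code): a POSIX shell helper that a build step could use once the binding is in place. It assumes a hypothetical conjoined binding variable `CREDS` and a placeholder `JIRA_URL`; it rejects a value that is still a bare credential ID, splits on the first colon only, and hands the secret to curl on stdin instead of the command line.

```shell
#!/bin/sh
# Added example. Assumed names (not from the page): CREDS is a conjoined
# "username:password" binding; JIRA_URL is a placeholder base URL.
set +x  # Jenkins starts "Execute shell" steps with tracing on (sh -xe)

# Split on the FIRST colon only, so a password containing ':' survives intact.
cred_user() { printf '%s' "${1%%:*}"; }
cred_pass() { printf '%s' "${1#*:}"; }

# Fail early when the variable is empty or still holds only a credential ID
# (no colon), which is what the question's `echo` printed.
require_creds() {
  case "$1" in
    ?*:?*) return 0 ;;
    *) echo "binding not applied: expected username:password" >&2
       return 1 ;;
  esac
}

# Escape backslashes and double quotes for a quoted curl config value.
esc() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Build a one-line curl config from a username and a password. This also
# covers the "two different fields" style: curl_config "$MY_USERNAME" "$MY_PASSWORD"
curl_config() { printf 'user = "%s:%s"\n' "$(esc "$1")" "$(esc "$2")"; }

# Call a REST endpoint with basic auth. The config reaches curl through a
# pipe (--config -), so the password never shows up in curl's argument list.
call_api() {
  require_creds "$1" || return 1
  curl_config "$(cred_user "$1")" "$(cred_pass "$1")" |
    curl --silent --show-error --fail --config - "$2"
}

# Usage inside the build step:
#   call_api "$CREDS" "$JIRA_URL/rest/api/2/myself"
```
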
