How to secure credentials on a buildserver?

Question

I got a setup where the developers push code to a repository, which then triggers a build on our CI Server. The deployment is currently also done by CI server. For deployment to the production environment, jenkins needs to login as root on the prod-servers.

That means that I have to put the credentials (e.g. username / password or secret key) onto the CI system. This leads to the problem that every developer that has access to the repository, is able to read these secret credentials by injecting code into the build process.

How can I make sure that access to the repo doesn't give potential access to the credentials on my CI server?

Answer 1

You can use Jenkins "Credentials" objects (of the "Credentials" plugin), just for that. Navigate to "Credentials" from the Jenkins side menu and create a new Credentials item. Those items are saved inside Jenkins, not in the SCM repository.

You can then use those credentials from a Jenkins pipeline or freestyle job. Setup Jenkins permissions so developers have no access to Credentials. Jenkins protects against leaking those credentials to the console output by replacing them with asterisks (***).

If you're using a jenkinsfile, you're actually giving full control to the developers - this is a bad security practice! To separate Developer and DevOps roles, I would create a seperate Jenkins job that only deploy artifact(s) to production. Do NOT store the deployment pipeline in jenkinsfile (or store it in a new "DevOps" repository with different permissions). Configure the build job to trigger the deployment job when successful. Safeguard access to credentials and deployment job using scopes/permissions