Using credentials from jenkins store in a jenkinsfile

问题:

I made a multibranch pipeline project in jenkins. I need to use two repositories and both need credentials.

I created a Jenkinsfile in repository1:

node ('label1'){   stage 'sanity check'   sh 'echo sanity check'   stage 'checkout other repository'   checkout([     $class: 'GitSCM', branches: [[name: '*/master']],     userRemoteConfigs: [[url: 'https://BRNTZN@bitbucket.org/BRNTZN/repository2.git'],[credentialsId:'23b2eed1-2863-49d5-bc7b-bcccb9ad914d']]   ])   stage 'log results'   sh 'echo result = OK'  } 

When I push this file onto a branch of repository1 and start the build I get the following error in jenkins:

Branch indexing Setting origin to https://BRNTZN@bitbucket.org/BRNTZN/repository1.git Fetching origin...  > git rev-parse --is-inside-work-tree # timeout=10 Fetching changes from the remote Git repository  > git config remote.origin.url https://BRNTZN@bitbucket.org/BRNTZN/repository1.git # timeout=10 Fetching upstream changes from https://BRNTZN@bitbucket.org/BRNTZN/repository1.git  > git --version # timeout=10 using .gitcredentials to set credentials  > git config --local credential.username BRNTZN # timeout=10  > git config --local credential.helper store --file=/tmp/git1367320661933193799.credentials # timeout=10  > git -c core.askpass=true fetch --tags --progress https://BRNTZN@bitbucket.org/BRNTZN/repository1.git +refs/heads/*:refs/remotes/origin/*  > git config --local --remove-section credential # timeout=10 Checking out Revision d997a29e9d1f639d56eb425ec00e03309e099c7a (jenkinsfilebranch1)  > git config core.sparsecheckout # timeout=10  > git checkout -f d997a29e9d1f639d56eb425ec00e03309e099c7a  > git rev-list f81d0d366fd751857a2640c587817f4d047a15af # timeout=10 [Pipeline] node Running on jenkins agent (i-07353fc08cb42f10e) in /var/jenkins/workspace/multiBranch/jenkinsfilebranch1 [Pipeline] { [Pipeline] stage (sanity check) Entering stage sanity check Proceeding [Pipeline] sh [jenkinsfilebranch1] Running shell script + echo sanity check sanity check [Pipeline] stage (checkout other repository) Entering stage checkout other repository Proceeding [Pipeline] checkout  > git rev-parse --is-inside-work-tree # timeout=10 Fetching changes from the remote Git repository  > git config remote.origin.url https://BRNTZN@bitbucket.org/BRNTZN/repository2.git # timeout=10 Fetching upstream changes from https://BRNTZN@bitbucket.org/BRNTZN/repository2.git  > git --version # timeout=10  > git -c core.askpass=true fetch --tags --progress https://BRNTZN@bitbucket.org/BRNTZN/repository2.git +refs/heads/*:refs/remotes/origin/* ERROR: Error fetching remote repo 'origin' hudson.plugins.git.GitException: Failed to fetch from https://BRNTZN@bitbucket.org/BRNTZN/repository2.git     at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:799)     at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1055)     at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1086)     at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:109)     at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:83)     at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:73)     at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:52)     at hudson.security.ACL.impersonate(ACL.java:213)     at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:49)     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)     at java.util.concurrent.FutureTask.run(FutureTask.java:262)     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)     at java.lang.Thread.run(Thread.java:745) Caused by: hudson.plugins.git.GitException: Command "git -c core.askpass=true fetch --tags --progress https://BRNTZN@bitbucket.org/BRNTZN/repository2.git +refs/heads/*:refs/remotes/origin/*" returned status code 128: stdout:  stderr: remote: Invalid username or password. If you log in via a third party service you must ensure you have an account password set in your account profile. fatal: Authentication failed for 'https://BRNTZN@bitbucket.org/BRNTZN/repository2.git/'      at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1723)     at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1459)     at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:63)     at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:314)     at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:152)     at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:145)     at hudson.remoting.UserRequest.perform(UserRequest.java:153)     at hudson.remoting.UserRequest.perform(UserRequest.java:50)     at hudson.remoting.Request$2.run(Request.java:332)     at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)     at java.util.concurrent.FutureTask.run(FutureTask.java:262)     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)     at java.lang.Thread.run(Thread.java:744)     at ......remote call to jenkins agent (i-07353fc08cb42f10e)(Native Method)     at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1416)     at hudson.remoting.UserResponse.retrieve(UserRequest.java:253)     at hudson.remoting.Channel.call(Channel.java:781)     at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:145)     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)     at java.lang.reflect.Method.invoke(Method.java:606)     at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:131)     at com.sun.proxy.$Proxy75.execute(Unknown Source)     at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:797)     ... 13 more [Pipeline] } [Pipeline] // node [Pipeline] End of Pipeline ERROR: null Finished: FAILURE 

The credentials should be correct:

And using those credentials for that repository in a freestyle project gives no error:

Update I created a freestyle project using ssh credentials and added that public key to my bitbucket account to test if I can make ssh work:

This worked:

    Started by user admin Building remotely on jenkins agent (i-039385e75b60d70f7) (label1) in workspace /var/jenkins/workspace/gitcredentials test  > git rev-parse --is-inside-work-tree # timeout=10 Fetching changes from the remote Git repository  > git config remote.origin.url git@bitbucket.org:BRNTZN/repository2.git # timeout=10 Fetching upstream changes from git@bitbucket.org:BRNTZN/repository2.git  > git --version # timeout=10 using GIT_SSH to set credentials jenkinsmaster key  > git -c core.askpass=true fetch --tags --progress git@bitbucket.org:BRNTZN/repository2.git +refs/heads/*:refs/remotes/origin/*  > git rev-parse refs/remotes/origin/master^{commit} # timeout=10  > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10 Checking out Revision 1d51064143e7337cbc0b1910918166facc9c2330 (refs/remotes/origin/master)  > git config core.sparsecheckout # timeout=10  > git checkout -f 1d51064143e7337cbc0b1910918166facc9c2330 First time build. Skipping changelog. Finished: SUCCESS 

However when updating the jenkinsfile in the following way:

node ('label1'){   stage 'sanity check'   sh 'echo sanity check'   stage 'checkout other repository'   checkout([     $class: 'GitSCM', branches: [[name: '*/master']],     userRemoteConfigs: [[url: 'git@bitbucket.org:BRNTZN/repository2.git'],[credentialsId:'jenkinsmaster']]   ])   stage 'log results'   sh 'echo result = OK'  } 

I still get the same error:

Started by user admin Setting origin to git@bitbucket.org:BRNTZN/repository1.git Fetching origin...  > git rev-parse --is-inside-work-tree # timeout=10 Fetching changes from the remote Git repository  > git config remote.origin.url git@bitbucket.org:BRNTZN/repository1.git # timeout=10 Fetching upstream changes from git@bitbucket.org:BRNTZN/repository1.git  > git --version # timeout=10 using GIT_SSH to set credentials jenkinsmaster key  > git -c core.askpass=true fetch --tags --progress git@bitbucket.org:BRNTZN/repository1.git +refs/heads/*:refs/remotes/origin/* Checking out Revision 29fc47911827d829f5abe9456bd8df78bc478fe7 (jenkinsfilebranch1)  > git config core.sparsecheckout # timeout=10  > git checkout -f 29fc47911827d829f5abe9456bd8df78bc478fe7  > git rev-list 29fc47911827d829f5abe9456bd8df78bc478fe7 # timeout=10 [Pipeline] node Running on jenkins agent (i-039385e75b60d70f7) in /var/jenkins/workspace/multiBranch/jenkinsfilebranch1 [Pipeline] { [Pipeline] stage (sanity check) Entering stage sanity check Proceeding [Pipeline] sh [jenkinsfilebranch1] Running shell script + echo sanity check sanity check [Pipeline] stage (checkout other repository) Entering stage checkout other repository Proceeding [Pipeline] checkout  > git rev-parse --is-inside-work-tree # timeout=10 Fetching changes from the remote Git repository  > git config remote.origin.url git@bitbucket.org:BRNTZN/repository2.git # timeout=10 Fetching upstream changes from git@bitbucket.org:BRNTZN/repository2.git  > git --version # timeout=10  > git -c core.askpass=true fetch --tags --progress git@bitbucket.org:BRNTZN/repository2.git +refs/heads/*:refs/remotes/origin/* ERROR: Error fetching remote repo 'origin' hudson.plugins.git.GitException: Failed to fetch from git@bitbucket.org:BRNTZN/repository2.git     at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:799)     at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1055)     at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1086)     at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:109)     at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:83)     at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:73)     at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:52)     at hudson.security.ACL.impersonate(ACL.java:213)     at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:49)     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)     at java.util.concurrent.FutureTask.run(FutureTask.java:262)     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)     at java.lang.Thread.run(Thread.java:745) Caused by: hudson.plugins.git.GitException: Command "git -c core.askpass=true fetch --tags --progress git@bitbucket.org:BRNTZN/repository2.git +refs/heads/*:refs/remotes/origin/*" returned status code 128: stdout:  stderr: Permission denied (publickey). fatal: Could not read from remote repository.  Please make sure you have the correct access rights and the repository exists.      at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1723)     at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1459)     at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:63)     at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:314)     at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:152)     at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:145)     at hudson.remoting.UserRequest.perform(UserRequest.java:153)     at hudson.remoting.UserRequest.perform(UserRequest.java:50)     at hudson.remoting.Request$2.run(Request.java:332)     at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)     at java.util.concurrent.FutureTask.run(FutureTask.java:262)     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)     at java.lang.Thread.run(Thread.java:744)     at ......remote call to jenkins agent (i-039385e75b60d70f7)(Native Method)     at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1416)     at hudson.remoting.UserResponse.retrieve(UserRequest.java:253)     at hudson.remoting.Channel.call(Channel.java:781)     at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:145)     at sun.reflect.GeneratedMethodAccessor1180.invoke(Unknown Source)     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)     at java.lang.reflect.Method.invoke(Method.java:606)     at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:131)     at com.sun.proxy.$Proxy75.execute(Unknown Source)     at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:797)     ... 13 more [Pipeline] } [Pipeline] // node [Pipeline] End of Pipeline ERROR: null Finished: FAILURE 

回答1:

Your GitSCM class instantiation is incorrect. What you have is creating two UserRemoteConfig objects - one with a url of 'git@bitbucket.org:BRNTZN/repository2.git' and one with a credentialsId of 'jenkinsmaster'. Instead you want one object with both properties set.

checkout([   $class: 'GitSCM', branches: [[name: '*/master']],   userRemoteConfigs: [[url: 'git@bitbucket.org:BRNTZN/repository2.git'],[credentialsId:'jenkinsmaster']] ]) 

Should be

checkout([   $class: 'GitSCM', branches: [[name: '*/master']],   userRemoteConfigs: [[url: 'git@bitbucket.org:BRNTZN/repository2.git',credentialsId:'jenkinsmaster']] ]) 

I had just ran into the same issue and connected up an eclipse debugger to Jenkins to find the issue.

See https://issues.jenkins-ci.org/browse/JENKINS-45007

回答2:

I've had the exact same issue: checkout using credentials in a freestyle project works fine, checkout in a shell (as jenkins user) works fine, checkout in the pipeline fails. I've updated Jenkins + plugins to the latest version.

I finally managed to get it to work by placing the correct key in /var/lib/jenkins/.ssh/id_rsa. It looks like the GitSCM plugin completely ignores the provided credentialsId, and just uses the key in /var/lib/jenkins/.ssh/id_rsa. I generated a keypair without passphrase for this.

It is a workaround, and I suspect that GitSCM has a bug, but at least you can use the pipeline plugin.

回答3:

What kind of credentials do you use ?

I suggest that you use SSH credentials (i.e. private/public keys) :

1. Generate a SSH key pair (make sure you generate it for the correct username !)
2. Add your public SSH key to your Bitbucket account
3. Configure your Jenkins to use your newly created SSH private key, as shown in the example below :

Then you need to use SSH URL as connection to your Git your credentials in your pipeline (instead of HTTP URL), as follows :

checkout([     $class: 'GitSCM', branches: [[name: '*/master']],     userRemoteConfigs: [[url:'ssh://BRNTZN@bitbucket.org:BRNTZN/repository2.git'],[credentialsId:'jenkins_ssh_key']] ]) 

Also, note that you might want to set a specific id for your credentials (e.g. jenkins_ssh_key or BRNTZN_ssh_key) to improve readability and simplify pipeline configuration.

回答4:

As stated in Pipeline plugin tutorial, for a multibranch project, you don't have to specify the repository in the node. Just use checkout scm.

文章来源: Using credentials from jenkins store in a jenkinsfile