Hiding password in Jenkins pipeline script

臣服心动 2020-12-05 13:19

I'm trying to mask a password in my Jenkins build.

I have been trying the mask-passwords plugin.

However, this doesn't seem to work with my Jenkins pipelin

2 answers
  •  醉酒成梦
    2020-12-05 13:58

    Looking at this issue, https://issues.jenkins-ci.org/browse/JENKINS-27392, you should be able to do the following:

    node {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: '123ADS', var: 'SECRET']]]) {
            echo env['SECRET'];
        }
    }
    

    However, if you look at the last comments in that issue it doesn't work, seems like a bug. However, if you know the secret and accidentally print it in the logs, then it is hidden, like this:

    node {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: '123ADS', var: 'SECRET']]]) {
            echo "123ADS";
        }
    }
    

    This produces:

    [Pipeline] node
    Running on master in workspace/pl
    [Pipeline] {
    [Pipeline] wrap
    [Pipeline] {
    [Pipeline] echo
    ********
    [Pipeline] }
    [Pipeline] // wrap
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    Finished: SUCCESS
    

    Regarding the error you are getting, No such DSL method '$' found among steps ..., I'm just guessing but you are probably using ${VAR} directly in the pipeline script, ${...} is only relevant inside strings in groovy.

    EDIT: Or you can use the Credentials Plugin and pipeline step withCredentials:

    // Credential d389273c-03a0-45af-a847-166092b77bda is set to a string secret in Jenkins config.
    node {
        withCredentials([string(credentialsId: 'd389273c-03a0-45af-a847-166092b77bda', variable: 'SECRET')]) {
            bat """
    if ["${SECRET}"] == ["123ASD"] echo "Equal!"
    """;
        }
    }
    

    This results in:

    [Pipeline] node
    Running on master in workspace/pl
    [Pipeline] {
    [Pipeline] withCredentials
    [Pipeline] {
    [Pipeline] bat
    [pl] Running batch script
    
    workspace/pl>if ["****"] == ["****"] echo "Equal!" 
    "Equal!"
    [Pipeline] }
    [Pipeline] // withCredentials
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    Finished: SUCCESS
    

    Note that this plugin binds the variable directly to the closure and not the environment as the other, e.g. I can use the variable SECRET directly.
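
An added example, not part of the answer above and not Jenkins project code: the withCredentials block from the answer, with the Groovy-interpolated form next to a form that lets the batch interpreter read the secret from the environment. The credentials ID my-secret-id is a placeholder, and 123ASD is the sample value used in the answer.

```groovy
// Added example. 'my-secret-id' is a placeholder credentials ID (assumption),
// standing in for a "Secret text" credential defined in the Jenkins config.
node {
    withCredentials([string(credentialsId: 'my-secret-id', variable: 'SECRET')]) {

        // Discouraged: a double-quoted Groovy string expands ${SECRET} on the
        // controller before the step runs, so the secret value becomes part of
        // the script text that is handed to the agent.
        bat "if \"${SECRET}\" == \"123ASD\" echo Equal!"

        // Preferred: a single-quoted string is passed through unchanged, and
        // cmd.exe expands %SECRET% from the environment variable that
        // withCredentials sets for steps inside this block.
        bat 'if "%SECRET%" == "123ASD" echo Equal!'

        // Equivalent on a Linux agent:
        // sh 'test "$SECRET" = "123ASD" && echo Equal!'
    }
    // SECRET is only bound inside the withCredentials block.
}
```

Console masking works by matching the exact secret value in the log output, so keeping the value out of the script text protects it in places the asterisks do not reach.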
