发表新帖
发表新帖

Hiding password in Jenkins pipeline script

后端 未结
关注
2 982
臣服心动
臣服心动 2020-12-05 13:19

I\'m trying to mask a password in my Jenkins build.

I have been trying the mask-passwords plugin.

However, this doesn\'t seem to work with my Jenkins pipelin

相关标签:
2条回答
  • 醉酒成梦
    2020-12-05 13:58

    Looking at this issue, https://issues.jenkins-ci.org/browse/JENKINS-27392, you should be able to do the following:

    node {
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: '123ADS', var: 'SECRET']]]) {
        echo env['SECRET'];
    }
}

    However, if you look at the last comments in that issue it doesn't work, seems like a bug. However, if you know the secret and accidentally print int in the logs, the it is hidden, like this:

    node {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: '123ADS', var: 'SECRET']]]) {
        echo "123ADS";
    }
}

    This produces:

    [Pipeline] node
Running on master in workspace/pl
[Pipeline] {
[Pipeline] wrap
[Pipeline] {
[Pipeline] echo
********
[Pipeline] }
[Pipeline] // wrap
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

    Regarding the error you are getting, No such DSL method '$' found among steps ..., I'm just guessing but you are probably using ${VAR} directly in the pipeline script, ${...} is only relevant inside strings in groovy.

    EDIT: Or you can use the Credentails Plugin and pipeline step withCredentials:

    // Credential d389273c-03a0-45af-a847-166092b77bda is set to a string secret in Jenkins config.
node {
    withCredentials([string(credentialsId: 'd389273c-03a0-45af-a847-166092b77bda', variable: 'SECRET')]) {
        bat """
if ["${SECRET}"] == ["123ASD"] echo "Equal!"
""";
    }
}

    This results in:

    [Pipeline] node
Running on master in workspace/pl
[Pipeline] {
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] bat
[pl] Running batch script

workspace/pl>if ["****"] == ["****"] echo "Equal!" 
"Equal!"
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

    Note that this plugin binds the variable directly to the closure and not the environment as the other, e.g. I can use the variable SECRET directly.

    0 讨论(0)
  • 感动是毒
    2020-12-05 14:17

    The simplest way would be to use the Credentials Plugin.

    There you can define different types of credential, whether it's a single password ("secret text"), or a file, or a username/password combination. Plus other plugins can contribute other types of credentials.

    When you create a credential (via the Credentials link on the main Jenkins page), make sure you set an "ID". In the example below, I've called it my-pass. If you don't set it, it will still work, Jenkins will allocate an opaque UUID for you instead.

    In any case, you can easily generate the required syntax with the snippet generator.

    withCredentials([string(credentialsId: 'my-pass', variable: 'PW1')]) {
    echo "My password is '${PW1}'!"
}

    This will make the password available in the given variable only within this block. If you attempt to print the password, like I do here, it will be masked.

    0 讨论(0)
 看不清?
提交回复
热议问题