I'm trying to apply best practices to my jenkins pipelines, so I'm trying to apply the recommendation that Groovy string interpolation should never be used with credentials
First I'm executing in my pipeline as recommended in Jenkins documentation - interpolation of sensitive vars, so I use single quotes in my script:
withCredentials([usernamePassword(credentialsId: 'my-docker-user', passwordVariable: 'docker_pwd', usernameVariable: 'docker_usr')]) {
dcheckScriptResult = sh label: 'Retrieving image', script: ''' docker login -u $docker_usr -p $docker_pwd $dockerRegistry ''', returnStatus: true
echo "dcheckScriptResult = $dcheckScriptResult"
}
But I'm getting as a result:
04:59:04 + docker login -u **** -p ****
04:59:04 Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password
Now I try as it is considered wrong (double quotes):
dcheckScriptResult = sh label: 'Retrieving image', script: """ docker login -u $docker_usr -p $docker_pwd $dockerRegistry """, returnStatus: true
echo "dcheckScriptResult = $dcheckScriptResult"
And it works...but with the warning about using the groovy interpolation:
05:11:54 Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
05:11:54 Affected argument(s) used the following variable(s): [docker_pwd, docker_usr]
05:11:54 See https://jenkins.io/redirect/groovy-string-interpolation for details.
05:11:54 + docker login -u **** -p **** myrepository.mycompany
05:11:54 WARNING! Your password will be stored unencrypted in /home/ccloud/.docker/config.json.
05:11:54 Configure a credential helper to remove this warning. See
05:11:54 https://docs.docker.com/engine/reference/commandline/login/#credentials-store
05:11:54
05:11:54 Login Succeeded
Any idea what I'm missing?
Related
I have password that looks like this KMqJH9OL?LoNw:w=ZgD1;?zLrH<c. Now when I am trying to input this password into the groovy script it breaks because of ; and <.
I have tried different ways to escape this non of it worked. In the below code BITBUCKET_PASS is the one having the above password.
sh '''
yarn cov-report -c ${BUILD_VERSION} -u ${BITBUCKET_USER} -p ${BITBUCKET_PASS} $PWD/backend/test_report/lcov.info
'''
Here's the code that I have tried and it didn't work.
sh '''
yarn cov-report -c ${BUILD_VERSION} -u ${BITBUCKET_USER} -p "${BITBUCKET_PASS}" $PWD/backend/test_report/lcov.info
'''
Please look at the String interpolation in Groovy scripts :
Instead using {} try like this :
sh '''
yarn cov-report -c $BUILD_VERSION -u $BITBUCKET_USER -p $BITBUCKET_PASS $PWD/backend/test_report/lcov.info
'''
How to inject passwords to the build as environment variables(these are job passwords) for deployment through ansible via pipeline or dsl script
First, those job passwords should be registered as credentials inside Jenkins.
Second, you can use said file when calling your ansible-playbook command, through the Credentials Binding plugin.
See "How to use multiple credentials in withCredentials in Jenkins Pipeline"
node {
withCredentials([
usernamePassword(credentialsId: credsId1, usernameVariable: 'USER1', passwordVariable: 'PASS1'),
usernamePassword(credentialsId: credsId2, usernameVariable: 'USER2', passwordVariable: 'PASS2')
...
]) {
sh '''
set +x
ansible-playbook /path/to/ansible-playbook.yml -i /path/to/hosts_list -u AUTO_USER --private-key=/path/to/private-key \
-e $USER1=$PASS1 -e $USER2=$PASS2
'''
}
}
Note: the file should have a JSON content, with your
Jenkins is configured to deploy PCF application. PCF login credentials is configured in Jenkins as variables. Is there any way to fetch the PCF login credential details from Jenkins variables?
echo "Pushing PCF App"
cf login -a https://api.pcf.org.com -u $cduser -p $cdpass -o ORG -s ORG_Dev
cf push pcf-app-04v2\_$BUILD_NUMBER -b java_buildpack -n pcf-app-04v2\_$BUILD_NUMBER -f manifest-prod.yml -p build/libs/*.jar
cf map-route pcf-app-04v2\_$BUILD_NUMBER apps-pr03.cf.org.com --hostname pcf-app
cf delete -f pcf-app
cf rename pcf-app-04v2\_$BUILD_NUMBER pcf-app
cf delete-orphaned-routes -f
Rather than accessing Jenkins credentials outside to manually run your app, you may probably define a simple pipeline in Jenkins and can define a custom script into it to perform these tasks. In script you can access it through credentials() function and use the environment variable in your commands.
E.g.
environment {
CF_USER = credentials('YOUR JENKINS CREDENTIAL KEY')
CF_PWD = credentials('CF_PWD')
}
def deploy() {
script {
sh '''#!/bin/bash
set -x
cf login -a https://api.pcf.org.com -u ${CF_USER} -p ${CF_PWD} -o ORG -s ORG_Dev
pwd
'''
}
I'm getting passwords back from Ansible as part of a Jenkins pipeline, then wanting to mask these passwords in shell scripts fired from Jenkins.
The difficulty is that these passwords are not pipeline parameters or Jenkins credentials.
I can see that the mask passwords plugin allows regular expressions to be masked when pre-defined in Manage Jenkins. What I want to do here is define a regex (or literal string) to mask programmatically.
What I'd like is something like this:
def password = getPasswordFromAnsible()
maskPassword(password)
sh "applogin -u ${username} -p ${password}"
This sh script should generate the following in the console log:
sh "applogin -u my_username -p ******"
One option is to disable command echoing before you run that particular sensitive command, and follow the logic using descriptive text instead:
sh '''
echo "Attempting to login"
set +x
applogin -u ${username} -p ${password}
set -x
echo "Logged in successfully"
'''
What is a secure way to use credentials to make REST API calls from a Jenkinsfile?
For example, the following would not be secure because the username and password are exposed in code:
sh "curl -D- -u username:password -X GET -H 'Content-Type: application/json' http://<ip-of-server-with-rest-api>/path/to/api/endpoint"
You should use Credentials Binding Plugin
Here is an example:
withCredentials([usernamePassword(credentialsId: 'amazon',
usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
// available as an env variable, but will be masked if you try to print it
out any which way
// note: single quotes prevent Groovy interpolation; expansion is by
Bourne Shell, which is what you want
sh 'echo $PASSWORD'
// also available as a Groovy variable
echo USERNAME
// or inside double quotes for string interpolation
echo "username is $USERNAME"
sh "curl -D- -u $USERNAME:$PASSWORD -X GET -H 'Content-Type: application/json' http://<ip-of-server-with-rest-api>/path/to/api/endpoint"
}
Your credentials will be hidden in Console Output.