VSTS secrets as environment variables - environment-variables

In the VSTS build, I set various variables (Edit build -> Variables tab), some I set as secret (click the lock), some I don't.
In the build, I run a command prompt task to run set -- e.g. show me all the environment variables. Those marked as secret aren't present.
How do I get VSTS secrets into environment variables?

Secret variables are:
Encrypted at rest with a 2048-bit RSA key.
Not returned back to the client. They are automatically masked out of
any log output from the build or release.
Not decrypted into environment variables. So scripts and programs run
by your build steps are not given access by default.
Decrypted for access by your build steps. So you can use them in
password arguments and also pass them explicitly into a script or a
program from your build step (for example as $(password)).
So, Secure variables need to be passed in to tasks as inputs. Check this case: How to add secret variable as task environment variable in VSTS

Related

How to inject dynamic secret parameters from Jenkins job execute shell script

I am working on jenkins, which has dropdownlist/select list load with set MQ broker details. Each broker have different passwords stored in AWS secrets manger. I have written shell script to fetch password AWS secrets manager, i can able to get the password in execute shell build step.
I tried using mask passwords plugin-> mask passwords and regex, i am using same variable(BR_PASSWORD) defined in mask password option, even in shell script also.
What i provided default value with variables defined in global or password parameter , for default value.
All these options masking defined in default password in console output. But values which are coming trough shell script dynamically is not masking in console out put.
please add an example of your code.
And use groove string 'command ' for mask passwords
sh '$password'

Differentiating deployment ENV in properties file using Jenkins

So i have a Python script which does grant access (whitelist) users in websphere.
I have integrated this with Jenkins and a properties file in GIT that has list of users.
When I execute the jenkins job which runs on a slave machine as restricted in the setup.
What i now need to do is to differentiate the deployment env from non-prod and prod.
whitelists / passwords for prod Systems should not be stored as part of the repo but somewhere else on the target machine / prod System or even as a manual input to the target location if you do not deploy that frequently.
This being said, you can use conditional pipeline steps. The block after the when keyword will be executed only if the expression evaluates to true: Examples: env.TARGET_SYSTEM = 'prod' or GIT_BRANCH.startsWith("PROD")
You can have a block for non-prod systems where you copy the whitelist file to the apps target dir, and an other one for prod ones where you just check for the existence of the file (if it does not exist you can request a manual interaction and send out an email to copy the file here and there)
In case for you it is totally fine to have production data as part of the repo then simply use good old filename convention:
sh "cp whitelist.${params.TARGET_SYSTEM}.properties /my/target/dir"
where filenames are like: whitelist.non-prod.properties and whitelist.prod.properties . TARGET_SYSTEM is a parameter of the job

Jenkins build pipeline providing env vars for different environments

I have a public git repository that has a Jenkinsfile. The Jenkinsfile needs to be able to build three environments: dev, staging and production.
There's a set of variables that need to be set for each environment - some of these are sensitive and I wouldn't want to put them in the public repo. Some examples:
S3_BUCKET_URL
API_ENDPOINT
API_USERNAME
API_PASSWORD
etc.
In an ideal world I'd like a build parameter, e.g. BUILD_ENV that has the options: 'dev', 'staging' and 'prod' and some logic that sets the relevant vars dependent on env selection.
I've looked at the credentials pluglins, but they don't handle multiple envs and the UI seems awkward. Plus the env vars are accessible centrally, whereas we need them to be directly tied to the build job.
I've also looked at the env inject plugin, which works for setting properties, but there doesn't appear to be a way to make it vary those properties based on a chosen build parameter.
Is there a way to achieve this with the build pipeline? Surely there must be a plugin that already provides this capability?

Using parameterized credentials in Jenkins

Say I've got dev, qa, and stable server environments for some web app, with corresponding git branches. Each environment should be continuously integrated. Each of these environments has a separate username/password pair used to publish the app. I would like to make a Jenkins multiconfiguration (matrix) job to publish to all of these environments. The publishing almost certainly must be done with a shell script.
My failed attempt consisted of using the Jenkins Credentials and Credentials Binding plugins. Credentials Binding provides a way to inject credentials as environment variables using a parameter. However, setting this parameter dynamically (i.e., something like if ENV == dev: CREDS = CREDS_dev) doesn't appear to be possible. Build scripts happen afterwards, and even using the Environment Script plugin doesn't work.
Is there any way for this to happen?
Had similar situation and used groovy script with parameterized build (https://wiki.jenkins-ci.org/display/JENKINS/EnvInject+Plugin). In my case I had a choice parameter defined as "DEPLOY" and had different values, like "Test", "Release", then in the following groovy script (Evaluated Groovy script):
if ("Test".equals(DEPLOY)) {def map = [DEPLOY_URL: "http://someurl", DEPLOY_STORAGE: "testaccount"]; return map }
You should be able to specify your credentials in here or copy env variables. After that you can access these variables in windows batch command using:
echo %DEPLOY_URL%
echo %DEPLOY_STORAGE%
I also had another choice parameter defined "Deploy.Branch", with values of "dev" and "master". And used it as a parameter to Branches to Build, the value was set to (if you want to dynamically specify branch based on parameters):
*/${Deploy.Branch}
Hope this helps.
Here's what I ended up doing. It's kind of a workaround for what I would argue is a flawed design or missing use case in Jenkins.
Redid my creds so they have standard IDs (this is in the Advanced part and you can't set it after creation)
Matrix job runs a trivial script to figure out what env maps to what creds ID, then triggers...
The main job that does the deployment

How to pass the password to the jenkins build

I have a java class where it requires the password of an user which is stored in the local machine of the user, when i trigger the build in master Jenkins, build is failed due to the authentication where it searching for the user password which is not available in the machine.How can i make it generics to the Jenkins to get the build successful.
Set the Environment Variables instead of hard code.
Example:
For each machine, set this variable first
Your local
set PATH_TO_MY_PASSWORD="U:/authentication/pw.txt"
Jenkins
set PATH_TO_MY_PASSWORD="C:/my_jenkins/pw.txt"
Then change your code to:
private static final String PASSWORD_FILE_PATH = System.getenv("PATH_TO_MY_PASSWORD");

Resources