I want to use scp/ssh to upload some files to a server. I discover that I need to use certificate-based authentication, but the question is how? Really what I want to do is to use the same sort of credentials I use with git - passworded ssh cert stored in Jenkins. However, I can't work out how to - the snippet generator has no obvious option for that.
What do others do? Is there an undocumented feature that would do this?
withCredentials([sshUserPrivateKey(credentialsId: "yourkeyid", keyFileVariable: 'keyfile')]) {
stage('scp-f/b') {
sh 'scp -i ${keyfile} do sth here'
}
}
Maybe this is what you want. Install Credentials Plugin and
Credentials Binding Plugin. Add some credentials and then you will get "yourkeyid", bind this credentials to keyFileVariable, passphraseVariable etc.
More details and documentation can be found on the Github site of the Jenkins Credentials Binding Plugin, Credentials Binding Plugin docs, Credentials Plugin, SSH Pipeline Steps plugin
If you install the SSH Agent plugin you can use the ssh-agent pipeline step to run a shell script with an ssh-agent active. The ssh-agent takes a Jenkins credentials ID (a passworded ssh cert, like the one you have for git).
Related
Having issues creating an ssh credential in Jenkins that allows access to GitLab. I have 2 AWS instances, one with GitLab and one with Jenkins. I would like to setup a multibranch pipeline in Jenkins to run a GitLab repo. I am able to create the pipeline and can access GitLab if I use a username/password credential (using "root"/initial password) but would like to use the more secure route of using a username/SSH credential. I have generated the SSH (of the ed25519 variety) in the GitLab instance (while in root). Then, in GitLab, supplied the public key to the root user. Then, in Jenkins, provided the private SSH key and set username as "root" in a username/SSH credential. When I try to run the pipeline using the username/SSH credential I get an error indicating that it is not authorized. Should I be using a different username? Should I be generating the SSH key in a different location?
Well, I figured it was something small I was missing. I was configuring the pipeline job for the http url of the repo rather than the SSH url. Once I changed that, it worked right away.
I'm new to Jenkins world, I have a usecase where I have setup a jenkins pipeline using JenkinsFile. As part of deployment stage, we will invoke a few ansible script in the backend to get the image deployed into Kubernetes cluster running in cloud environment. The script expects few secrets in environment variable, so I like to understand which is the best option to handle secret in Jenkins, do I need them to enter into jenkins credentials and read them in jenkins environment tag like below. Or It is safe to get the value from the user using input plugin when executing the pipeline, but if I get from user then I would not able to completely automate pipeline will wait until user input the secret. Could you help in safe way to handle credentials.
pipeline{
agent any {
environment {
SECRET_VALUE=credentials('SECRET_VALUE_FROM_JENKINS_CREDENTIALS')
}
}
}
It depends on your use case, Indeed both approaches as you mentioned above will work.
There shouldn't be any problem in keeping your secrets as Jenkins credentials, in my case, all my secrets are in the Hashicorp vault and my Jenkins credentials point to the vault location as an example...
- usernamePassword:
scope: GLOBAL
id: serviceUser
username: svc_admin
password: "${secret/xyz/service_user/password}"
description: My secret service user
The Jenkins deployment is via JCasC.
As jenkins admin I can say it is safe to store credentials in jenkins.
Just create credentials in jenkins and use in a pipeline. Also it's nice to have mask password plugin installed in jenkins, which will mask credentials in jenkins jobs' output.
I am using SSH Agent Plugin version 1.17 with Jenkins version 2.190.3
When I create credentials using
Jenkins -> Credentials -> System -> Global credentials (unrestricted) -> Add Credentials
But when I create jenkins job type Freestyle project, I don't see credentials in ssh agent drop down.
Please advise what I am missing
Ref:
https://wiki.jenkins.io/display/JENKINS/SSH+Agent+Plugin
https://support.cloudbees.com/hc/en-us/articles/360029470091-How-to-use-the-SSH-Agent-Plugin
Jenkins plugin ssh-agent showing "ERROR: Failed to run ssh-add"
Update:
Issue is open for credentials (username/password) https://issues.jenkins-ci.org/browse/JENKINS-59807
but good thing is that it works with private key :)
You have to select Kind as SSH Username with private key to be able to specific use credentials in ssh agent:
There are lots of question on here about Permission denied (publickey) errors when using the Jenkins git plugin.
Can someone explain the authentication flow this plugin uses to check out a repository? I can't find a good description on the plugin page.
I want to just SSH into the build slave, checkout the repository there, then run my job, but clearly that is not how it works.
I guess I could add my credentials to the jenkins master, but I dont want any code there. I want it on my build slave.
Issue has nothing to do with git really. As their documentation states, it relies on git runtime which in its turn relies on system environment when it comes to secure connections. Ssh requires client to have valid key to connect and fails to that message if client does not provide one. Without any additional actions, key is not injected into environment, so client could not provide any valid key.
What you actually can use is ssh agent plugin. That allows to add key to ssh-agent on slave that will be catched up by git.
When I try to run my build on a slave node using jenkins I get the following error:
Could not find a suitable ssh-agent provider
Does anyone know why and how I can avoid the error?
Assuming you've installed Windows Git on Windows slave, it comes with ssh-agent binary (e.g. C:\Program Files\Git\usr\bin). Try adding its path to system variable PATH.
Alternatively generate personal API token (OAuth) for that GitHub user and specify along with your repository address, e.g.
git clone https://4UTHT0KEN#github.com/foo/bar
If you have Windows slave and SSH Credentials plugin that is because Windows doesn't provide ssh-agent. If you're using SSH Credentials plugin for provide key to git to check out a repo in comand-line step, you can provide key to git client on each agent (because git have ssh-agent). If your case not that I supposed, you need to follow steps described here in second comment.