I need to prevent using credentials by every projects. I.e. test1 project should be able to access only test1-cred and only if it is started by user1 from Gitlab or directly in Jenkins. Also this should be supported by Jenkins declarative pipeline. If you use specific credentials in Jenkinsfile which are not allowed for current project - Jenkins shouldn't allow to use them.
How can I implement such a behavior?
As far as I know there are three common places to configure credentials in Jenkins: by user, by folder or globally
It seems that the folder plugin would suit your use case. It allows to organize your projects in folders. For each folder you can configure access rights and credentials.
More informations on credentials: https://plugins.jenkins.io/credentials
Related
We are implementing a GitOps like CI/CD in Jenkins. Where we are deploying to Openshift/Kubernetes. For sake of simplicity lets say we have only 2 repositories:
First with the application source code , there is also Jenkinsfile in the source that defines the build. (that also pushes images to a repository.)
We ha a second repository where the deployment pipeline is defined (jenkinsfile). This pipeline deploys image to production (think "kubectl apply").
The problem is that the pipeline (2) needs to access credentials that are used to authenticate (against kubernetes api) to productions. We thought to store these credentials in Jenkins. Where we don't want in same Jenkins the first (1) pipeline to have access to these production credentials.
How could we solve this with Jenkins? (How to store these credentials)
thank you
Just to capture from the comments, there's effectively an answer from #RRT in another thread ( https://stackoverflow.com/a/42721809/9705485 ) :
Using the Folders and Credentials Binding plugin, you can define credentials on the folder level that are only available for the job(s) inside this folder. The folder level store becomes available once you made the folder.
Source: https://support.cloudbees.com/hc/en-us/articles/203802500-Injecting-Secrets-into-Jenkins-Build-Jobs
Another example of adding scoped credentials (this one for dockerhub credentials) is https://liatrio.com/building-docker-jenkins-pipelines/
I have installed latest Jenkins on ubuntu server and Jenkinsfile in my project repo on Gitlab.
I am able to connect to private repo on Gitlab using username/password credential on Jenkins configuration for the project pipeline without using Jenkins Gitlab plugin. This does not seem safe to me. How can I use Gitlab API token instead of username/password for Jenkins to access remote private Gitlab repo without using Jenkins Gitlab plugin. Another option is to set ssh private key on Jenkins server to athenticate against Gitlab repo. Is this option possible?
Jenkins Gitlab plugin is not officially supported and not well maintained because Gitlab wants customers to user their own CI/CD solution in order to tie customers to their platform for marketing reasons.
A relatively safe way to handle this situation is to store your credentials is the credentials system in Jenkins (that way you do not have to include the credentials in the JenkinsFile), and using a deploy token (available for Gitlab 10.7 and later) for the relevant repository. That token allows you to provide read-only rights to the repository.
Step 1 - setup the deploy token in GitLab
From the GitLab documentation
You can create as many deploy tokens as you like from the settings of your project:
Log in to your GitLab account.
Go to the project you want to create Deploy Tokens for.
Go to Settings > Repository.
Click on “Expand” on Deploy Tokens section.
Choose a name and optionally an expiry date for the token.
Choose the desired scopes.
Click on Create deploy token.
Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.
Step 2 - Saving the deploy token in Jenkins' credentials system
Since the deploy tokens have a username and password, pick that as the type in the steps below. Write down the id you will use in this step (see below) as you will need it in your pipeline declaration.
From the Jenkins documentation
To add new global credentials to your Jenkins instance:
If required, ensure you are logged in to Jenkins (as a user with the Credentials > Create permission).
From the Jenkins home page (i.e. the Dashboard of the Jenkins classic UI), click Credentials > System on the left.
Under System, click the Global credentials (unrestricted) link to access this default domain.
Click Add Credentials on the left. Note: If there are no credentials in this default domain, you could also click the add some credentials link (which is the same as clicking the Add Credentials link).
From the Kind field, choose the type of credentials to add.
From the Scope field, choose either:
Global - if the credential/s to be added is/are for a Pipeline project/item. Choosing this option applies the scope of the credential/s to the Pipeline project/item "object" and all its descendent objects.
System - if the credential/s to be added is/are for the Jenkins instance itself to interact with system administration functions, such as email authentication, agent connection, etc. Choosing this option applies the scope of the credential/s to a single object only.
Add the credentials themselves into the appropriate fields for your chosen credential type:
(...)
Username and password - specify the credential’s Username and Password in their respective fields.
(...)
In the ID field, specify a meaningful credential ID value - for example, jenkins-user-for-xyz-artifact-repository. You can use upper- or lower-case letters for the credential ID, as well as any valid separator character. However, for the benefit of all users on your Jenkins instance, it is best to use a single and consistent convention for specifying credential IDs. Note: This field is optional. If you do not specify its value, Jenkins assigns a globally unique ID (GUID) value for the credential ID. Bear in mind that once a credential ID is set, it can no longer be changed.
Specify an optional Description for the credential/s.
Click OK to save the credentials.
Step 3 - Use the credentials in your pipeline declaration
You can use the credentials in your jenkinsFile like so:
pipeline {
stages {
stage('Clone stage') {
steps {
git url: 'https://gitlab.com/[username]/[my-repo].git', branch: 'master', credentialsId: 'my-gitlab-repo-creds'
}
}
}
}
In the above example I assume you picked the id my-gitlab-repo-creds in step 2.
Is there a way to add global tool configurations for artifactory and aws in jenkins through cli?
I'm trying to write chef cookbook for automating creation of Jenkins job, but I don't know how to add credentials for tools.
Credentials don't depend on the tools which will use them.
You can register credentials in general through the JENKINS Credentials Plugin API: see for instance
How to create jenkins credentials via the REST API? (similar to jenkins_api_client issue 162)
update Jenkins credentials by script
You can then use those credentials in association with a Jenkins Job.
Your question is twofold.
Credentials
The Jenkins chef cookbook offers a jenkins_credentials resource, which allows you to pipe credentials (using Jenkins API internally) into your Jenkins instance.
Global Tool Configuration
You can use the jenkins_script resource of the same cookbook to execute any Groovy script. This allows you to configure your Jenkins instance. You now just have to figure out exactly, what the code is to, e.g., select the previously defined credentials. But the code looks similarly to the example given in the cookbook's README.
Many times I have the need to download files (e.g. archives) from a remote repository (e.g. maven-repo) which is protected by username/password.
Its easy to get such a file with curl or wget, but when I don't like to see the password on the logs, maybe there is a better/embedded way to do this from within a jenkins workflow? And how do I combine it with credentials managed by jenkins credential plugin?
Use the Credentials Binding plugin, which integrates with Workflow.
I am using Jenkins installed on CentOS release 6.3 and Jenkins 1.474. I am using Project-based Matrix Authorization Strategy so that only users in specific AD groups are allowed to log in to Jenkins and view particular jobs.
However I am trying to give anonymous access to workspaces for jobs so I can do a wget and specify the http URL. This is so the hosts I am managing via Jenkins can get certain hosts.
I have added Anonymous to the Project-based Matrix Authorization Strategy section and ticked workspaces but this isn't working. When doing a wget I can access forbidden and when I put the URL in to a browser, I am asked to login. I have also configured Anonymous to have access to the workspace on the job itself, but still get access forbidden.
Has anyone got any ideas as to why his is not working?
We are using Jenkins version 1.475
We have the following enabled for anonymous access:
Overall:
Read -> Enabled
Job:
Read -> Enabled
Workspace -> Enabled
This allows access to anonymous users to view the Dashboard and the Jobs and also to the workspace...
As of Jenkins ver. 1.609.1, the changes can be made under
Configure Global Security | Configure Global Security (or htTps://<your jenkins host>/configureSecurity/).
Similar to sdmythos_gr's answer just set Overall Read and Job Read for Anonymous.