I want to know how to create the credentials that can be used by Jenkins and by jobs running in Jenkins to connect to 3rd party services.
You should specify which 3rd party service you will work on.
Below is an example of credentials with Bitbucket.
I am now working with Jenkins ver. 1.568.
By default, there's a Credentials feature. So, if you want to add a credential, just click on Add Credentials. For example, I'd like to add SSH Username with password, so I can use it when checking out code from Bitbucket.
Credentials plugin - provides a centralized way to define credentials that can be used by your Jenkins instance, plugins and build jobs.
Credentials Binding plugin - allows you to configure your build jobs to inject credentials as environment variables.
The third party plugins need to be installed in your Jenkins instance. For example, Assembla Auth Plugin allows you to authenticate to an Assembla repository.
Which 3rd party services are you working with?
Instead of using SSH Username with private key you can simply use username with password option
I am using the Azure DevOps CLI in one of my pipelines. In order to use the CLI I first need to log in (authenticate). Unlike when using the REST API, I can't use the OAuth token that is available to me.
So here's my understanding of my options:
I can do an "az login" using a PAT that I map to this environment variable:
AZURE_DEVOPS_EXT_PAT
THIS IS THE WAY I'm doing it now.
Apparently you can use a Service Principal. I like this the most because I should theoretically be able to have this principal apply to everyone on my team. Is that correct?
Use "az login" with a user/password. This is the least desirable way of doing it because it involves passing around credentials. Too messy.
Although my pipeline has the OAuth token exposed (System.AccessToken), it cannot be used by the CLI. For example, if I try to assign the value of the OAuth token to the AZURE_DEVOPS_EXT_PAT, it fails (AZURE_DEVOPS_EXT_PAT=$System.AccessToken).
Questions:
Is it possible to use the OAuth token to log in to the CLI?
Is the Service Principal the best way to go?
Additional Info:
I do not have subscriptions only a tenant-id, we're not creating any Azure resources, we're an AWS shop that happens to be using ADO only for CICD.
Use az devops login instead of az login
From your pipeline use:
    - script: echo $(AccessToken) | az devops login
      env:
        AccessToken: $(System.AccessToken)

A few interesting notes:
Secrets (like System.AccessToken) are available to scripts unless you pass them in explicitly as environment variables
the System.AccessToken variable is the default access token of the build agent
there is a project-specific build agent and a project-collection build agent. The one you use is actually controlled by the 'limit access to current project scope' flag in the Pipeline settings for the project.
you may need to elevate permissions for the build agent if you're trying to manipulate objects. For example, you could grant the Create Tag permission on a repository if you wanted the build agent to update the repository.
you can also create your own PAT token with permissions that you specify.
I've got a webhook setup in GitLab to detect whenever changes are pushed to the project repo. This works as needed, however the URL in use contains my Jenkins credentials and I'd like to make this more secure. e.g.:
https://username:password@jenkins.url.com/project/git-project
Is there a way to generate a token of sorts in Jenkins instead of providing my username and password?
There are access tokens in GitLab; you can use them. On the Jenkins side, you can install the GitLab plugin and then add new credentials for SSH and the GitLab API token. Please see this and this for more details.
I have installed the latest Jenkins on an Ubuntu server and have a Jenkinsfile in my project repo on GitLab.
I am able to connect to a private repo on GitLab using a username/password credential in the Jenkins configuration for the project pipeline, without using the Jenkins GitLab plugin. This does not seem safe to me. How can I use a GitLab API token instead of username/password for Jenkins to access a remote private GitLab repo without using the Jenkins GitLab plugin? Another option is to set an SSH private key on the Jenkins server to authenticate against the GitLab repo. Is this option possible?
The Jenkins GitLab plugin is not officially supported and not well maintained because GitLab wants customers to use their own CI/CD solution in order to tie customers to their platform for marketing reasons.
A relatively safe way to handle this situation is to store your credentials in the credentials system in Jenkins (that way you do not have to include the credentials in the Jenkinsfile), and to use a deploy token (available for GitLab 10.7 and later) for the relevant repository. That token allows you to provide read-only rights to the repository.
Step 1 - setup the deploy token in GitLab
From the GitLab documentation
You can create as many deploy tokens as you like from the settings of your project:
Log in to your GitLab account.
Go to the project you want to create Deploy Tokens for.
Go to Settings > Repository.
Click on “Expand” on Deploy Tokens section.
Choose a name and optionally an expiry date for the token.
Choose the desired scopes.
Click on Create deploy token.
Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.
Step 2 - Saving the deploy token in Jenkins' credentials system
Since the deploy tokens have a username and password, pick that as the type in the steps below. Write down the id you will use in this step (see below) as you will need it in your pipeline declaration.
From the Jenkins documentation
To add new global credentials to your Jenkins instance:
If required, ensure you are logged in to Jenkins (as a user with the Credentials > Create permission).
From the Jenkins home page (i.e. the Dashboard of the Jenkins classic UI), click Credentials > System on the left.
Under System, click the Global credentials (unrestricted) link to access this default domain.
Click Add Credentials on the left. Note: If there are no credentials in this default domain, you could also click the add some credentials link (which is the same as clicking the Add Credentials link).
From the Kind field, choose the type of credentials to add.
From the Scope field, choose either:
Global - if the credential/s to be added is/are for a Pipeline project/item. Choosing this option applies the scope of the credential/s to the Pipeline project/item "object" and all its descendent objects.
System - if the credential/s to be added is/are for the Jenkins instance itself to interact with system administration functions, such as email authentication, agent connection, etc. Choosing this option applies the scope of the credential/s to a single object only.
Add the credentials themselves into the appropriate fields for your chosen credential type:
(...)
Username and password - specify the credential’s Username and Password in their respective fields.
(...)
In the ID field, specify a meaningful credential ID value - for example, jenkins-user-for-xyz-artifact-repository. You can use upper- or lower-case letters for the credential ID, as well as any valid separator character. However, for the benefit of all users on your Jenkins instance, it is best to use a single and consistent convention for specifying credential IDs. Note: This field is optional. If you do not specify its value, Jenkins assigns a globally unique ID (GUID) value for the credential ID. Bear in mind that once a credential ID is set, it can no longer be changed.
Specify an optional Description for the credential/s.
Click OK to save the credentials.
Step 3 - Use the credentials in your pipeline declaration
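You can use the credentials in your Jenkinsfile like so:

    pipeline {
        agent any  // declarative pipelines require an agent directive
        stages {
            stage('Clone stage') {
                steps {
                    // credentialsId refers to the ID chosen in step 2; the deploy token itself stays out of the Jenkinsfile
                    git url: 'https://gitlab.com/[username]/[my-repo].git', branch: 'master', credentialsId: 'my-gitlab-repo-creds'
                }
            }
        }
    }
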
In the above example I assume you picked the id my-gitlab-repo-creds in step 2.
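
A variation on step 3, added here as an example and not part of the original answer: when a shell step rather than the git step needs the deploy token, the Credentials Binding plugin mentioned earlier can inject it as environment variables. The stage name and the variable names GL_USER and GL_TOKEN are assumptions; the credential ID and the URL placeholder are the ones used above.

```groovy
pipeline {
    agent any
    stages {
        stage('List remote refs') {
            steps {
                // usernamePassword binding from the Credentials Binding plugin:
                // the values exist only inside this block and are masked in the log.
                withCredentials([usernamePassword(
                        credentialsId: 'my-gitlab-repo-creds',
                        usernameVariable: 'GL_USER',      // assumed variable name
                        passwordVariable: 'GL_TOKEN')]) { // assumed variable name
                    // Groovy single quotes: the script text reaches the shell
                    // unchanged, so the token is never interpolated into the
                    // pipeline source or the step's arguments.
                    sh '''
                        # The first -c clears any inherited helper. The second defines
                        # a helper that runs in its own shell and reads the variables
                        # from the environment, so the token is not placed on the git
                        # command line or in the remote URL.
                        git -c credential.helper= \
                            -c credential.helper='!f() { echo "username=$GL_USER"; echo "password=$GL_TOKEN"; }; f' \
                            ls-remote 'https://gitlab.com/[username]/[my-repo].git'
                    '''
                }
            }
        }
    }
}
```

Writing the same step with a double-quoted Groovy string and `${GL_TOKEN}` would have Groovy substitute the secret before the shell runs, which is the pattern to avoid.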
Is there a way to add global tool configurations for Artifactory and AWS in Jenkins through the CLI?
I'm trying to write a Chef cookbook for automating creation of Jenkins jobs, but I don't know how to add credentials for tools.
Credentials don't depend on the tools which will use them.
You can register credentials in general through the JENKINS Credentials Plugin API: see for instance
How to create jenkins credentials via the REST API? (similar to jenkins_api_client issue 162)
update Jenkins credentials by script
You can then use those credentials in association with a Jenkins Job.
Your question is twofold.
Credentials
The Jenkins chef cookbook offers a jenkins_credentials resource, which allows you to pipe credentials (using Jenkins API internally) into your Jenkins instance.
Global Tool Configuration
You can use the jenkins_script resource of the same cookbook to execute any Groovy script. This allows you to configure your Jenkins instance. You now just have to figure out exactly what the code is to, e.g., select the previously defined credentials. But the code looks similar to the example given in the cookbook's README.
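
A Groovy script of the kind that could be handed to jenkins_script or pasted into the script console, added here as an example and not taken from the cookbook's README: it registers a username/password credential through the Credentials Plugin API and replaces it in place when the ID already exists. The credential ID, the description and the environment variable names are hypothetical.

```groovy
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.common.IdCredentials
import com.cloudbees.plugins.credentials.domains.Domain
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl

// Hypothetical values: the ID jobs will reference, and the environment
// variables (of the Jenkins controller process) that carry the secret,
// so the script itself never contains it.
def credentialId = 'artifactory-deployer'
def username = System.getenv('ARTIFACTORY_USER')
def password = System.getenv('ARTIFACTORY_PASSWORD')
if (!username || !password) {
    throw new IllegalStateException('ARTIFACTORY_USER / ARTIFACTORY_PASSWORD not set')
}

// System store, global domain: the same place the UI's
// "Global credentials (unrestricted)" page writes to.
def store = SystemCredentialsProvider.getInstance().getStore()
def domain = Domain.global()

def replacement = new UsernamePasswordCredentialsImpl(
        CredentialsScope.GLOBAL,
        credentialId,
        'Artifactory deployer (managed by configuration management)',
        username,
        password)

// Look for an existing entry with the same ID so that re-running the
// script rotates the password without creating a duplicate.
def current = store.getCredentials(domain).find {
    it instanceof IdCredentials && it.id == credentialId
}

def changed
if (current) {
    changed = store.updateCredentials(domain, current, replacement)
} else {
    changed = store.addCredentials(domain, replacement)
}

// Report the outcome only; the secret is never printed.
println "${credentialId}: ${current ? 'updated' : 'created'} (changed=${changed})"
```

Because the ID stays the same across updates, jobs that reference it by `credentialsId` pick up a rotated password without any per-job change.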
I have set up a few Jenkins jobs which are using TFS. For each one I had to manually input TFS username and password inside the TFS plugin.
Is there a way to change the password in all jobs using some kind of global setting? Or do I have to manually change the password on all jobs when I change my password?
Any help would be appreciated.
Thanks,
Daniel
Get latest TFS (5.0.0) and Credentials (2.1.4) plugins.
Add domain and credentials usable to connect to your TFS server via Jenkins > Configure Credentials.
Now select the just-added domain, click "Configure", and add your TFS server hostname (or proper wildcard) under Hostname > Include, so Jenkins will know where the provided credentials can be used.
Now, you can just leave user/password fields empty in job's TFS SCM configuration.
Instructions are mostly taken from TFS plugin GitHub page
Even though TFS Plugin bug Allow use of credentials from Credentials Plugin isn't resolved, all is working fine.
The TFS Plugin for Jenkins does not read the global credentials. You need to enter the username and password for each job manually.
In the Jenkins admin you can add "global" credentials. For this, as a Jenkins admin, go to:
Manage Jenkins > Manage Credentials > Add Credentials > Username with password and save it.
These credentials will be available in all the jobs configuration of this Jenkins instance.
If you don't see the Manage Credentials item, you may need to install the Jenkins Credentials Plugin.