How to start Jenkins build remotely with cloudbees authentication enabled?
Please let me know the command to start it from a script or throw commang like wget/curl
You can POST to https://accountname.ci.cloudbees.com/job/jobname/build passing your CloudBees username (typically an email address) and Jenkins API token (see /me/configure) for BASIC authentication.
But if you would rather not keep your full credentials in a script, you can pick an arbitrary token and configure that in the job definition, in which case POSTing to build?token=… without authentication will schedule a build. In the usual case that your Jenkins instance is not visible to anonymous users, this will not work (since the whole URL space is blocked), in which case the Build Token Root plugin may be used to accomplish the same thing.
Related
I am using the Azure Devops CLI on one of my pipelines. In order to use the CLI I need first login (authenticate). Unlike using the REST API, I can't use the OAuth token that is available to me.
So here's my understanding of my options:
I can do an "az login" using a PAT that I map to this environment variable:
AZURE_DEVOPS_EXT_PAT
THIS IS THE WAY I'm doing it now.
Apparently you can use a Service Principal. I like this the most because I should theoretically be able to have this principal apply to everyone on my team. Is that correct?
Use "az login" with a user/password. This is least desirable way to doing it because it involves passing around credentials. Too messy.
Although my pipeline has the OAuth token expost (System.AccessToken), it cannot be use by the CLI. For example is I try to assign the value of the OAuth token to the AZURE_DEVOPS_EXT_PAT it fails (AZURE_DEVOPS_EXT_PAT=$System.AccessToken).
Questions:
Is it possible to use the OAuth token to log in to the CLI?
Is the Service Principal the best way to go?
Additional Info:
I do not have subscriptions only a tenant-id, we're not creating any Azure resources, we're an AWS shop that happens to be using ADO only for CICD.
Use az devops login instead of az login
From your pipeline use:
- script: echo $(AccessToken) | az devops login
env:
AccessToken: $(System.AccessToken)
Few interesting notes:
Secrets (like System.AccessToken) are available to scripts unless you pass them in explicitly as environment variables
the System.AccessToken variable is the default access token of the build agent
there is a project-specific build agent and a project-collection build agent. The one you use is actually controlled by the 'limit access to current project scope' flag in the Pipeline settings for the project.
you may need to elevate permissions for the build agent if you're trying to manipulate objects. For example, you could grant the Create Tag permission on a repository if you wanted the build agent to update the repository.
you can also create your own PAT token with permissions that you specify.
How i can setup my Jenkins that can be used in different machines? i want a jenkin to be setup and any one can hit the URL with IP and login with valid credentials.
The main aim is not to configure jenkins on every colleagues system and they can access my jenkins just through an URL.
You can install one instance of Jenkins in a dedicated server, tune it, secure it and create the Jobs. After it you can share the IP/Host and the user & password to your colleagues and they can access to Jenkins.
I recommend you to check the installation manual: https://jenkins.io/doc/book/installing/
My company is using Jenkins for their CI and so far we've only been using it for our web apps, but now we're getting to the windows service apps we use and I'm looking for some guidance on this.
Currently we have a batch script that shuts down the service then do an Hg update and then turns the service back on.
I need Jenkins to run it as admin so that windows will allow the script to toggle the services.
My question is, how hard is it for Jenkins to run something with elevated privileges?
With PsService you can execute a remote command (start/stop/restart) and provide a username and a password for elevated access.
Once you manage to do this all you need to do is to "write that line" in jenkins. Meaning that if you use pipeline you'll do it with credentials binding. Of course you need to create jenkins credentials with the aforementioned username and password.
I have instances of Jenkins and GitLab which are successfully connected. Part of setting up the GitLab plug-in involves providing an API token. I believe this is used by the plug-in to get details of the commit which is triggering a job.
I need to run a daily Jenkins job which collects some statistics using the API and then (using R) generates a report. So this is not triggered by an event in GitLab.
To complicate issues a little further, the R code will run inside a container (to avoid hving to install R and all the packages on every Jenkins slave),
It does not appear that the plug-in makes the token available to be used in jobs ... and I can see a sane reason for that.
Is it possible to access the API token from the plug-in?
There is a plugin which supports credential injecting (https://wiki.jenkins.io/display/JENKINS/Credentials+Binding+Plugin) to the builds which could be used later as an environment variable. Gitlab api token could be also selected.
I need to execute few of the Jenkins jobs such as "Release to Production" through Jenkins UI using logged on user credential. The reason is, we have separate Support Team Members, who have access to the production boxes and not the Dev team members. So, in order to deploy any code base to production, all the Windows Deploy Commands (ex, create, update files, folder etc.) needs to be run with specific user credential who has access to the Production Box. So that even the Dev team members who don't have access to the Production box but are Jenkins Admin, execute the same job should result in failure due to "Access Denied". The job should succeed only if its been run by Support Team members with their credential.
I tried using parameterized plugin but couldn't able to pass the Password successfully to the batch file which contains MSDeploy instructions. Even the Jenkins console log displays the parameter passed in its console output, which is a security issue.
I checked Role based security plugin, but that doesn't help me much. I just need a plugin which should ask for user to provide their credential before start building the Job and should use the user credential to get the job executed, so that my MSDeploy command will be able to deploy the code on Production boxes, when the Support team member build that Job using their credential. I wish there was support for impersonation.
Right now all the Jenkins Jobs are getting executed using the service account which the Tomcat service is configured to run with on which Jenkins is hosted.
Any help would be appreciated.
Just in case there is any confusion a Jenkins job will always run as the same OS user. The Matrix based security applies to users who log into the Jenkins server and controls features like creating or launching jobs.
You could configure the job to use a set of generic production credentials and then prevent your developers from invoking the job.
Perhaps a better approach would be to separate the process that builds the code from the one that deploys the code. The following diagram (Taken from the xebia-france project) demonstrates how some of my favourite tools Rundeck and Nexus can be integrated with Jenkins.
Finally, I highly recommend reading the following link:
Using Rundeck and Chef to build devops tool chains
Hi I know I'm coming late on this thread, but I just fell on this issue and had a hard time solving it, so I thought I might just share what I managed to set-up.
First things first: if you want to run a Jenkins job "as a specific user" (with all the correct habilitations) the easiest way is to run a Jenkins SLAVE as this user.
Then you might very well stumble into the following: you probably want to run serveral slaves on the same windows machine as windows services. This is very fine, as long as each slave has his own Remote root directory and probably have a specific "label" too.
Once you managed to run your slave as a windows service, launch the service console (run services.msc). Edit the newly created service properties, go to Log On tab. Select "Log on as: This account" and enter your account credentials.
Cheers :)
You can utilize the built in windows runas or Powershell InvokeCommand cmdlet and -Credential to run - Both these would store the username/password in plain text - So do think about the risks, but this gives you flexibility.
I'm surprised this doesn't have a better answer of set an agent on another machine to run as another service and define agent as a special "type" which picks up the jobs - Something along those lines is what I would expect but I haven't seen an implementation like that in Jenkins (I'm new to Jenkins so was looking for an answer and found this thread).
Something else that could be considered for someone more familiar with Jenkins is when you set the custom path to MSBuild could you set that to runas /user:... msbuild.exe perhaps? I don't have an extra Jenkins server currently to try that on.