26

I am using the credentials plugin in Jenkins to manage credentials for git and database access for my team's builds. I would like to copy the credentials from one jenkins instance to another, independent jenkins instance. How would I go about doing this?

sakurashinken

8 Answers

30

UPDATE: TL;DR: Follow the link provided below in a comment by Filip Stachowiak; it is the easiest way to do it. In case it doesn't work for you, go on reading.

Copying the $HUDSON_HOME/credentials.xml is not the solution because Jenkins encrypts passwords and these can't be decrypted by another instance unless both share a common key.

So, either you use the same encryption keys in both Jenkins instances (Where's the encryption key stored in Jenkins?) or what you can do is:

  1. Create the same user/password, you need to share, in the 2nd Jenkins instance so that a valid password is generated
  2. What is really important is that user ids in both credentials.xml are the same. For that (see the credentials.xml example below) for user: Jenkins the identifier <id>c4855f57-5107-4b69-97fd-298e56a9977d</id> must be the same in both credentials.xml

    <com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1.22">
      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
        <entry>
          <com.cloudbees.plugins.credentials.domains.Domain>
            <specifications/>
          </com.cloudbees.plugins.credentials.domains.Domain>
          <java.util.concurrent.CopyOnWriteArrayList>                
            <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
              <scope>GLOBAL</scope>
              <id>c4855f57-5107-4b69-97fd-298e56a9977d</id>
              <description>Para SVN</description>
              <username>jenkins</username>
              <password>J1ztA2vSXHbm60k5PjLl5jg70ZooSFKF+kRAo08UVts=</password>
            </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          </java.util.concurrent.CopyOnWriteArrayList>
        </entry>
      </domainCredentialsMap>
    </com.cloudbees.plugins.credentials.SystemCredentialsProvider>
    
Serge K.
Pedro
  • Where does Jenkins store the encryption key? I've been suffering through this for quite some time! :( Every time I migrate Jenkins, I'd have to re-enter all the credentials! – Fadi Jul 19 '16 at 17:45
  • Would this work if migrating to a Jenkins server that already has credentials? e.g in the case where one needs to consolidate Jenkins servers. – Traiano Welcome Apr 21 '19 at 14:17
  • @TraianoWelcome IMO when consolidating servers although you still can migrate the credentials from an existing Jenkins you will have to reenter the secrets encrypted with the previous credentials. – Pedro Apr 23 '19 at 07:47
  • @Pedro - I've just found that to be true. I've extracted the secrets from the credentials vault and simply exported them using the jenkins-cli. – Traiano Welcome Apr 23 '19 at 11:22
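
A check for step 2 of the answer above, added here as an example and not part of the original answer or of Jenkins: it parses two credentials.xml files and reports which credential ids the new instance lacks and which were re-created under a different id. The helper names and all sample values except the id taken from the XML above are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def credential_ids(xml_text):
    """Map each credential <id> to (short class name, username)."""
    found = {}
    for elem in ET.fromstring(xml_text).iter():
        cid = elem.findtext("id")
        # A credential entry is any element with both <id> and <scope> children.
        if cid is None or elem.find("scope") is None:
            continue
        kind = elem.tag.rsplit(".", 1)[-1]
        found[cid.strip()] = (kind, (elem.findtext("username") or "").strip())
    return found

def compare(old_xml, new_xml):
    """Report ids the new instance lacks, and which were re-created under another id."""
    old, new = credential_ids(old_xml), credential_ids(new_xml)
    # (class, username) -> id on the new instance; entries without a username are skipped
    by_identity = {ident: cid for cid, ident in new.items() if ident[1]}
    missing = sorted(set(old) - set(new))
    recreated = [(cid, by_identity[old[cid]]) for cid in missing
                 if old[cid] in by_identity]
    return {"missing_on_new": missing, "recreated_under_new_id": recreated}

def sample_xml(entries):
    """Constructed credentials.xml in the layout shown above (not a real file)."""
    cls = "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
    body = "".join(
        f"<{cls}><scope>GLOBAL</scope><id>{cid}</id><username>{user}</username>"
        f"<password>CONSTRUCTED-CIPHERTEXT</password></{cls}>"
        for cid, user in entries)
    root = "com.cloudbees.plugins.credentials.SystemCredentialsProvider"
    lst = "java.util.concurrent.CopyOnWriteArrayList"
    return (f"<{root}><domainCredentialsMap><entry><{lst}>{body}</{lst}>"
            f"</entry></domainCredentialsMap></{root}>")

# Constructed sample data: the first id is the one from the example above,
# the others are placeholders.
OLD = sample_xml([("c4855f57-5107-4b69-97fd-298e56a9977d", "jenkins"),
                  ("constructed-id-db", "dbuser")])
NEW = sample_xml([("constructed-id-new", "jenkins"),
                  ("constructed-id-db", "dbuser")])

if __name__ == "__main__":
    print(compare(OLD, NEW))
```
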
4

I was also facing the same problem. What worked for me is I copied the credentials.xml, config.xml and the secrets folder from existing jenkins to the new instance. After the restart of jenkins things worked fine.

MS_22
2

This is what worked for me.

Create a job in Jenkins that takes the credentials and writes them to output. If Jenkins replaces the password in the output with ****, just obfuscate it first (add a space between each character, reverse the characters, base64 encode it, etc.)

I used a Powershell job to base64 encode it:

    [convert]::ToBase64String([text.encoding]::Default.GetBytes($mysecret))

And then used Powershell to convert the base64 string back to a regular string:

    [text.encoding]::Default.GetString([convert]::FromBase64String("bXlzZWNyZXQ="))

Trevor
2

After trying quite a few things for several days, this is the best solution I found for migrating my secrets from a Jenkins 2.176 to a new clean Jenkins 2.249.1. jenkins-cli was the best approach for me.

The process is quite simple: just dump the credentials from the old instance to a local machine, or Docker pod with Java installed, as an XML file (unencrypted) and then upload it to the new instance.

Before starting you should verify the following:

  • Access to the credentials section on both Jenkins instances
  • Download the jenkins-cli.jar from one of the instances (https://www.your-jenkins-url.com/cli/)
  • Have User and Password/Token at hand.

Notice: In case your Jenkins uses an OAuth service, you will need to create a token for your user. Once logged into Jenkins, at the top right, if you click your profile you can verify both username and generate password.

Now for the special sauce, you have to execute both parts from the same machine/pod:

Notice: If your instances are using valid Certificates and you want to secure your connection you must remove the -noCertificateCheck flag from both commands.


    # OLD JENKINS DUMP #
    # Writes the credentials of the old instance to a local XML file.

    export USER=madox@example.com
    export TOKEN=f561banana6ead83b587a4a8799c12c307
    export SERVER=https://old-jenkins-url.com/

    java -jar jenkins-cli.jar -noCertificateCheck -s "$SERVER" -auth "$USER:$TOKEN" list-credentials-as-xml "system::system::jenkins" > /tmp/jenkins_credentials.xml

    # NEW JENKINS IMPORT #
    # Reads the same XML file and imports it into the new instance.

    export USER=admin
    export TOKEN=admin
    export SERVER=https://new-jenkins-url.com/

    java -jar jenkins-cli.jar -noCertificateCheck -s "$SERVER" -auth "$USER:$TOKEN" import-credentials-as-xml "system::system::jenkins" < /tmp/jenkins_credentials.xml

Madox
  • The password is hidden like . – hajimuz Jul 19 '21 at 08:54
  • I recommend this option since it's working for Jenkins to CloudBees migration and it helps to keep existing CloudBees creds also. If we go with other methods then we have to combine both creds if we have CloudBees creds, or we have to recreate that after copy and replace in folder – JPNagarajan Aug 13 '21 at 06:51
  • With Jenkins 2.176.1 this leaves me with `` in the exported file. – Richard Kiefer Aug 23 '21 at 09:39
  • for the `` error could it be related to the secrets structure is different from the typical `system::system::jenkins` ? – Madox Aug 26 '21 at 15:16
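
A pre-import check for the XML file written by the dump step above, added here as an example and not part of the original answer or of jenkins-cli: it reports whether the file is readable beyond its owner and how many secrets came back hidden instead of carrying a value. It assumes a hidden secret appears as an empty `<secret-redacted/>` element; the sample document, ids and function names are constructed.

```python
import os
import stat
import xml.etree.ElementTree as ET

def audit_export(path):
    """Check a credentials export before it is imported or left on disk."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: readable beyond the owner, chmod 600")
    root = ET.parse(path).getroot()
    # Assumption: a hidden secret appears as an empty <secret-redacted/> child.
    redacted = len(root.findall(".//secret-redacted"))
    with_value = sum(1 for p in root.iter("password") if (p.text or "").strip())
    if redacted:
        findings.append(f"{redacted} secret(s) redacted: the file carries no value for them")
    return {"redacted": redacted, "with_value": with_value, "findings": findings}

# Constructed, simplified sample (not real CLI output); ids and values are placeholders.
CONSTRUCTED_EXPORT = """<list>
  <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <scope>GLOBAL</scope><id>constructed-id-1</id>
    <username>jenkins</username>
    <password><secret-redacted/></password>
  </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
  <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <scope>GLOBAL</scope><id>constructed-id-2</id>
    <username>dbuser</username>
    <password>constructed-value</password>
  </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</list>"""

def write_sample(path, mode):
    """Write the constructed sample to path with the given permission bits."""
    with open(path, "w") as fh:
        fh.write(CONSTRUCTED_EXPORT)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(audit_export(write_sample(os.path.join(d, "export.xml"), 0o644)))
```
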
1

If you have the credentials.xml available and the old Jenkins instance still running, there is a way to decrypt individual credentials so you can enter them in the new Jenkins instance via the UI. The approach is described over at the DevOps stackexchange by kenorb.

This does not convert all the credentials for an easy, automated migration, but helps when you have only few credentials to migrate (manually).

To summarize, you visit the /script page over at the old Jenkins instance, and use the encrypted credential from the credentials.xml file in the following line:

    println(hudson.util.Secret.decrypt("{EncryptedCredentialFromCredentialsXml=}"))

Richard Kiefer
0

To migrate all credentials to a new server, from Jenkins: Migrating credentials:

  1. Stop Jenkins on new server.

    new-server # /etc/init.d/jenkins stop
    
  2. Remove the identity.key.enc file on new server:

    new-server # rm identity.key.enc
    
  3. Copy secret* and credentials.xml to new server.

    current-server # cd /var/lib/jenkins
    current-server # tar czvf /tmp/credentials.tgz secret* credentials.xml
    current-server # scp /tmp/credentials.tgz "$user@$new_server":/tmp/
    
    new-server # cd /var/lib/jenkins
    new-server # tar xzvf /tmp/credentials.tgz -C ./
    
  4. Start Jenkins.

    new-server # /etc/init.d/jenkins start
    
Jon-Eric
-1

Migrating users from a Jenkins instance to another Jenkins on a new server - I tried following https://stackoverflow.com/a/35603191 which led to https://itsecureadmin.com/2018/03/26/jenkins-migrating-credentials/. However I did not succeed in following these steps. Further, I experimented exporting /var/lib/jenkins/users (or {JENKINS_HOME}/users) directory to the new instance on new server. After restarting the Jenkins on new server - it looks like all the user credentials are available on new server. Additionally, I cross-checked if the users can log in to the new Jenkins instance. It works for now.

PS: This code is for redhat servers

Old server:

    cd /var/lib/jenkins

or cd into wherever your Jenkins home is

    tar cvzf users.tgz ./users

New server:

    cd /var/lib/jenkins
    scp <user>@<oldserver>:/var/lib/jenkins/users.tgz /var/lib/jenkins/.
    sudo tar xvzf users.tgz
    systemctl restart jenkins

Nolequen
-2

Did you try to copy the $JENKINS_HOME/users folder and the $JENKINS_HOME/credentials.xml file to the other Jenkins instance?

Bruno Lavit
  • I'm using ldap authentication for the server itself, but these credentials are for git and database access. Where are they stored? in the plugins folder? – sakurashinken Jun 08 '15 at 17:59
  • If you create global credentials (in the Jenkins admin section), they are in the credentials.xml file. – Bruno Lavit Jun 08 '15 at 19:05
  • Did you find that the credentials.xml file was portable? My experience has shown that usernames/passwords are hashed and that the file from one machine is not recognized by the new machine with the copied file. – pcrews Sep 11 '15 at 02:57
  • Usually on windows, the default installation is on C:\Program Files (x86)\Jenkins (==$JENKINS_HOME) – Shai Alon Nov 03 '19 at 09:06