26

My Jenkins box needs to access Stash and Jira through their REST apis. For that I need to store their credentials.

The way I am doing is via the Credentials Parameter, which asks me for a Name, Credential type, Required, Default Value, and a Description.

I define a Name as CREDENTIAL_PARAMETER, in the type I set it as "Username with password", and then I pick one credential from the list in the Default Value.

Next in the Build section I define that a shell should be executed, which is something like

echo $CREDENTIAL_PARAMETER

I was expecting to get something like "username:password" as the CREDENTIAL_PARAMETER. However, I get a hash that I think is how the username and password can be retrieved.

How can I get the credentials based on the hash using bash?

Alexandre Santos
  • 8,170
  • 10
  • 42
  • 64
  • did you find a solution for this? Experiencing the same thing, and wondering if an answer below helped or if you went a different route? – fuzzi Mar 13 '19 at 19:12

2 Answers2

27

Just as a note to myself, and hopefully this will help others I'm going to go a bit more in depth than @Alexandre Santos, though his answer is extremely helpful.

The important thing to note is that there is a difference between the Credentials Parameter and the Credentials Binding.

If you are using a parameterized build, you can add a Credentials Parameter that references a credentials binding. When you run the build you'll notice that there is an environment variable that correlates to a credential's GUID in your credential store.

For this to actually be useful you have to inject a "Credentials Binding" into your environment.

Head to the Build Environment section of your job definition. Check Use secret text(s) or file(s). This will actually inject the secret into your build environment. The "Credentials Parameter" created earlier can be used here to let you select different credentials parameters.

For files it will drop the file somewhere in the workspace(?), and then inject a secret environment variable with the full path to the file.

This blog from Cloudbees should help with the rest.

Breedly
  • 12,838
  • 13
  • 59
  • 83
  • 1
    Thanks, @Breedly. I spent a significant amount of time looking into "how to use jenkins credentials" in the Execute Shell area. You're reply solved my issue! – Nate H May 22 '17 at 20:38
18

It is possible, but the plugin https://wiki.jenkins-ci.org/display/JENKINS/Credentials+Binding+Plugin needs to be installed. Without it, all you get is a hash to where the credentials can be found.

Once you have the credentials, Jenkins will place them as session environments, which can be retrieved..

Note that the credentials are available only when "Use secret text(s) or file(s)" is enabled in the "Build Environment" section.

Once all is defined, the username and password can be passed either as two different fields or as only one field separated by ":"

Alexandre Santos
  • 8,170
  • 10
  • 42
  • 64
  • 1
    Be sure to read the sentence beginning with *note*. I wasted quite a bit of time because I didn't read that. – Breedly May 03 '17 at 15:08
  • 1
    When using Parameter expression in the Binding, make sure **not to use same name** for the Binding variable and the Credential parameter, otherwise the value would remain as the Credential ID. For example, with secret file, the build may fail on `No such file or directory`. – Noam Manos May 27 '20 at 08:08