
I can only upload an existing Jenkins secret file, not download the existing one.

How do I download an existing secret file I uploaded to confirm its contents?

red888
    I don't think that's a valid argument here. This is an administrative feature that is missing. It should be up to the admin to secure admin access to Jenkins and Jenkins should allow admins to view secrets. Vault and other modern secrets managers have this ability – red888 Sep 06 '18 at 12:17
  • See also similar question to download/copy the secret file so that it can be used in the workspace: https://stackoverflow.com/questions/49460520/how-to-copy-jenkins-secret-files – Pierre F Jan 29 '21 at 10:36

4 Answers


In case you can access your Jenkins instance's Script Console (e.g. by visiting https://jenkins.example.com/script in a browser), you can run the following script:

import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.domains.Domain
import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl

// Location of the encrypted store on disk (credentials.xml under $JENKINS_HOME)
println "Jenkins credentials config file location=" + SystemCredentialsProvider.getConfigFile()
println ""

def fileName = "my-secret-file.txt"

// getCredentials() returns the global-domain credentials of the system store
SystemCredentialsProvider.getInstance().getCredentials().stream().
  filter { cred -> cred instanceof FileCredentialsImpl }.
  map { fileCred -> (FileCredentialsImpl) fileCred }.
  filter { fileCred -> fileName.equals( fileCred.getFileName() ) }.
  forEach { fileCred ->
    // getPlainData() decrypts the stored bytes in memory; nothing is written to disk
    String s = new String( fileCred.getSecretBytes().getPlainData() )
    println "XXXXXX BEGIN a secret file with fileName=" + fileName + " XXXXXXXXXXXX"
    println s
    println "XXXXXX END a secret file with fileName=" + fileName + " XXXXXXXXXXXX"
    println ""
  }

Change fileName to the file name you would like to print out. This script prints the contents of every file in the Jenkins credentials store's global domain whose file name equals fileName.

Fixable caveats of this script:

Abdull
  • Perfect. Question though: does this write the file to a temp location, or can I be sure it doesn't leave it anywhere after it reads? Also, how do I get other secrets like secure strings and username/passwords like this? I tried just using `StringCredentialsImpl` but it did not work – red888 Sep 06 '18 at 18:37
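An added example, editorial and not part of Abdull's answer, extending the script-console approach to the other credential types the comment asks about. It walks every domain of the system credentials store (not only the global one) and prints the plaintext of file, secret-text, username/password and SSH private-key credentials; it also shows how a single `{...}` value copied out of credentials.xml is decrypted with the controller's own keys. Class names are from the credentials, plain-credentials and ssh-credentials plugins (the last is assumed to be installed); `decryptFromXml` is a helper name chosen here. Output is returned only in the HTTP response of /script and the script writes nothing to disk. Note what this demonstrates from the other side: anyone who can reach the Script Console can read every credential on the controller, so that access is equivalent to owning all of them, and folder-scoped credentials are not covered by this script.

```groovy
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl
import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl
import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl
// ssh-credentials plugin; assumed installed
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import java.nio.charset.StandardCharsets

// Decrypt one value copied out of credentials.xml (the "{...}" form).
// Returns null when the value was not encrypted with this controller's keys.
String decryptFromXml(String encrypted) {
    return hudson.util.Secret.decrypt(encrypted)?.getPlainText()
}

// Walk every domain of the system store; getDomainCredentialsMap() includes
// the global domain (name == null) and any custom domains.
SystemCredentialsProvider.getInstance().getDomainCredentialsMap().each { domain, creds ->
    String domainName = domain.getName() ?: '(global)'
    creds.each { cred ->
        if (!(cred instanceof StandardCredentials)) {
            println "[${domainName}] ${cred.getClass().simpleName}: no id, skipped"
            return  // 'return' inside the closure continues with the next credential
        }
        println "[${domainName}] id=${cred.id} type=${cred.getClass().simpleName} desc=${cred.description}"
        switch (cred) {  // Groovy matches a class case with isInstance()
            case FileCredentialsImpl:
                // getPlainData() decrypts in memory; nothing is written to disk
                String body = new String(cred.getSecretBytes().getPlainData(), StandardCharsets.UTF_8)
                println "  fileName=${cred.fileName}"
                println "  ----- BEGIN FILE -----"
                println body
                println "  ----- END FILE -----"
                break
            case StringCredentialsImpl:
                println "  secret=${cred.secret.plainText}"
                break
            case UsernamePasswordCredentialsImpl:
                println "  username=${cred.username} password=${cred.password.plainText}"
                break
            case BasicSSHUserPrivateKey:
                println "  username=${cred.username} passphrase=${cred.passphrase?.plainText ?: '(none)'}"
                cred.privateKeys.each { key -> println key }
                break
            default:
                println "  (type not handled by this script)"
        }
    }
}

// To decrypt a value pasted from credentials.xml, replace the placeholder with the real string:
// println decryptFromXml('{...}')
return
```

Paste the whole block into https://jenkins.example.com/script and run it; the `return` at the end keeps the console from echoing the result of the last expression.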

If you have shell access to and sudo/root/Jenkins Unix user permissions on the machine running Jenkins, you can retrieve the secret file by doing the following:

  • In some Jenkins job that has permissions to access the secret file, select Configure.
  • On the Configuration interface, under Build Environment, select Use secret text(s) or file(s).
  • Click Add -> Secret file. This creates a new Secret file binding.
  • Select Specific credentials, then from the drop-down menu below it select the secret file you would like to retrieve. Let's assume your secret file is stored under the filename my-secret-file.txt.
  • Assign to this secret file a variable e.g. MY_SECRET_FILE_TXT.
  • Now, under Pre Steps, click Add pre-build step -> Execute shell.
  • In the Command text area, add the following shell script:

    echo "executing user is $(whoami)"
    
    # remove an old copy first so cp cannot fail on an existing file
    rm -f "$WORKSPACE/my-secret-file.txt"
    
    echo "Jenkins project workspace: $WORKSPACE"
    # MY_SECRET_FILE_TXT holds the path of the temporary copy created by the binding
    cp "$MY_SECRET_FILE_TXT" "$WORKSPACE"
    
  • Click Save to save this configuration.

The next time a build is triggered for this project, the secret file should appear in this project's workspace, i.e. at $WORKSPACE/my-secret-file.txt. As an example, on my Ubuntu 14.04.5 LTS installation with the jenkins package and daemon installed, that location is /var/lib/jenkins/workspace/$JENKINS_PROJECT_NAME/my-secret-file.txt

Abdull
  • So I could hack it like this, but I'm looking for a more convenient way of doing this. I'd even prefer manually decrypting secrets from the command line. Is that possible? – red888 Sep 06 '18 at 14:32

I usually extract secrets from jenkins by creating a job like this:

(screenshot of the job configuration, not preserved)

Jenkins masks all the keys in the output, so just replace one character when you print it out. If it turns out there is another 0 in your key, it'll appear as ******* and you can try replacing a different character, or splitting it in two and printing the two halves on different lines, or another similar trick.

You can also just stick it straight into a file like this.

echo "$HELLO" > slack-key.txt
Alex028502
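Both the second and third answers end with the decrypted secret written into the workspace, where it persists after the build and is readable by anyone with Job/Workspace permission on the project. The declarative pipeline below is an added example, not code from either answer: it binds the same secret file with the Credentials Binding plugin's `file()` binding and confirms the contents without copying the file out of the binding's temporary location or echoing it, by printing a SHA-256 fingerprint and checking for a known marker string. The credential ID `my-secret-file` and the marker `expected-marker` are assumed values.

```groovy
pipeline {
    agent any
    stages {
        stage('verify-secret-file') {
            steps {
                // file() binding: MY_SECRET_FILE_TXT holds the path of a temporary copy
                // of the credential with ID 'my-secret-file' (assumed ID). The copy is
                // removed when this block exits, so nothing stays behind in $WORKSPACE.
                withCredentials([file(credentialsId: 'my-secret-file', variable: 'MY_SECRET_FILE_TXT')]) {
                    // triple single quotes: $ is left for the shell, not Groovy
                    sh '''
                        set -eu
                        echo "executing user is $(whoami)"
                        echo "bound path: $MY_SECRET_FILE_TXT"

                        # Fingerprint instead of cat: compare with `sha256sum my-secret-file.txt`
                        # run on the machine you uploaded from.
                        sha256sum "$MY_SECRET_FILE_TXT" | cut -d" " -f1

                        # Check for a known marker (assumed value) without printing the contents.
                        if grep -q "expected-marker" "$MY_SECRET_FILE_TXT"; then
                            echo "marker present"
                        else
                            echo "marker missing" >&2
                            exit 1
                        fi
                    '''
                }
            }
        }
    }
}
```

If the two hashes match, Jenkins stored exactly the file you uploaded; if you need the plaintext itself, the Script Console approach in the accepted answer avoids leaving a copy in a workspace.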

The marked answer with the script console is great.

There is also a script that lists ALL secrets and can likewise be run from the console: https://github.com/tkrzeminski/jenkins-groovy-scripts/blob/master/show-all-credentials.groovy

red888