0

I have Jenkins server which builds project, build docker image and push it to Google Container Registry.

I am using service account to login to GCR using command docker login -u _json_key -p "$(cat ${service-account.json})" https://gcr.io as stated here

When this line is executed, content of service-account.json file is printed on console in Jenkins pipeline.

How would I stop credential being printed on console?

Nirav
  • 602
  • 1
  • 10
  • 28

2 Answers2

2

The trick is to use the --password-stdin flag.

cat ${service-account.json} | docker login -u _json_key --password-stdin https://gcr.io

Provide a password using STDIN. To run the docker login command non-interactively, you can set the --password-stdin flag to provide a password through STDIN. Using STDIN prevents the password from ending up in the shell’s history, or log-files.

See https://docs.docker.com/engine/reference/commandline/login/

Note: The password file should only include the password, and should not be json encoded.

Rodrigo Murillo
  • 13,080
  • 2
  • 29
  • 50
0

If you store the JSON Key File and the username associated with it as a credential in Jenkins, you can then reference the key file inside of a withCredentials step (https://jenkins.io/doc/pipeline/steps/credentials-binding/)

Any credentials used inside of a withCredentials step will be masked automatically

gavsyuk
  • 306
  • 1
  • 3
  • Thanks for the reply. I tried using following. I stored credential in file. ``` withCredentials([file(credentialsId: 'cred', variable: 'KEY')]) { container('docker') { sh "docker login -u _json_key -p ${KEY} https://gcr.io" } } ``` I am getting error: Error response from daemon: Get https://gcr.io/v2/: unknown: Unable to parse json key. – Nirav May 29 '19 at 13:43