Injecting Secrets into Jenkins Builds Using the Credentials Plugin

We commonly see questions on our Jenkins Support channels asking for advice about how to inject secrets and credentials into build jobs. While there are various approaches to defining and injecting build secrets (including BuildSecret, files on disk and EnvInject), the simplest (and most powerful) approach these days is to combine the Credentials and Credentials Binding plugins.

Credentials plugins:

  • Credentials plugin - Enhances Jenkins with a centralized credentials storage facility. These credentials can then be consumed by Jenkins and Jenkins plugins.
  • Credentials Binding plugin - Enhances the build job Configuration page with options to create bindings that inject credentials as environment variables that can be used by the build job.

Together, these plugins provide Jenkins users with a way to define credentials/secrets and then inject them as environment variables for build jobs to use. In addition to basic handling of build job credentials, these plugins can be used in combination with Enterprise plugins to tightly control which builds and users have access to these credentials.
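Once a binding injects a secret as an environment variable, the build step still has to use it without copying it onto a command line or into shell tracing output. The helper below is an added example, not code from the plugins or from CloudBees; the variable name DEPLOY_TOKEN, the bearer-token header and the URL in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example for an "Execute shell" build step. DEPLOY_TOKEN is a
# hypothetical variable name chosen in the job's credentials binding.

# bound_secret NAME: print the value of bound variable NAME, or fail the
# build step early if the binding did not inject it.
bound_secret() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 2 ;;
    esac
    eval "_bs_val=\${$1:-}"
    if [ -z "$_bs_val" ]; then
        echo "missing bound credential: $1" >&2
        return 1
    fi
    printf '%s' "$_bs_val"
}

# write_curl_auth NAME: put the secret in a private curl config file
# (mode 0600 via mktemp) so it never appears in argv or `ps` output.
# Prints the file path; the caller deletes the file when done.
write_curl_auth() {
    _wa_trace=0
    case $- in *x*) _wa_trace=1; set +x ;; esac   # keep the value out of xtrace
    _wa_rc=0
    _wa_tok=$(bound_secret "$1") || _wa_rc=$?
    case $_wa_tok in
        *'"'*|*\\*) echo "unsupported character in $1" >&2; _wa_rc=3 ;;
    esac
    if [ "$_wa_rc" -eq 0 ]; then
        _wa_cfg=$(mktemp "${TMPDIR:-/tmp}/curlauth.XXXXXX") || _wa_rc=4
    fi
    if [ "$_wa_rc" -eq 0 ]; then
        printf 'header = "Authorization: Bearer %s"\n' "$_wa_tok" > "$_wa_cfg"
        printf '%s\n' "$_wa_cfg"
    fi
    unset _wa_tok
    if [ "$_wa_trace" -eq 1 ]; then set -x; fi
    return "$_wa_rc"
}

# Usage inside the build step (URL is a placeholder):
#   cfg=$(write_curl_auth DEPLOY_TOKEN) || exit 1
#   trap 'rm -f "$cfg"' EXIT
#   curl --fail --silent --config "$cfg" https://deploy.example.invalid/api
```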

Complementary plugins:

  • Folders plugin - Allows build jobs to be organized into Folders. Since the Credentials plugin is “folder aware”, credentials can be attached to folders so that they are only accessible to builds inside the folder.
  • Role-based Access Control (RBAC) plugin - [available via Jenkins Enterprise by CloudBees or DEV@cloud] gives Jenkins administrators the ability to define security roles and assign roles to groups of users. By combining RBAC with Folders and Credentials plugins, administrators can control which builds have access to credentials and which users have access to builds that use the credentials.

Read more…

If you aren’t familiar with these plugins, be sure to check out the How to Inject Secrets into Jenkins Builds guide on the CloudBees developers wiki for a more detailed explanation.

Spike Washburn
VP Engineering
CloudBees

Comments

The Credentials plugin can also do files (i.e. upload attachments) and text - and then make them available to builds via binding - so it really covers all bases.
