Workflow Integration for Credentials Binding Plugin

Written by: jglick

Workflow steps that do something specific, like check out SCM sources, will often have a way to specify a credentialsId to pass in secret credentials appropriate to that task. However there was an unmet need to manage secrets using the Jenkins web UI (the usual Credentials link) but access them from a freeform sh or bat build step, where the secret (such as a server password) is used in the middle of a system shell script.

For freestyle projects this was handled with the Credentials Binding plugin , in some cases also with the help of the Plain Credentials plugin . I have just released an update to Credentials Binding that adds a new Workflow step, withCredentials , offering similar functionality. For example:

node {
  withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'mylogin',
                    usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
    sh '''
      set +x
      curl -u $USERNAME:$PASSWORD https://private.server/ > output

As usual, you can use the Snippet Generator to get a hint about the syntax to use. But to make this comfortable to write by hand, and easier to read the result, it is also desirable to have short, memorable credentialsId s, rather than the random UUIDs you usually get. For this reason I also enhanced the Credentials plugin and Plain Credentials plugins to let you pick an ID when you create credentials. (A similar change in the SSH Credentials plugin is currently awaiting release, though there is not currently any way to access an SSH private key using Credentials Binding anyway; use a Secret File from Plain Credentials in the meantime.)

As with the freestyle build wrapper, if you bind an environment variable to a secret file, it will get deleted from your agent’s disk at the end of the step. Because withCredentials is built for Workflow, this happens even if Jenkins is restarted in the middle of the block.

Jesse Glick

Stay up to date

We'll never share your email address and you can opt out at any time, we promise.