
Hiding password in Jenkins pipeline script

I'm trying to mask a password in my Jenkins build.

I have been trying the mask-passwords plugin.

However, this doesn't seem to work with my Jenkins pipeline script, because if I define the password PASSWD1 and then I use it in the script like this ${PASSWD1}, I am getting:

No such DSL method '$' found among steps [addToClasspath, ansiColor, ansiblePlaybook, ....] 

If I use env.PASSWD1, then its value will be resolved to null.

So how should I mask a password in a Jenkins pipeline script?

octavian asked Feb 21 '17 15:02




2 Answers

The simplest way would be to use the Credentials Plugin.

There you can define different types of credential, whether it's a single password ("secret text"), or a file, or a username/password combination. Plus other plugins can contribute other types of credentials.

When you create a credential (via the Credentials link on the main Jenkins page), make sure you set an "ID". In the example below, I've called it my-pass. If you don't set it, it will still work; Jenkins will allocate an opaque UUID for you instead.

In any case, you can easily generate the required syntax with the snippet generator.

    withCredentials([string(credentialsId: 'my-pass', variable: 'PW1')]) {
        echo "My password is '${PW1}'!"
    }

This will make the password available in the given variable only within this block. If you attempt to print the password, like I do here, it will be masked.

Christopher Orr answered Sep 20 '22 11:09



Looking at this issue, https://issues.jenkins-ci.org/browse/JENKINS-27392, you should be able to do the following:

    node {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: '123ADS', var: 'SECRET']]]) {
            echo env['SECRET'];
        }
    }

However, if you look at the last comments in that issue it doesn't work, seems like a bug. However, if you know the secret and accidentally print it in the logs, then it is hidden, like this:

    node {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: '123ADS', var: 'SECRET']]]) {
            echo "123ADS";
        }
    }

This produces:

    [Pipeline] node
    Running on master in workspace/pl
    [Pipeline] {
    [Pipeline] wrap
    [Pipeline] {
    [Pipeline] echo
    ********
    [Pipeline] }
    [Pipeline] // wrap
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    Finished: SUCCESS

Regarding the error you are getting, No such DSL method '$' found among steps ..., I'm just guessing but you are probably using ${VAR} directly in the pipeline script; ${...} is only relevant inside strings in Groovy.

EDIT: Or you can use the Credentials Plugin and pipeline step withCredentials:

    // Credential d389273c-03a0-45af-a847-166092b77bda is set to a string secret in Jenkins config.
    node {
        withCredentials([string(credentialsId: 'd389273c-03a0-45af-a847-166092b77bda', variable: 'SECRET')]) {
            bat """
    if ["${SECRET}"] == ["123ASD"] echo "Equal!"
    """;
        }
    }

This results in:

    [Pipeline] node
    Running on master in workspace/pl
    [Pipeline] {
    [Pipeline] withCredentials
    [Pipeline] {
    [Pipeline] bat
    [pl] Running batch script

    workspace/pl>if ["****"] == ["****"] echo "Equal!"
    "Equal!"
    [Pipeline] }
    [Pipeline] // withCredentials
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    Finished: SUCCESS

Note that this plugin binds the variable directly to the closure and not the environment as the other, e.g. I can use the variable SECRET directly.

Jon S answered Sep 21 '22 11:09

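
An added example, not taken from either answer: a scripted pipeline that binds credentials with withCredentials and lets the agent's shell expand them at run time, instead of interpolating them into a Groovy string as the bat step in the second answer does. The credential ID deploy-login, deploy.cmd and the example.invalid URL are assumptions made for illustration; my-pass is the ID used in the first answer.

```groovy
// Added example, scripted pipeline. Assumed names: 'deploy-login' (a
// username/password credential), deploy.cmd and the example.invalid URL.
// 'my-pass' is the secret-text credential ID from the first answer.
node {
    withCredentials([
        string(credentialsId: 'my-pass', variable: 'PW1'),
        usernamePassword(credentialsId: 'deploy-login',
                         usernameVariable: 'DEPLOY_USER',
                         passwordVariable: 'DEPLOY_PASS')
    ]) {
        // Weak form (left commented out): with double quotes, Groovy substitutes
        // the secret before the step runs, so the literal value becomes part of
        // the script text handed to the agent, and any special characters in it
        // are parsed as script syntax.
        // bat "deploy.cmd ${PW1}"

        if (isUnix()) {
            // Single quotes: Groovy passes the text through unchanged and the
            // shell reads the values from the environment of the step.
            sh 'curl --fail -u "$DEPLOY_USER:$DEPLOY_PASS" https://example.invalid/deploy'
        } else {
            // Same idea on a Windows agent: cmd.exe expands %VAR% at run time.
            bat 'curl --fail -u "%DEPLOY_USER%:%DEPLOY_PASS%" https://example.invalid/deploy'
            // deploy.cmd (hypothetical) is assumed to read PW1 from its own
            // environment, so the secret never appears in the pipeline text.
            bat 'deploy.cmd'
        }

        // Console masking is a match on the exact bound value in the log
        // output. It guards against accidental printing; it is not an access
        // control on the credential itself.
    }
    // Outside the withCredentials block the variables are no longer bound.
}
```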