How to mask a password field in Jenkins Pipeline project?

Question

When a password property is defined in a Jenkinsfile:

properties([
    parameters([
        password(name: 'KEY', description: 'Encryption key')
    ])
])

Jenkins prompts users to provide its value every time the pipeline is executed:

I want this parameter to be masked so that echo ${KEY} does not print the actual value passed by the user. However, at the moment echoing it prints the provided value verbatim:

properties([
    parameters([
        password(name: 'KEY', description: 'Encryption key')
    ])
])

node {
    stage('Stage 1') {
        # Will print the actual value of the KEY, verbatim
        sh "echo ${KEY}"
    }
}

Also it seems that the Mask Passwords plugin does not work with Jenkins pipelines, so using that is not an option.

Is there a way to mask these password-typed parameters in the build logs?

Answer 1

You'll want to use the mask passwords plugin. Here's a Jenkinsfile example taken from my shared pipeline library.

properties([
    parameters([
        password(name: 'KEY', description: 'Encryption key')
    ])  
])  

node {
    stage('Stage 1') {
       // Will print the masked value of the KEY, replaced with ****
       wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'KEY', password: KEY]], varMaskRegexes: []]) {
            sh "echo ${KEY}"
        }   
    }   
}

Other than existing suggestions on withCredentials, there's not much to add. However, of you're automatically generating your jobs via templates and you're setting a default password, then you might want to make use of hudson.util.Secret to secure your templates.