How to use `inject-passwords` in Jenkins job Builder?

Question

I am using a yaml file to configure a jenkins job, and I came across the feature inject-passwords (see here). However, this documentation neither describes on how to use the variable within the jenkins environment, nor what 'encrypted' password means (How to encrypt?). The link leading to the EnvInjectPlugin also does not have the required information.

Where can I find useful information/documentation? And why is this documentation so incomplete?

Context:

I want to inject passwords in a safe way into a jenkins job. In this jenkins job I want to use this password as a password to log in to an online service in order to test several aspects of that service. I need the test script to get that password (environment variable?) to be able to log in to a service.

Open questions not answered in the referenced documentation:

• Where is the information that the Name of password (here) is the environment variable name?
• Where is the information in how to encrypt the password: password (str) Encrypted password (see here)

Answer 1

The documentation for the password injection is not useable. Therefore I provide a complete example here.

First, you ned to get the encryped password.

1. Go to the configuration part of a Jenkins Job that can be safely modified. For example the one you are currently trying to setup.
2. In the "Build Environment" section, click on the "Inject passwords to the build as environment variables".
3. Write your plain password with a dummy variable name and save the configuration. This step will encrypt the password behind the hood.
4. Go to the "Job Config History" tab of the Job and look at the latest RAW XML configuration file. You will find in the XML your encrypted password that can be copied for the next step.

Second step, you need to put the password in the yaml file as follows:

wrappers:
     - inject-passwords:
        global: true
        mask-password-params: true
        job-passwords:
            - name: TEST_USER_PASSWORD
              password: '{AQAAABAAAAAQvsFFVkOmzr5WzEhX8OWuK7mizr5xzEhX8lGo2AGMVw8=}'
            - name: TEST_USER_PASSWORD2
              password: '{AQAAABAAAAAQvsFFVkOmzr5xzEhX8lGo2AcPGMVw8b8SflGo2AcPGMVw8=}'

Note: The password are in quotes AND in curly brackets.

Third step: In jenkins you can use the environment variables TEST_USER_PASSWORD and TEST_USER_PASSWORD2. These variables will contain the decrypted password, but when you print them out, jenkins will notice there is a password in the log, which jenkins will obfuscate.

Example:

Actual output

My password is jddfdjh44y98dyghsdgdgfdg

Jenkins log output

My password is [********]

You can print the content of the variable step-by-step to get the password (to check that it works).

Answer 2

In the documentation the author explains that the plugin "Inject passwords to the build as environment variables" and therefore, as pointed by Alexandre Cartapanis, are accessible as environment variables by their name ($password_name). This information is spreaded in two sites: in the YAML documentation they say that "Inject passwords to the build as environment variables. Requires the Jenkins EnvInject Plugin", the EnvInject Plugin page states that "Shared Objects plugin contributes to Envinject plugin that enables you to populate shared objects as environment variables". In this post you may find an example of attempting to access the variable by its name - which is available only in build time.

When stored, Jenkins makes sure passwords are encrypted. As long as I understand, will be decrypted just for the purpose of being passed as variable where required for the job - as would be done with any credential.

Some additional information regarding how EnvInject plugin works is provided on links to other related plugins, such as Shared Objects plugin

As long as you just use the password as environment variable and do not log its value, is safe to use it that way. Same approach or by refering to password's ID is used ex.: in Jenkins pipeline to access SCM credentials.