Jenkins Credentials Store Access via Groovy

The official solution in the Jenkins wiki

Printing a list of all the credentials in the system and their IDs.

def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
        com.cloudbees.plugins.credentials.Credentials.class,
        Jenkins.instance,
        null,
        null
);
for (c in creds) {
    println(c.id + ": " + c.description)
}

If you just want to retrieve the credentials for a given credentials ID, the simplest way is to use the withCredentials pipeline step to bind credentials to variables.

withCredentials([usernamePassword( credentialsId: 'myCredentials', 
                     usernameVariable: 'MYUSER', passwordVariable: 'MYPWD' )]) { 
    echo "User: $MYUSER, Pwd: $MYPWD" 
}

One liner to get the value of a credential

Assuming...

def CREDENTIAL_ID = "<key_credential_id>"

One liner to get a private key credential:

See ssh credentials implementations for methods to extract values

def PRIVATE_KEY = com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getStore().getCredentials(com.cloudbees.plugins.credentials.domains.Domain.global()).find { it.getId().equals(CREDENTIAL_ID) }.getPrivateKey()

One liner to get a username/password credential:

See username password credentials implementations for methods to extract values

def PASSWORD = com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getStore().getCredentials(com.cloudbees.plugins.credentials.domains.Domain.global()).find { it.getId().equals(CREDENTIAL_ID) }.getPassword()
def USERNAME = com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getStore().getCredentials(com.cloudbees.plugins.credentials.domains.Domain.global()).find { it.getId().equals(CREDENTIAL_ID) }.getUsername()

One liner to get a string credential:

See plain credentials implementation for methods to extract values

def SECRET = com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getStore().getCredentials(com.cloudbees.plugins.credentials.domains.Domain.global()).find { it.getId().equals(CREDENTIAL_ID) }.getSecret().getPlainText()

This allows you to do things like injecting credentials into a docker agent:

def CREDENTIAL_ID = "<key_credential_id>"
def SECRET = com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getStore().getCredentials(com.cloudbees.plugins.credentials.domains.Domain.global()).find { it.getId().equals(CREDENTIAL_ID) }.getSecret().getPlainText()
pipeline {
    agent {
        dockerfile {
            filename "build/Jenkins.Dockerfile"
            additionalBuildArgs "--build-arg SECRET=${SECRET}"
        }
    }
    ...
}

This works. It gets the credentials rather than the store.

I didn't write any error handling so it blows up if you don't have a credentials object set up (or probably if you have two). That part is easy to add though. The tricky part is getting the right APIs!

def getPassword = { username ->
    def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
        com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials.class,
        jenkins.model.Jenkins.instance
    )

    def c = creds.findResult { it.username == username ? it : null }

    if ( c ) {
        println "found credential ${c.id} for username ${c.username}"

        def systemCredentialsProvider = jenkins.model.Jenkins.instance.getExtensionList(
            'com.cloudbees.plugins.credentials.SystemCredentialsProvider'
        ).first()

        // Takes the first credential in the system store, which is the matched
        // one only when a single credential is configured.
        def password = systemCredentialsProvider.credentials.first().password

        println password
    } else {
        println "could not find credential for ${username}"
    }
}

getPassword("jeanne")
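The lookups above either dereference the result of `find` directly or take the first stored entry, so a missing or mistyped ID surfaces as a NullPointerException or as the wrong credential. The following is an added example, not code from any of the answers or from the Jenkins project: a lookup by ID and type that fails with a clear message, plus an inventory that prints no secret material. It assumes the Credentials plugin is installed and the script runs in the script console as an administrator; `findCredential` is a hypothetical helper name.

```groovy
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import hudson.security.ACL
import jenkins.model.Jenkins

// Hypothetical helper: return exactly one credential of the given type and ID,
// or throw with a message that says what went wrong.
def findCredential(String id, Class type) {
    def all = CredentialsProvider.lookupCredentials(
        type, Jenkins.instance, ACL.SYSTEM, Collections.emptyList())
    def matches = all.findAll { it.id == id }
    if (matches.isEmpty()) {
        throw new IllegalArgumentException(
            "no ${type.simpleName} with ID '${id}' (${all.size()} of that type visible)")
    }
    if (matches.size() > 1) {
        throw new IllegalStateException(
            "ID '${id}' is ambiguous: ${matches.size()} matches")
    }
    return matches.first()
}

// Inventory: ID, implementation class and description only.
CredentialsProvider.lookupCredentials(
        StandardCredentials, Jenkins.instance, ACL.SYSTEM, Collections.emptyList())
    .each { println "${it.id}\t${it.class.simpleName}\t${it.description ?: ''}" }

def CREDENTIAL_ID = '<key_credential_id>'   // placeholder, as in the answers above
try {
    def c = findCredential(CREDENTIAL_ID, StandardUsernamePasswordCredentials)
    // Confirm the match without writing the password to the console log.
    println "found ${c.id} for username ${c.username}"
} catch (IllegalArgumentException | IllegalStateException e) {
    println "lookup failed: ${e.message}"
}
```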