jenkinsyamljenkins-job-builder

How to use `inject-passwords` in Jenkins job Builder?


I am using a yaml file to configure a jenkins job, and I came across the feature inject-passwords (see here). However, this documentation neither describes on how to use the variable within the jenkins environment, nor what 'encrypted' password means (How to encrypt?). The link leading to the EnvInjectPlugin also does not have the required information.

Where can I find useful information/documentation? And why is this documentation so incomplete?

Context:

I want to inject passwords in a safe way into a jenkins job. In this jenkins job I want to use this password as a password to log in to an online service in order to test several aspects of that service. I need the test script to get that password (environment variable?) to be able to log in to a service.

Open questions not answered in the referenced documentation:


Solution

  • The documentation for the password injection is not useable. Therefore I provide a complete example here.

    First, you ned to get the encryped password.

    1. Go to the configuration part of a Jenkins Job that can be safely modified. For example the one you are currently trying to setup.
    2. In the "Build Environment" section, click on the "Inject passwords to the build as environment variables".
    3. Write your plain password with a dummy variable name and save the configuration. This step will encrypt the password behind the hood.
    4. Go to the "Job Config History" tab of the Job and look at the latest RAW XML configuration file. You will find in the XML your encrypted password that can be copied for the next step.

    Second step, you need to put the password in the yaml file as follows:

    wrappers:
         - inject-passwords:
            global: true
            mask-password-params: true
            job-passwords:
                - name: TEST_USER_PASSWORD
                  password: '{AQAAABAAAAAQvsFFVkOmzr5WzEhX8OWuK7mizr5xzEhX8lGo2AGMVw8=}'
                - name: TEST_USER_PASSWORD2
                  password: '{AQAAABAAAAAQvsFFVkOmzr5xzEhX8lGo2AcPGMVw8b8SflGo2AcPGMVw8=}'
    

    Note: The password are in quotes AND in curly brackets.

    Third step: In jenkins you can use the environment variables TEST_USER_PASSWORD and TEST_USER_PASSWORD2. These variables will contain the decrypted password, but when you print them out, jenkins will notice there is a password in the log, which jenkins will obfuscate.

    Example:

    Actual output

    My password is jddfdjh44y98dyghsdgdgfdg
    

    Jenkins log output

    My password is [********]
    

    You can print the content of the variable step-by-step to get the password (to check that it works).