linux jenkins amazon-s3 sensitive-data

Need to mask sensitive information in Jenkins


I have a scenario where, when we run a Jenkins build, we download sensitive data from the S3 bucket, and the information we download is set as environment variables. But the downloaded information is being spat out, and I need to mask the whole stage! Is there any way to mask the whole stage?

I tried looking into the Mask Passwords plugin (https://wiki.jenkins.io/display/JENKINS/Mask+Passwords+Plugin) for Jenkins but was not able to get the point.

stage('create secrets') {
    steps {
        script {
            // Load key=value pairs and pass them to the shell as environment variables
            def propMap = readProperties file: "environments/test/envs"
            def properties = propMap.collect { key, value -> return key + '=' + value }

            if (testenv()) {
                withAWS([role: "${propMap['ASSUME_ROLE_ARN']}", region: "${propMap['REGION']}"]) {
                    withEnv(properties) {
                        sh '''
                           aws s3 cp s3://${test-BUCKET}/ssl-certs/ . --recursive
                           export SSL_KEY="$(cat ./server.key | base64 -w 0)"
                           export SSL_CERT="$(cat ./server.cert | base64 -w 0)"
                           export SQL_ALCH="$(echo -n $SQL_ALCH | base64 -w 0)"
                           export SUPER_USER_GROUP="$(echo -n $SUPER_USER_GROUP | base64 -w 0)"

                        '''
                    }
                }
            }
        }
    }
}

When I run Jenkins with the above stage, it shows the sensitive information of the user group and everything else in the console output. I need to mask the whole information.


Solution

  • You can put in a "set +x" just before the aws s3... and "set -x" after you've executed commands that output secrets. This will disable the echo of results to the console.

    sh '''
       set +x
       aws s3 cp s3://${test-BUCKET}/ssl-certs/ . --recursive
       export SSL_KEY="$(cat ./server.key | base64 -w 0)"
       export SSL_CERT="$(cat ./server.cert | base64 -w 0)"
       export SQL_ALCH="$(echo -n $SQL_ALCH | base64 -w 0)"
       export SUPER_USER_GROUP="$(echo -n $SUPER_USER_GROUP | base64 -w 0)"
       set -x
       '''
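
The effect of `set +x` can be checked outside Jenkins. The following is an added example, not part of the original answer: it runs a reduced version of the stage's shell body under `sh -x` (the tracing mode the answer is switching off) and compares the captured console text with and without the `set +x` / `set -x` wrapper. The function names, `STEP_BODY` and the sample secret are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample value standing in for a secret such as SQL_ALCH.
SAMPLE_SECRET='constructed-demo-value'

# One line of the stage's shell body, reduced to a single variable.
# printf %s replaces echo -n, and "base64 | tr -d" replaces "base64 -w 0", for portability.
STEP_BODY='ENC="$(printf %s "$SECRET" | base64 | tr -d "\n")"; export ENC'

# Run the body with xtrace on and return everything the console would show.
console_default() {
    SECRET="$1" sh -xc "$STEP_BODY; echo 'stage done'" 2>&1
}

# Same body wrapped in set +x / set -x, as in the answer.
console_masked() {
    SECRET="$1" sh -xc "set +x; $STEP_BODY; set -x; echo 'stage done'" 2>&1
}

# Exit 0 when console text $1 contains secret $2, raw or base64-encoded.
leaks() {
    enc="$(printf %s "$2" | base64 | tr -d '\n')"
    case "$1" in
        *"$2"*|*"$enc"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report what each variant exposes in its captured console text.
for mode in default masked; do
    out="$(console_$mode "$SAMPLE_SECRET")"
    if leaks "$out" "$SAMPLE_SECRET"; then
        echo "$mode: secret visible in console text"
    else
        echo "$mode: secret not in console text"
    fi
done
```

The trace expands variables before printing each command, so the unwrapped run exposes both the raw value and its base64 form; base64 is an encoding, so either one in a build log is a disclosure.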