Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-32402

Credentials binding fails to find creds when using a Parameterized Expression, but only for timed jobs

      This job attempts to:

      • Take a parameter GAMESPARKS_CREDS_ID as creds
      • Use Credentials Binding to convert the creds into an environment variable GAMESPARKS_CREDS that is the concatenation of username:password for use in a shell script
      • Do so every 2 minutes

      When triggered manually, it works fine. But when triggered by the timer, it fails with the following message:

      FATAL: ${GAMESPARKS_CREDS_ID}
      org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: ${GAMESPARKS_CREDS_ID}
      	at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:124)
      	at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordBinding.bindSingle(UsernamePasswordBinding.java:50)
      	at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:126)
      	at org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper.setUp(SecretBuildWrapper.java:58)
      	at hudson.model.Build$BuildExecution.doRun(Build.java:156)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
      	at hudson.model.Run.execute(Run.java:1744)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:98)
      	at hudson.model.Executor.run(Executor.java:374)
      Finished: FAILURE
      

      If there's a better way to make credentials available in a build script, I'm open to that.

          [JENKINS-32402] Credentials binding fails to find creds when using a Parameterized Expression, but only for timed jobs

          Jesse Glick added a comment -

          Possibly a duplicate of JENKINS-35490?

          Jesse Glick added a comment - Possibly a duplicate of JENKINS-35490 ?

          I am currently running into what I believe to be the same issue as maskmaster. I have a job that is triggered by git push, which has a few promotions for different environments. The promotions all trigger the same deployment job with different values for the credential parameter. When I run the promotion I get the CredentialNotFoundException, while triggering the deployment manually works perfectly fine. When comparing the two builds (manual vs promoted) they look absolutely identical, both showing the credentials that I provided as well as the respective environment variable.
          It's not obvious to me how exactly these invocations differ from each other, so I don't know if this is a bug or a configuration mistake on my side.

          André Bierlein added a comment - I am currently running into what I believe to be the same issue as maskmaster . I have a job that is triggered by git push, which has a few promotions for different environments. The promotions all trigger the same deployment job with different values for the credential parameter. When I run the promotion I get the CredentialNotFoundException, while triggering the deployment manually works perfectly fine. When comparing the two builds (manual vs promoted) they look absolutely identical, both showing the credentials that I provided as well as the respective environment variable. It's not obvious to me how exactly these invocations differ from each other, so I don't know if this is a bug or a configuration mistake on my side.

          Alexandre Aubert added a comment - - edited

          Hi,

          I'm facing the same issue, here is the description :

          I have a multibranch pipeline that triggered another job with parameters, here is the trigger block :

          build job: 'Archis/front-s3-deployer',
          parameters: [
          string(name: 'SourcePackagePath', value: "Internal/DataViz/Vega/${env.BRANCH_NAME}/Binary/${env.BUILD_NUMBER}/"),
          string(name: 'SourcePackageName', value: 'vega.zip'),
          string(name: 'DestinationBucket', value: 'datavizclouddev.net'),
          string(name: 'DestinationPath', value: 'vega/'),
          [$class: 'CredentialsParameterValue', description: 'Credentials used to write on the destination bucket', name: 'StoredAccessKeyName', value: 'aws-dataviz']
          ]

          If i launch this job manually, parameters are well passed to second job and second job builds ok :

          Started by upstream project "DataViz/VegaWebApp/Vega-Deploy/dev" build number 159
          originally caused by:
          Started by user Alexandre
          [EnvInject] - Loading node environment variables.
          Building remotely on Archis - awsbld001 (Archis BDXBLD013 -) in workspace /home/admin/jenkins/workspace/Archis/front-s3-deployer
          [WS-CLEANUP] Deleting project workspace...
          [WS-CLEANUP] Done
          [front-s3-deployer] $ /bin/sh -xe /tmp/hudson5564189863560131079.sh
          ...

          If this job is trigger automatically, i can see that parameters are well passed to second job (by checking the 'parameters' page of the triggered build : all values are well populated - exactly as for the manually triggered run) but i got an error message when second job's build starts :

          Started by upstream project "DataViz/VegaWebApp/Vega-Deploy/dev" build number 160
          originally caused by:
          Branch indexing
          [EnvInject] - Loading node environment variables.
          Building remotely on Archis - awsbld001 (Archis BDXBLD013 -) in workspace /home/admin/jenkins/workspace/Archis/front-s3-deployer
          [WS-CLEANUP] Deleting project workspace...
          [WS-CLEANUP] Done
          FATAL: ${StoredAccessKeyName}
          org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: ${StoredAccessKeyName}
          at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:131)
          at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:93)
          at org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper.setUp(SecretBuildWrapper.java:96)
          at hudson.model.Build$BuildExecution.doRun(Build.java:156)
          at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
          at hudson.model.Run.execute(Run.java:1729)
          at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
          at hudson.model.ResourceController.execute(ResourceController.java:98)
          at hudson.model.Executor.run(Executor.java:404)
          Notifying upstream projects of job completion
          ...

          Environment :

          Jenkins 2.41
          Credential-bindings 1.10
          Credentials Plugin 2.1.10
          CloudBees Amazon Web Services Credentials Plugin 1.17

          Alexandre Aubert added a comment - - edited Hi, I'm facing the same issue, here is the description : I have a multibranch pipeline that triggered another job with parameters, here is the trigger block : build job: 'Archis/front-s3-deployer', parameters: [ string(name: 'SourcePackagePath', value: "Internal/DataViz/Vega/${env.BRANCH_NAME}/Binary/${env.BUILD_NUMBER}/"), string(name: 'SourcePackageName', value: 'vega.zip'), string(name: 'DestinationBucket', value: 'datavizclouddev.net'), string(name: 'DestinationPath', value: 'vega/'), [$class: 'CredentialsParameterValue', description: 'Credentials used to write on the destination bucket', name: 'StoredAccessKeyName', value: 'aws-dataviz'] ] If i launch this job manually, parameters are well passed to second job and second job builds ok : Started by upstream project "DataViz/VegaWebApp/Vega-Deploy/dev" build number 159 originally caused by: Started by user Alexandre [EnvInject] - Loading node environment variables. Building remotely on Archis - awsbld001 (Archis BDXBLD013 -) in workspace /home/admin/jenkins/workspace/Archis/front-s3-deployer [WS-CLEANUP] Deleting project workspace... [WS-CLEANUP] Done [front-s3-deployer] $ /bin/sh -xe /tmp/hudson5564189863560131079.sh ... If this job is trigger automatically, i can see that parameters are well passed to second job (by checking the 'parameters' page of the triggered build : all values are well populated - exactly as for the manually triggered run) but i got an error message when second job's build starts : Started by upstream project "DataViz/VegaWebApp/Vega-Deploy/dev" build number 160 originally caused by: Branch indexing [EnvInject] - Loading node environment variables. Building remotely on Archis - awsbld001 (Archis BDXBLD013 -) in workspace /home/admin/jenkins/workspace/Archis/front-s3-deployer [WS-CLEANUP] Deleting project workspace... [WS-CLEANUP] Done FATAL: ${StoredAccessKeyName} org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: ${StoredAccessKeyName} at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:131) at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:93) at org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper.setUp(SecretBuildWrapper.java:96) at hudson.model.Build$BuildExecution.doRun(Build.java:156) at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534) at hudson.model.Run.execute(Run.java:1729) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:404) Notifying upstream projects of job completion ... Environment : Jenkins 2.41 Credential-bindings 1.10 Credentials Plugin 2.1.10 CloudBees Amazon Web Services Credentials Plugin 1.17

          bryan patton added a comment - - edited

          I am having the same issue and to compound it when rebuilding the task it will work correctly. It appears to be a difference between Jenkins identifying the credentials and binding them or not.

          bryan patton added a comment - - edited I am having the same issue and to compound it when rebuilding the task it will work correctly. It appears to be a difference between Jenkins identifying the credentials and binding them or not.

          Same behavior here.

          For you information, I created new credentials and let Jenkins generating the ID instead of setting it and it worked.

          I hope that help 

          Mat

          Mathieu Beausoleil added a comment - Same behavior here. For you information, I created new credentials and let Jenkins generating the ID instead of setting it and it worked. I hope that help  Mat

          > For you information, I created new credentials and let Jenkins generating the ID instead of setting it and it worked.

          beausoleilm  i tried, creating a new credentials with generated ID does not fix the issue for me

          Guillaume Coré added a comment - > For you information, I created new credentials and let Jenkins generating the ID instead of setting it and it worked. beausoleilm   i tried, creating a new credentials with generated ID does not fix the issue for me

          Jesse Glick added a comment -

          Sounds like a user error. Credentials parameters could not be used across jobs like this. You would need to have the upstream extract the secret and then pass it downstream via a password parameter, I suppose.

          Jesse Glick added a comment - Sounds like a user error. Credentials parameters could not be used across jobs like this. You would need to have the upstream extract the secret and then pass it downstream via a password parameter, I suppose.

          Maksym Kit added a comment -

          I observe the same behavior. I have a Job A, which triggers Job B and passes an credentials ID using Jenkins Parameterized Trigger Plugin Predefined parameters. Job B project is parameterized and has Credentials Parameter specified. Job B also has "Use secret text(s) or file(s)" enabled (provided with Credentials Binding Plugin) and a corresponding binding specified.

          When I start Job A manually Job B will start correctly and have credentials resolved correctly, however when Job A is being triggered by GitHub push Job B will fail to resolve credentials.

          Sounds like a user error. Credentials parameters could not be used across jobs like this.

          Why?

          Maksym Kit added a comment - I observe the same behavior. I have a Job A, which triggers Job B and passes an credentials ID using Jenkins Parameterized Trigger Plugin Predefined parameters. Job B project is parameterized and has Credentials Parameter specified. Job B also has "Use secret text(s) or file(s)" enabled (provided with Credentials Binding Plugin) and a corresponding binding specified. When I start Job A manually Job B will start correctly and have credentials resolved correctly, however when Job A is being triggered by GitHub push Job B will fail to resolve credentials. Sounds like a user error. Credentials parameters could not be used across jobs like this. Why?

          Marco added a comment -

          Hello,

          I observe the same issue. As this is a quite old issue I would like to ask, if this will be fixed in near future.
          If it is an user error (as indicated above) I would like to know, how to resolve it. My goal is to have a single job to set up different databases (MS SQL, Oracle, DB2...) with different credentials. Jenkins Credential IDs are Global scope and configured as environment variables on the different Jenkins nodes. All is working fine, if I run the jobs by hand. It is not working via scheduler (Build periodically) or remotely (Trigger builds remotely (e.g., from scripts) as described at https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/ ).

          Best regards,
          Marco Wanck

           

          Marco added a comment - Hello, I observe the same issue. As this is a quite old issue I would like to ask, if this will be fixed in near future. If it is an user error (as indicated above) I would like to know, how to resolve it. My goal is to have a single job to set up different databases (MS SQL, Oracle, DB2...) with different credentials. Jenkins Credential IDs are Global scope and configured as environment variables on the different Jenkins nodes. All is working fine, if I run the jobs by hand. It is not working via scheduler (Build periodically) or remotely (Trigger builds remotely (e.g., from scripts) as described at https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/ ). Best regards, Marco Wanck  

          Noam Manos added a comment -

          As mwanck pointed out, this can occur when:

          Job A was triggered by timer (build periodically) --> Job A triggers Job B --> Job B uses credential binding with parameter expression.

           

          For some reason, Job B uses the "anonymous" user to evaluate the credentials, and thus fails with: "ERROR: Could not find credentials entry with ID".

           

          Trying to set "Access Control for Builds" to "Run as SYSTEM" (in Jenkins Configure Global Security), does not resolve it.

          Using "Run as specific user" with admin role, will even fail to launch Job A, in the first place, saying:

          ‘anonymous’ lacks permission to run on 'jnlp-agent’

           

          The only insecure workaround was to give user 'Anonymous' permission for 'Configure Job' (in Jenkins Manage Roles configuration).

          Noam Manos added a comment - As mwanck pointed out, this can occur when: Job A was triggered by timer (build periodically) --> Job A triggers Job B --> Job B uses credential binding with parameter expression.   For some reason, Job B uses the "anonymous" user to evaluate the credentials, and thus fails with: " ERROR: Could not find credentials entry with ID ".   Trying to set "Access Control for Builds" to "Run as SYSTEM" (in Jenkins Configure Global Security), does not resolve it. Using "Run as specific user" with admin role, will even fail to launch Job A, in the first place, saying: ‘anonymous’ lacks permission to run on 'jnlp-agent’   The only insecure workaround was to give user 'Anonymous' permission for 'Configure Job' (in Jenkins Manage Roles configuration).

            Unassigned Unassigned
            nirvine_bnsv Nick Irvine
            Votes:
            24 Vote for this issue
            Watchers:
            29 Start watching this issue

              Created:
              Updated: