-
New Feature
-
Resolution: Duplicate
-
Major
The mask-passwords-plugin does not enable global or even locally defined variables within the block when used in a pipeline/workflow job. I have configured a global password variable "MARATHON_PASSWORD". You'll see that I've tried referencing variables in two ways (echo and sh)
Example job config:
node { stage 'Test Mask Passwords in Pipeline' wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: 'thePassword', var: 'MY_PASSWORD']]]) { echo "retrive MY_PASSWORD by var = ${env.MY_PASSWORD}" sh 'echo retrieve MY_PASSWORD by var = $MY_PASSWORD' echo "retrieve MARATHON_PASSWORD by var = ${env.MARATHON_PASSWORD}" sh 'echo retrieve MARATHON_PASSWORD by var = $MARATHON_PASSWORD' echo "masking MY_PASSWORD value works = thePassword" sh 'echo masking MY_PASSWORD value works = thePassword' } }
Output from running job:
[Pipeline] Allocate node : Start Running on jenlxs7 in /apps/jenkins/slave1/workspace/CWL/AAA-TestPipeline [Pipeline] node { [Pipeline] stage (Test Mask Passwords in Pipeline) Entering stage Test Mask Passwords in Pipeline Proceeding [Pipeline] General Build Wrapper : Start [Pipeline] wrap { retrive MY_PASSWORD by var = null [Pipeline] echo [Pipeline] sh [AAA-TestPipeline] Running shell script + echo retrieve MY_PASSWORD by var = retrieve MY_PASSWORD by var = [Pipeline] echo retrieve MARATHON_PASSWORD by var = null [Pipeline] sh [AAA-TestPipeline] Running shell script + echo retrieve MARATHON_PASSWORD by var = retrieve MARATHON_PASSWORD by var = [Pipeline] echo masking MY_PASSWORD value works = ******** [Pipeline] sh [AAA-TestPipeline] Running shell script + echo masking MY_PASSWORD value works = ******** masking MY_PASSWORD value works = ******** [Pipeline] } //wrap [Pipeline] General Build Wrapper : End [Pipeline] } //node [Pipeline] Allocate node : End [Pipeline] End of Pipeline Finished: SUCCESS
As you can see, the plugin does effectively mask the value of given passwords when you use the value directly within the block. However, you should be able to use the password via it's variable name.
- duplicates
-
JENKINS-36007 Way to mask arbitrary Secret (was: Password is clear on log with input parameter)
-
- Open
-
The plugin merely masks passwords, it does not set them.
What you are looking for is the Credentials Binding plugin, which has a Pipeline step and both binds passwords (and other secrets) to environment variables, and masks their values where they appear inside the block.