[JENKINS-36470] Parameter Expression throws CredentialNotFoundException

Type: Bug
Resolution: Not A Defect
Priority: Major
Component/s: credentials-binding-plugin, credentials-plugin
Labels:
None
Environment:

Hide
Jenkins ver. 1.648

os.arch amd64
os.name Linux
os.version 4.2.0-38-generic
java.runtime.name OpenJDK Runtime Environment
java.runtime.version 1.7.0_101-b00
java.vm.name OpenJDK 64-Bit Server VM

Plugins:
plain-credentials 1.2 true false
credentials 2.1.4 true false
credentials-binding 1.8 true false

Show
Jenkins ver. 1.648 os.arch amd64 os.name Linux os.version 4.2.0-38-generic java.runtime.name OpenJDK Runtime Environment java.runtime.version 1.7.0_101-b00 java.vm.name OpenJDK 64-Bit Server VM Plugins: plain-credentials 1.2 true false credentials 2.1.4 true false credentials-binding 1.8 true false

Similar Issues:
Powered by SuggestiMate

Show

When configuring a job with credentials binding the 'specific credentials' do work but when I try to use the 'parameter expression' it always fails with the following message:

[EnvInject] - Loading node environment variables.
[EnvInject] - Preparing an environment for the build.
[EnvInject] - Keeping Jenkins system variables.
[EnvInject] - Keeping Jenkins build variables.
[EnvInject] - Evaluation the following Groovy script content: 
println "secret_file_id:" + secret_file_id

secret_file_id:keystore
[EnvInject] - Injecting contributions.
Building on master in workspace /var/lib/jenkins/workspace/Credential-binding-parameter-expression
FATAL: ${secret_file_id}
org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: ${secret_file_id}
	at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:124)
	at org.jenkinsci.plugins.credentialsbinding.impl.FileBinding.bindSingle(FileBinding.java:52)
	at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:133)
	at org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper.setUp(SecretBuildWrapper.java:58)
	at hudson.model.Build$BuildExecution.doRun(Build.java:156)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
	at hudson.model.Run.execute(Run.java:1738)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:410)
Finished: FAILURE

As shown in config-attachment the referenced secret file (ID: 'keystore') is found when using the specific credentials option. When I try to load it dynamically with the parameter expression using ${secret_file_id} the exception is thrown.

I've spend a fair amount of time testing with different settings for credentials and plugin versions but none fixed my issue. I've attached an example job configuration that mimics my issue.

Basically the one I'm trying to achieve is a job that based upon a parameter builds and signs an Android app. The parameter is either supplied through a properties file inside a git repo or by making the build 'parameterized'. Any help would be appreciated!

Cheers, Erik

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

bot-config.xml
2 kB
2016-07-06 10:01
config.png
59 kB
2016-07-06 10:02
environment-variables.png
290 kB
2016-07-06 10:01

Stephen Connolly added a comment - 2016-07-21 11:09

For security reasons, the only parameters that can be expanded are Credentials Parameters as this is the only parameter type that allows us to determine whether

the supplied value is the default (and hence can be searched using the authentication that the build is running as but cannot be searched from the user who triggered the build's credentials stores)
the supplied value was a user configured value and thus can be searched from the user's credentials store (and optionally the authentication stores of the user the build is running as provided that the user who triggered the build has the permission to use those credentials)

If you change the parameter to a Credentials Parameter then the expansion works.

Stephen Connolly added a comment - 2016-07-21 11:09 For security reasons, the only parameters that can be expanded are Credentials Parameters as this is the only parameter type that allows us to determine whether the supplied value is the default (and hence can be searched using the authentication that the build is running as but cannot be searched from the user who triggered the build's credentials stores) the supplied value was a user configured value and thus can be searched from the user's credentials store (and optionally the authentication stores of the user the build is running as provided that the user who triggered the build has the permission to use those credentials) If you change the parameter to a Credentials Parameter then the expansion works.

Kenneth Younger added a comment - 2017-04-06 14:48

This bit me, too. Glad I found this to help explain. Might be worth a quite note on the plugin's homepage that this is intended functionality. (Even just copying the comment above would probably suffice.)

Kenneth Younger added a comment - 2017-04-06 14:48 This bit me, too. Glad I found this to help explain. Might be worth a quite note on the plugin's homepage that this is intended functionality. (Even just copying the comment above would probably suffice.)

Jenkins

Details

Description

Attachments

Attachments

Activity

Collapse comment: Stephen Connolly added a comment - 2016-07-21 11:09

Expand comment: Stephen Connolly added a comment - 2016-07-21 11:09

Collapse comment: Kenneth Younger added a comment - 2017-04-06 14:48

Expand comment: Kenneth Younger added a comment - 2017-04-06 14:48

People

Dates