I've tried to use hashicorp-vault-plugin with Jenkins 2.9 and found out that retrieved secrets are stored in build.xml like other env vars.

          [JENKINS-37201] Do not store retrieved secrets in build.xml.

          Jason Antman added a comment -

          ptierno I just happened by this. The mask-passwords plugin ( https://github.com/jenkinsci/mask-passwords-plugin ) might have some code of interest here, as it handles a very similar use case.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Peter Tierno
          Path:
          src/main/java/com/datapipe/jenkins/vault/MaskingConsoleLogFilter.java
          src/main/java/com/datapipe/jenkins/vault/VaultBuildWrapper.java
          src/test/java/com/datapipe/jenkins/vault/VaultBuildWrapperTest.java
          http://jenkins-ci.org/commit/hashicorp-vault-plugin/0781c2515a64ae6e53b0e9241ddaadcad1ddd431
          Log:
          Merge pull request #2 from tobilarscheid/master

          Fixes JENKINS-39383, JENKINS-37201

          Automatically mask credentials from build log

          Compare: https://github.com/jenkinsci/hashicorp-vault-plugin/compare/b8c7fcb19161...0781c2515a64

          Peter Tierno added a comment -

          Fixed in PR #2


          Tobias Larscheid added a comment -

          Are you sure that my PR fixes this one as well? I thought the build.xml thing happens because of env vars, not because of logging. Maybe meshok0 can provide some more insight?

          Peter Tierno added a comment -

          I reopened this. If someone can show me an example of vault secrets stored in build.xml I would appreciate it. I have been unable to replicate this.

          Tobias Larscheid added a comment -

          Probably this only happens if you use the plugin on build level and not as a wrapper in a Jenkinsfile script?

          Raphael Pigulla added a comment -

          The secrets are still being shown in the build log, e.g. when passing them to Docker via --env MY_PASS=${PASS_FROM_VAULT}

          Tobias Larscheid added a comment -

          Hi muddyb0y, I already solved this: https://github.com/jenkinsci/hashicorp-vault-plugin/pull/2

          The new version is however still not in the Jenkins plugin repo... ptierno knows more about this.

          Raphael Pigulla added a comment - edited

          Ah, thanks for the update. In the meantime I've used the mask-passwords plugin, which gets the job done, but one has to be very careful not to miss anything. So looking forward to the new release.

          Peter Tierno added a comment -

          This has been released in v1.3. Should be available via update center soon.
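Value-based log masking of the kind this thread discusses, as an added example in plain JDK Java; it is not code from hashicorp-vault-plugin or mask-passwords-plugin. The class name, the secret values and the image name are constructed for illustration. It only rewrites log text and says nothing about what a build persists elsewhere, such as build.xml.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Comparator;
import java.util.List;
import java.util.regex.Pattern;

/** Added illustration (hypothetical class): masks known secret values in log lines. */
public class LogMaskDemo {
    static final String MASK = "****";

    /** Builds one alternation of literal secrets; empty values are skipped, longest values go first. */
    static Pattern compile(List<String> secrets) {
        List<String> quoted = new ArrayList<>();
        secrets.stream()
               .filter(s -> s != null && !s.isEmpty())      // an empty alternative would match everywhere
               .sorted(Comparator.comparingInt(String::length).reversed()) // avoid masking only a prefix
               .forEach(s -> quoted.add(Pattern.quote(s))); // secrets may contain regex metacharacters
        return quoted.isEmpty() ? null : Pattern.compile(String.join("|", quoted));
    }

    /** Replaces every occurrence of a known secret in one log line. */
    static String mask(Pattern p, String line) {
        return p == null ? line : p.matcher(line).replaceAll(MASK);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        String pass = "s3cr3t$(x)";
        Pattern p = compile(List.of(pass, "s3cr3t", ""));
        String b64 = Base64.getEncoder().encodeToString(pass.getBytes(StandardCharsets.UTF_8));
        String[] log = {
            "+ docker run --env MY_PASS=" + pass + " example/image",
            "token prefix: s3cr3t",
            "Authorization: Basic " + b64   // same secret, encoded by a build step
        };
        for (String line : log) {
            System.out.println(mask(p, line));
        }
    }
}
```

Run it with `java LogMaskDemo.java` on Java 11 or later. The first two lines come out masked, while the Base64 form of the same value is printed unchanged, because the filter matches literal values only.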

            ptierno Peter Tierno
            meshok0 Alexey Kukushkin