Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-38963

User-scoped credentials cannot be looked up in pipeline

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      It's possible to look-up User-scoped credentials in Freestyle jobs with Bindings. The same seems not to work in pipeline jobs.

      node {
          withCredentials([[$class          : 'UsernamePasswordMultiBinding', credentialsId: 'bc047678-37b8-4747-95d8-c1a8b3df51a6',
                            usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
              echo "${env.USERNAME}"
          }
      }
      
      org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: bc047678-37b8-4747-95d8-c1a8b3df51a6
      	at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:124)
      	at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:68)
      	at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:92)
      

      Plugin versions:
      credentials-binding: 1.9
      credentials: 2.1.5

        Attachments

          Issue Links

            Activity

            vehovmar Martin Vehovsky created issue -
            vehovmar Martin Vehovsky made changes -
            Field Original Value New Value
            Summary User-scoped credentials cannot be looked up with pipeline User-scoped credentials cannot be looked up in pipeline
            vehovmar Martin Vehovsky made changes -
            Description It's possible to look-up User-scoped credentials in Freestyle jobs with Bindings. The same seems not to works in pipeline jobs.

            {code:java}
            node {
                withCredentials([[$class : 'UsernamePasswordMultiBinding', credentialsId: 'bc047678-37b8-4747-95d8-c1a8b3df51a6',
                                  usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
                    echo "${env.USERNAME}"
                }
            }
            {code}



            {code:java}
            org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: bc047678-37b8-4747-95d8-c1a8b3df51a6
            at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:124)
            at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:68)
            at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:92)
            {code}
            It's possible to look-up User-scoped credentials in Freestyle jobs with Bindings. The same seems not to work in pipeline jobs.

            {code:java}
            node {
                withCredentials([[$class : 'UsernamePasswordMultiBinding', credentialsId: 'bc047678-37b8-4747-95d8-c1a8b3df51a6',
                                  usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
                    echo "${env.USERNAME}"
                }
            }
            {code}



            {code:java}
            org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: bc047678-37b8-4747-95d8-c1a8b3df51a6
            at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:124)
            at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:68)
            at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:92)
            {code}
            vehovmar Martin Vehovsky made changes -
            Description It's possible to look-up User-scoped credentials in Freestyle jobs with Bindings. The same seems not to work in pipeline jobs.

            {code:java}
            node {
                withCredentials([[$class : 'UsernamePasswordMultiBinding', credentialsId: 'bc047678-37b8-4747-95d8-c1a8b3df51a6',
                                  usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
                    echo "${env.USERNAME}"
                }
            }
            {code}



            {code:java}
            org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: bc047678-37b8-4747-95d8-c1a8b3df51a6
            at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:124)
            at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:68)
            at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:92)
            {code}
            It's possible to look-up User-scoped credentials in Freestyle jobs with Bindings. The same seems not to work in pipeline jobs.

            {code:java}
            node {
                withCredentials([[$class : 'UsernamePasswordMultiBinding', credentialsId: 'bc047678-37b8-4747-95d8-c1a8b3df51a6',
                                  usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
                    echo "${env.USERNAME}"
                }
            }
            {code}



            {code:java}
            org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: bc047678-37b8-4747-95d8-c1a8b3df51a6
            at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:124)
            at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:68)
            at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:92)
            {code}

            Plugin versions:
            _credentials-binding: 1.9_
            _credentials: 2.1.5_
            Hide
            vehovmar Martin Vehovsky added a comment -

            Just found out, that it's possible to look-up user-scoped sredentials with '${Credentials}'

            node {
                withCredentials([[$class          : 'UsernamePasswordMultiBinding', credentialsId: '${Credentials}',
                                  usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
                }
            }
            

            Could someone please clarify documentation for this?
            Thank you

            Show
            vehovmar Martin Vehovsky added a comment - Just found out, that it's possible to look-up user-scoped sredentials with '${Credentials}' node { withCredentials([[$class : 'UsernamePasswordMultiBinding' , credentialsId: '${Credentials}' , usernameVariable: 'USERNAME' , passwordVariable: 'PASSWORD' ]]) { } } Could someone please clarify documentation for this? Thank you
            Hide
            eroussel Emmanuel Rousselle added a comment -

            I'm facing the same issue and it's not clear to me if:

            • It's a documentation problem (the plugin is able to fetch user-scope credentials but how to do this is absent from the documentation), OR
            • The plugin doesn't support fetching user-scope credentials at all

            Can someone familiar with the code clarify this?

            Thank you.

            Show
            eroussel Emmanuel Rousselle added a comment - I'm facing the same issue and it's not clear to me if: It's a documentation problem (the plugin is able to fetch user-scope credentials but how to do this is absent from the documentation), OR The plugin doesn't support fetching user-scope credentials at all Can someone familiar with the code clarify this? Thank you.
            Hide
            jglick Jesse Glick added a comment -

            Stephen Connolly knows more about user-scoped credentials. Possibly you need to use Authorized Project to associate an authentication with the build. There is no test case in this plugin that covers user-scoped credentials so as far as I am concerned it is not supported.

            Show
            jglick Jesse Glick added a comment - Stephen Connolly knows more about user-scoped credentials. Possibly you need to use Authorized Project to associate an authentication with the build. There is no test case in this plugin that covers user-scoped credentials so as far as I am concerned it is not supported.
            Hide
            stephenconnolly Stephen Connolly added a comment -

            So to fetch user scoped credentials there are one of two conditions that must be met, either:

            1. The build must be running as the user that owns the credentials (this requires the AuthorizedProject plugin be configured); or
            2. The credentials must come from a credentials parameter and be selected by the user and that user must have the Credentials/USE_OWN permission (typically implied by Job/BUILD unless you request them separated out by setting a system property). If you use the default credentials in the parameter, then those will not be searched for as the idea is to prevent the user's credentials being hijacked without an explicit selection by the user triggering the build

            Show
            stephenconnolly Stephen Connolly added a comment - So to fetch user scoped credentials there are one of two conditions that must be met, either: 1. The build must be running as the user that owns the credentials (this requires the AuthorizedProject plugin be configured); or 2. The credentials must come from a credentials parameter and be selected by the user and that user must have the Credentials/USE_OWN permission (typically implied by Job/BUILD unless you request them separated out by setting a system property). If you use the default credentials in the parameter, then those will not be searched for as the idea is to prevent the user's credentials being hijacked without an explicit selection by the user triggering the build
            jglick Jesse Glick made changes -
            Labels pipeline
            jglick Jesse Glick made changes -
            Labels pipeline documentation pipeline
            Hide
            cchapman Clint Chapman added a comment -

            I've tried #2 where I have admin priviledges setup in the global security using matrix based security and am selecting the credential in a parameter - but when I run the job, I still get:
            org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: cchapman
            at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:153)

            Show
            cchapman Clint Chapman added a comment - I've tried #2 where I have admin priviledges setup in the global security using matrix based security and am selecting the credential in a parameter - but when I run the job, I still get: org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: cchapman at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:153)
            Hide
            aarondav Aaron Davidson added a comment -

            We are seeing a similar issue. I tried using #1 with AuthorizedProject and running as the user's own credentials, but it cannot look up credentials in the Global scope of that user anyway.

            I also tried #2 where the credentials are selected by the user, but still get a CredentialNotFound.

            Using credentials-binding:1.11, authorize-project:1.3.0, credentials:2.1.13.

            Closest workaround right now that seems to work is to use the Folders plugin to apply credentials at the folder level rather than the user level, but it's not ideal.

            Show
            aarondav Aaron Davidson added a comment - We are seeing a similar issue. I tried using #1 with AuthorizedProject and running as the user's own credentials, but it cannot look up credentials in the Global scope of that user anyway. I also tried #2 where the credentials are selected by the user, but still get a CredentialNotFound. Using credentials-binding:1.11, authorize-project:1.3.0, credentials:2.1.13. Closest workaround right now that seems to work is to use the Folders plugin to apply credentials at the folder level rather than the user level, but it's not ideal.
            cleclerc Cyrille Le Clerc made changes -
            Link This issue is related to JENKINS-44772 [ JENKINS-44772 ]
            Hide
            bcohen Benjamin Cohen Solal added a comment - - edited

            I've created a job with the following lines on pipeline :

            sshagent(['7349b914-da60-441e-b847-1ede672b6bbe']) {
                // some block
            }

            The above credentials are scoped inside my user.

            When activating the "run as user who triggered build" option, I have the following error :

            17:53:27 FATAL: [ssh-agent] Could not find specified credentials

            But when activating the "run as specific user" and specifying my own username, I get the following line :

            17:52:51 [ssh-agent] Using credentials bcohen (My SSH private key)

            I really don't understand why the options "Run as specific user: bcohen" and "Run as user who triggered build" produce a different result when in these two cases, I'm the user who trigger the build.

            Using credentials-binding:1.12, authorize-project:1.3.0, credentials:2.1.14.

            Show
            bcohen Benjamin Cohen Solal added a comment - - edited I've created a job with the following lines on pipeline : sshagent([ '7349b914-da60-441e-b847-1ede672b6bbe' ]) { // some block } The above credentials are scoped inside my user. When activating the "run as user who triggered build" option, I have the following error : 17:53:27 FATAL: [ssh-agent] Could not find specified credentials But when activating the "run as specific user" and specifying my own username, I get the following line : 17:52:51 [ssh-agent] Using credentials bcohen (My SSH private key) I really don't understand why the options "Run as specific user: bcohen" and "Run as user who triggered build" produce a different result when in these two cases, I'm the user who trigger the build. Using credentials-binding:1.12, authorize-project:1.3.0, credentials:2.1.14.
            jamesdumay James Dumay made changes -
            Labels documentation pipeline cloudbees-internal-pipeline documentation pipeline
            jamesdumay James Dumay made changes -
            Remote Link This issue links to "Jenkins Users post (Web Link)" [ 17280 ]
            Hide
            b_dean Ben Dean added a comment -

            Stephen Connolly's method #2 does seem to work for me. Here's an example pipeline.

            properties([
                parameters([
                    credentials(name: 'creds_param', credentialType: 'org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl', required: true)
                ])
            ])
            
            
            stage('example'){
                node {
                    withCredentials([string(credentialsId: '${creds_param}', variable: 'SECRET')]) {
                        sh 'echo $SECRET'
                    }
                }
            }
            

            Note that the single quotes around '${creds_param}' is not a mistake. The CredentialsProvider.findCredentalById method specifically looks to see if the id starts with ${ and ends with }. See https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java#L882

            This makes it so user creds selected as build params work in the withCredentials pipeline step. That's not really enough for my problems because I want to use parameters from an input step, but that's maybe a different issue. Thought I'd share this.

            Show
            b_dean Ben Dean added a comment - Stephen Connolly 's method #2 does seem to work for me. Here's an example pipeline. properties([ parameters([ credentials(name: 'creds_param' , credentialType: 'org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl' , required: true ) ]) ]) stage( 'example' ){ node { withCredentials([string(credentialsId: '${creds_param}' , variable: 'SECRET' )]) { sh 'echo $SECRET' } } } Note that the single quotes around '${creds_param}' is not a mistake. The CredentialsProvider.findCredentalById method specifically looks to see if the id starts with ${ and ends with } . See https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java#L882 This makes it so user creds selected as build params work in the withCredentials pipeline step. That's not really enough for my problems because I want to use parameters from an input step, but that's maybe a different issue. Thought I'd share this.
            b_dean Ben Dean made changes -
            Link This issue is related to JENKINS-47699 [ JENKINS-47699 ]
            cloudbees CloudBees Inc. made changes -
            Remote Link This issue links to "CloudBees Internal CLTS-1179 (Web Link)" [ 19151 ]
            Hide
            jglick Jesse Glick added a comment -

            Well that is surprising, to say the least. Would need to be emphasized in inline help for the credentials parameter type.

            Show
            jglick Jesse Glick added a comment - Well that is surprising, to say the least. Would need to be emphasized in inline help for the credentials parameter type.
            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-44774 [ JENKINS-44774 ]
            wfollonier Wadeck Follonier made changes -
            Link This issue relates to JENKINS-58170 [ JENKINS-58170 ]
            Hide
            jvz Matt Sicker added a comment -

            This feature is improved in JENKINS-58170 and will also be supported by an upcoming release of pipeline-input-step to support user-scoped credentials prompted via an input step.

            Show
            jvz Matt Sicker added a comment - This feature is improved in JENKINS-58170 and will also be supported by an upcoming release of pipeline-input-step to support user-scoped credentials prompted via an input step.
            Hide
            jvz Matt Sicker added a comment -

            This was implemented in JENKINS-58170, though it requires the use of credentials build parameters. Alternatively, you can use authorize-project to automate the user who is bound to the build to access their credentials.

            Show
            jvz Matt Sicker added a comment - This was implemented in JENKINS-58170 , though it requires the use of credentials build parameters. Alternatively, you can use authorize-project to automate the user who is bound to the build to access their credentials.
            jvz Matt Sicker made changes -
            Resolution Fixed [ 1 ]
            Status Open [ 1 ] Resolved [ 5 ]
            Hide
            vit_zikmund Vít Zikmund added a comment - - edited

            Hello there, Matt Sicker. If you suggest using the authorize-project plugin for this purpose, can you confirm it actually works? All my white-box attempts so far failed as those in JENKINS-44772.

            Show
            vit_zikmund Vít Zikmund added a comment - - edited Hello there, Matt Sicker . If you suggest using the authorize-project plugin for this purpose, can you confirm it actually works? All my white-box attempts so far failed as those in JENKINS-44772 .

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              vehovmar Martin Vehovsky
              Votes:
              28 Vote for this issue
              Watchers:
              33 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: