JENKINS-48599

Ability to retrieve secrets from credentials plugin in groovy script

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Minor
    • active-choices-plugin
    • None

      We use this plugin/script to query an API in order to populate the choices parameter. 
      It would be very beneficial to be able to refer to secrets stored as credentials (credentials plugin) to authenticate against an external API, rather than having to put access tokens in the script itself. 


          Roy Porter added a comment -

          Have you tried something along the lines of: (Replacing ###Credential name###)

          import jenkins.model.*
          
          def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
            com.cloudbees.plugins.credentials.Credentials.class,
            Jenkins.instance,
            null,
            null
          );
          def credential = creds.find {it.id == '###Credential name###'}
          if (!credential) {
            return "Unable to pickup credential from Jenkins"
          }
          
          return credential.password;

           


          Chris Hudson added a comment -

          Hey, thanks for this.

          It returns the credential object, but sadly it doesn't have a `password` property. If I set it to `credential.secret` it returns me an encrypted string. 
          Looks like this...not usual encryption. 

          Result: evGnz_DcxcWFsFXeihUb

          That's from a test credential I set up.


          Chris Hudson added a comment -

          The usual Jenkins decryption methods don't yield anything against that string, at least not the ones I know of.


          Charles Abetz added a comment - - edited

          You can do it like this, but I am not sure if this only works for admin users

           

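          import com.cloudbees.plugins.credentials.Credentials
          import com.cloudbees.plugins.credentials.SystemCredentialsProvider
          import com.cloudbees.plugins.credentials.domains.Domain

          // `user` is expected to be defined elsewhere in the script
          List<Credentials> credentials = SystemCredentialsProvider.getInstance().getStore().getCredentials(Domain.global())
          def result = null  // "username:password" of the matching credential
          for (c in credentials) {
              if (c instanceof com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl) {
                  if (c.username == "${user}") {
                      // getPassword() returns a Secret; getPlainText() gives the clear text
                      result = c.getUsername() + ":" + c.getPassword().getPlainText()
                  }
              }
          }
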

          That works for me as an admin, but it doesn't seem to work for other users even if they have permission to view the Credential store. 
           


          olivier G added a comment -

          I don't understand why it's not possible to use pipeline syntax such as withCredentials to work with credentials.

          I use something like what Charles Abetz has done. In my case, any user with job/read and job/build could use it (Jenkins has script-security-plugin, and no approval is needed).
          This possibility opens a security hole: it's possible for each user to read the passwords from all global credentials.

           


          Rich added a comment -

          Is there any update on this? It is still not possible to use withCredentials or a similar approach in an ActiveChoice groovy script.

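Added example, not code from this thread or from the plugin: a lookup narrowed to one credential ID and one credential type, where the secret is used only for the API call and is never returned as a choice value. The credential ID and the URL are placeholders, and the script is assumed to run with permission to call these Jenkins APIs (outside the sandbox, or with the signatures approved).

```groovy
import com.cloudbees.plugins.credentials.CredentialsMatchers
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import hudson.security.ACL
import jenkins.model.Jenkins

// Placeholders for illustration; replace with your own values.
final String CREDENTIAL_ID = 'example-api-credential'
final String API_URL = 'https://api.example.invalid/choices'

// Request only the credential type the script needs instead of every
// Credentials object in the store. ACL.SYSTEM means the lookup runs with
// system authority, so whoever can edit this script can reach the credential.
def candidates = CredentialsProvider.lookupCredentials(
    StandardUsernamePasswordCredentials.class,
    Jenkins.instance,
    ACL.SYSTEM,
    Collections.emptyList()
)

// Select exactly one credential by ID rather than iterating and comparing fields.
def cred = CredentialsMatchers.firstOrNull(candidates, CredentialsMatchers.withId(CREDENTIAL_ID))
if (cred == null) {
    return ['Credential not found']
}

// getPassword() returns a hudson.util.Secret; getPlainText() yields the clear text.
// Keep it in a local variable and never place it in the returned list.
String basic = "${cred.username}:${cred.password.plainText}".bytes.encodeBase64().toString()

def conn = new URL(API_URL).openConnection()
conn.setRequestProperty('Authorization', "Basic ${basic}")
conn.connectTimeout = 5000
conn.readTimeout = 5000
try {
    if (conn.responseCode != 200) {
        return ["API returned HTTP ${conn.responseCode}"]
    }
    // One choice per line of the response body (assumed response format).
    return conn.inputStream.getText('UTF-8').readLines()
} catch (IOException e) {
    // Return a fixed message so no request details end up in the parameter UI.
    return ['API request failed']
}
```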

            kinow Bruno P. Kinoshita
            basher590 Chris Hudson
            Votes: 2
            Watchers: 9
