Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-60440

Invalid git username/password on Jenkins agent when using Vault Username-Password Credential with '@' in username

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • VM host: Windows 10 1909 running Docker Desktop Community 19.03.5
      Jenkins master: Docker image jenkins/jenkins:latest
      Jenkins agent: Docker image openjdk:8-stretch + Swarm-Client 3.17 plugin
      Hashicorp Vault: Docker image vault:latest

      My Jenkins master is running Debian 9 with Jenkins 2.208, Git-plugin 4.0.0 and Hashicorp-vault-plugin 3.0.0. My Jenkins agent is running Debian 9 with Swarm-client plugin 3.17. My master is set to 0 executors so that all jobs run on the agent. I have my Bitbucket credentials saved in Jenkins 3 times - "Username with password", "Vault Username-Password Credential" with K/V engine 1 and "Vault Username-Password Credential" with K/V engine 2.

      I have a test freestyle job that does nothing except fetch a Git repository from https://bitbucket.org/... If set the job's Git credentials to use the "Username with password" credentials then the agent successfully fetches the repository. If I use either of the "Vault Username-Password Credential" credentials then the agent fails on the command "git fetch --tags --progress ..." with "remote: Invalid username or password"

      In a pipeline job with script from SCM, the master is able to fetch the repository with all 3 credential types but the agent can only fetch when using "Username with password" credentials - it is unable to fetch with "Vault Username-Password Credential" credentials.

      Bitbucket usernames are email addresses so they contain "@" special character. In Vault I have tried URL encoding the username to "user%40domain.com" but this causes the master to also fail with invalid username.

          [JENKINS-60440] Invalid git username/password on Jenkins agent when using Vault Username-Password Credential with '@' in username

          Gordon Li created issue -
          Mark Waite made changes -
          Assignee Original: Mark Waite [ markewaite ]
          Mark Waite made changes -
          Link New: This issue is related to JENKINS-39374 [ JENKINS-39374 ]
          Mark Waite made changes -
          Link New: This issue is related to JENKINS-59830 [ JENKINS-59830 ]
          Mark Waite made changes -
          Summary Original: Invalid git username/password on Jenkins agent when using Vault Username-Password Credential New: Invalid git username/password on Jenkins agent when using Vault Username-Password Credential with '@' in username
          Mark Waite made changes -
          Link New: This issue is related to JENKINS-59085 [ JENKINS-59085 ]
          Jibin Babu made changes -
          Attachment New: Screen Shot 2020-05-29 at 9.59.43 AM.png [ 51351 ]
          Jibin Babu made changes -
          Comment [ Hi, Same issue when we try to authenticate with Gitlab 

           Jenkins is unable to fetch secrets from Vault. We use pipeline plugin wherein we need to authenticate with Gitlab repo using username and password of our SCM (Gitlab)

           

           

          ERROR:

           

          FAILED to retrieve password key:
           java.lang.RuntimeException: com.datapipe.jenkins.vault.exception.VaultPluginException: Key password could not be found in path /path/to/secret ]

            Unassigned Unassigned
            elgordo Gordon Li
            Votes:
            2 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated: