Sling Academy
Home/DevOps/How to manage credentials and secrets in Jenkins

How to manage credentials and secrets in Jenkins

Last updated: February 03, 2024

Table of Contents

  1. Introduction
  2. Basic Credential Management
  3. Storing secrets in encrypted form
  4. Advanced Techniques
    1. Using Credential Store
    2. Credentials via Environment Variables
    3. Scripted Pipeline Credential Binding
  5. Best Practices
  6. Conclusion

Introduction

Jenkins is a powerful automation server used for continuous integration and delivery. It handles various sensitive information, such as passwords, API keys, and SSH keys, making credential management a significant concern. Jenkins provides several ways to securely manage this data, ensuring that your automation processes are both efficient and secure.

Managing credentials and secrets effectively in Jenkins is crucial for the security and efficiency of your CI/CD pipelines. In this comprehensive guide, we’ll explore various methods and best practices for credential management in Jenkins, from basic setup to advanced techniques.

Prerequisites

  • Jenkins instance (either Jenkins server or Jenkins on Cloud)
  • Basic understanding of Jenkins pipeline and job configuration

Basic Credential Management

Let’s start with the basics of adding and using credentials in Jenkins.

Adding Credentials:

// Navigate to Jenkins Dashboard
// Click on 'Credentials' > 'System' > 'Global credentials (unrestricted)'
// Click 'Add Credentials'
// Select the credential type (e.g., Username with password, SSH Key, Secret file, etc.)
// Fill in the required details and save

Using these credentials in your jobs and pipelines is straightforward.

// In a freestyle job
// In the 'Build Environment' section, select 'Use secret text(s) or file(s)'
// Add the credential by specifying its ID

// In a Jenkinsfile (Pipeline)
node {
  stage('Checkout') {
    checkout([$class: 'GitSCM', branches: [[name: '*/master']],
      userRemoteConfigs: [[credentialsId: 'your-credential-id', url: 'https://your.git.repo/']]])
  }
}

Storing secrets in encrypted form

For enhanced security, Jenkins allows storing secrets in an encrypted form using the Credential plugin. Below is how you can accomplish this.

// Install and configure the Credentials Binding Plugin
// During job configuration, use the plugin to inject encrypted credentials into the build environment

Example:

// In a Jenkinsfile
pipeline {
  agent any
  stages {
    stage('Build') {
      environment {
        SECRET_KEY = credentials('my-secret-key')
      }
      steps {
        sh 'echo $SECRET_KEY'
      }
    }
  }
}

Advanced Techniques

For complex projects, you may need more advanced techniques for managing credentials.

Using Credential Store

For enterprises using Jenkins at scale, organizing credentials in multiple domains through the Credentials Store can be beneficial.

// Navigate to 'Jenkins' > 'Manage Jenkins' > 'Manage Credentials'
// You can create new credentials within specific stores and domains for better organization

Credentials via Environment Variables

Integrating credentials into Jenkins pipelines through environment variables is a flexible way to manage secrets.

pipeline {
  agent any
  stages {
    stage('Environment') {
      environment {
        API_KEY = credentials('api-key')
      }
      steps {
        sh 'echo $API_KEY'
      }
    }
  }
}

Scripted Pipeline Credential Binding

For more granular control of credentials within scripted pipelines, you can bind credentials directly within the script.

node {
  withCredentials([usernamePassword(credentialsId: 'my-db-creds', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
    sh './db_script.sh $USERNAME $PASSWORD'
  }
}

Best Practices

While managing credentials in Jenkins, it’s crucial to follow best practices for security, such as:

  • Limiting credential scope to where they are needed
  • Regularly rotating secrets and credentials
  • Avoiding storing plain text credentials in source code
  • Using Jenkins’ Role-Based Access Control to restrict access to sensitive information

Conclusion

Credential and secret management in Jenkins is vital for maintaining the integrity and security of your CI/CD pipelines.

Next Article: An Introduction to Blue Ocean: The Jenkins UI

Previous Article: Jenkins: How to load external libraries into Pipeline

Series: Jenkins Tutorials

DevOps

You May Also Like

  • How to reset Ubuntu to factory settings (4 approaches)
  • Making GET requests with cURL: A practical guide (with examples)
  • Git: What is .DS_Store and should you ignore it?
  • NGINX underscores_in_headers: Explained with examples
  • How to use Jenkins CI with private GitHub repositories
  • Terraform: Understanding State and State Files (with Examples)
  • SHA1, SHA256, and SHA512 in Terraform: A Practical Guide
  • CSRF Protection in Jenkins: An In-depth Guide (with examples)
  • Terraform: How to Merge 2 Maps
  • Terraform: How to extract filename/extension from a path
  • JSON encoding/decoding in Terraform: Explained with examples
  • Sorting Lists in Terraform: A Practical Guide
  • Terraform: How to trigger a Lambda function on resource creation
  • How to use Terraform templates
  • Understanding terraform_remote_state data source: Explained with examples
  • Jenkins Authorization: A Practical Guide (with examples)
  • Solving Jenkins Pipeline NotSerializableException: groovy.json.internal.LazyMap
  • Understanding Artifacts in Jenkins: A Practical Guide (with examples)
  • Using Jenkins with AWS EC2 and S3: A Practical Guide