6

I am using a YAML file to configure a Jenkins job, and I came across the feature inject-passwords (see here). However, this documentation describes neither how to use the variable within the Jenkins environment nor what 'encrypted' password means (How to encrypt?). The link leading to the EnvInjectPlugin also does not have the required information.

Where can I find useful information/documentation? And why is this documentation so incomplete?

Context:

I want to inject passwords in a safe way into a Jenkins job. In this Jenkins job I want to use this password as a password to log in to an online service in order to test several aspects of that service. I need the test script to get that password (environment variable?) to be able to log in to a service.

Open questions not answered in the referenced documentation:

  • Where is the information that the Name of password (here) is the environment variable name?
  • Where is the information on how to encrypt the password: password (str) Encrypted password (see here)
Alex
  • As written in the documentation, the inject password will be available as environment variable. So you can simply reference it with $name. – Alexandre Cartapanis May 01 '19 at 14:29
  • Can you provide a detailed explanation of what you are trying to achieve? – Mike May 01 '19 at 14:57
  • I want to inject passwords in a safe way into a Jenkins job. In this Jenkins job I want to use this password as a password to log in to an online service in order to test several aspects of that service. I need the test script to get that password (environment variable?) to be able to log in to a service. – Alex May 02 '19 at 09:12

2 Answers

2

The documentation for the password injection is not useable. Therefore I provide a complete example here.

First, you need to get the encrypted password.

  1. Go to the configuration part of a Jenkins Job that can be safely modified. For example the one you are currently trying to set up.
  2. In the "Build Environment" section, click on the "Inject passwords to the build as environment variables".
  3. Write your plain password with a dummy variable name and save the configuration. This step will encrypt the password behind the hood.
  4. Go to the "Job Config History" tab of the Job and look at the latest RAW XML configuration file. You will find in the XML your encrypted password that can be copied for the next step.

Second step, you need to put the password in the yaml file as follows:

wrappers:
    - inject-passwords:
        global: true
        mask-password-params: true
        job-passwords:
            - name: TEST_USER_PASSWORD
              password: '{AQAAABAAAAAQvsFFVkOmzr5WzEhX8OWuK7mizr5xzEhX8lGo2AGMVw8=}'
            - name: TEST_USER_PASSWORD2
              password: '{AQAAABAAAAAQvsFFVkOmzr5xzEhX8lGo2AcPGMVw8b8SflGo2AcPGMVw8=}'

Note: The passwords are in quotes AND in curly brackets.

Third step: In Jenkins you can use the environment variables TEST_USER_PASSWORD and TEST_USER_PASSWORD2. These variables will contain the decrypted password, but when you print them out, Jenkins will notice there is a password in the log, which Jenkins will obfuscate.

Example:

Actual output

My password is jddfdjh44y98dyghsdgdgfdg

Jenkins log output

My password is [********]

You can print the content of the variable step-by-step to get the password (to check that it works).

Alex
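A sketch of the test-script side of the third step, as an added example that is not part of the original answer: it reads the injected variable, refuses a value that still has the encrypted `{...}` shape shown in the YAML, and applies the same `[********]` mask to text the script writes itself. The function names `load_job_password` and `redact` are hypothetical, and the sample values are the ones quoted in the answer.

```python
import os
import re

# Shape of the stored value shown in the answer: base64 text inside curly brackets.
# Heuristic only: a real password that happens to look like this is also rejected.
ENCRYPTED_FORM = re.compile(r"\{[A-Za-z0-9+/]+={0,2}\}")
MASK = "[********]"  # same marker as the Jenkins log output quoted above


def load_job_password(name, environ=None):
    """Return the injected password, refusing missing or still-encrypted values."""
    environ = os.environ if environ is None else environ
    value = environ.get(name, "")
    if not value:
        raise LookupError(f"{name} is not set; is inject-passwords enabled for this job?")
    if ENCRYPTED_FORM.fullmatch(value):
        # Never include the value itself in the error message.
        raise ValueError(f"{name} still holds the encrypted form, not the password")
    return value


def redact(text, secrets):
    """Mask every secret in text the script writes itself (reports, artifacts)."""
    for secret in sorted(filter(None, secrets), key=len, reverse=True):
        text = text.replace(secret, MASK)
    return text


if __name__ == "__main__":
    # Constructed environment standing in for the one Jenkins gives the build step.
    sample_env = {
        "TEST_USER_PASSWORD": "jddfdjh44y98dyghsdgdgfdg",
        "TEST_USER_PASSWORD2": "{AQAAABAAAAAQvsFFVkOmzr5xzEhX8lGo2AcPGMVw8b8SflGo2AcPGMVw8=}",
    }
    password = load_job_password("TEST_USER_PASSWORD", sample_env)
    print(redact(f"My password is {password}", [password]))
    try:
        load_job_password("TEST_USER_PASSWORD2", sample_env)
    except ValueError as err:
        print(err)
```

In a real build step the script would call `load_job_password("TEST_USER_PASSWORD")` with no second argument, so the value comes from the job's environment.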
1

In the documentation the author explains that the plugin will "Inject passwords to the build as environment variables", and therefore, as pointed out by Alexandre Cartapanis, they are accessible as environment variables by their name ($password_name). This information is spread across two sites: in the YAML documentation they say that "Inject passwords to the build as environment variables. Requires the Jenkins EnvInject Plugin", and the EnvInject Plugin page states that "Shared Objects plugin contributes to Envinject plugin that enables you to populate shared objects as environment variables". In this post you may find an example of attempting to access the variable by its name, which is available only at build time.

When stored, Jenkins makes sure passwords are encrypted. As far as I understand, they will be decrypted just for the purpose of being passed as a variable where required for the job, as would be done with any credential.

Some additional information regarding how EnvInject plugin works is provided on links to other related plugins, such as Shared Objects plugin

As long as you just use the password as an environment variable and do not log its value, it is safe to use it that way. The same approach, or referring to the password's ID, is used e.g. in Jenkins pipelines to access SCM credentials.

sashimi
  • Where is that written in which documentation? I cannot find that. Also, I do not find anywhere a description of HOW to encrypt the password! Please read my question again. – Alex May 03 '19 at 06:04
  • Just edited the answer above providing some more details. – sashimi May 03 '19 at 07:47
  • Thanks for the update - I guess we both agree the documentation is insufficient. And on the usability side - when I try to print out the password from within jenkins all I get is '[******]'. How to deal with that? I need the password in clear form so it can be put in a box on some website for testing? How to do that? I need to log in to some service, as mentioned in my question. But so far I still do not have the password... – Alex May 03 '19 at 11:15
  • It would be best if you can just provide a simple, complete and working example. And let me know whom to contact to complete the documentation. – Alex May 03 '19 at 11:22
  • I figured out that Jenkins itself seems to obfuscate every location in its log, when a string matches the password. However, when printing out the content of a variable character by character, I get the encrypted password again! Do I have to decrypt it myself? – Alex May 03 '19 at 12:34
  • I need to decrypt the password myself? And for that I need to get some master.key file? No thank you. – Alex May 03 '19 at 12:47