Hiding passwords in Jenkins Pipeline log output without using WithCredentials

11,775

Solution 1

I think you are looking for JENKINS-36007?

Solution 2

Actually I don't know why this didn't work in the first place, but here is the solution to the problem.

Define an array with secrets that you want to hide like this:

def splunkPassword = 'verySecretPa55w0rd'
def basicAuthPassword = 'my8asicAuthPa55w0rd'

def getSecrets() {
    [
            [password: splunkPassword, var: 'SECRET'],
            [password: basicAuthPassword, var: 'SECRET']
    ]
}

Disclaimer: I don't know whether the SECRET value has an important role, copy and pasted it from some snippet and it works as expected :)

Afterwards, you can wrap any calls in your scripted pipeline like this:

node {
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: getSecrets()]) {
        stage 'First Stage' { ... }
        stage 'Second Stage' { ... }
    }
}

All passwords provided in the getSecrets() array will then be masked like this in your build output:

SPLUNK_PASSWORD: ********
BASIC_AUTH_ADMIN_PASSWORD: ********

Solution 3

Update 26 May 2020

The workaround below stopped working for me recently. My guess is that something changed in a recent Jenkins update. I was trying to avoid installing another plugin, but I eventually gave up and installed the Mask Passwords plugin.

I used the following syntax for use with parameters:

parameters {
    string(name: 'USERNAME', defaultValue: '', description: 'Username')
    password(name: 'PASSWORD', defaultValue: '', description: 'Password')
}

Then in the build stage:

steps {
    script {
        wrap([$class: 'MaskPasswordsBuildWrapper',
              varPasswordPairs: [
                  [password: "${USERNAME}", var: 'USR'],
                  [password: "${PASSWORD}", var: 'PSW']
              ]
        ]) {
            sh '''
                echo "Username: ${USERNAME}"
                echo "Password: ${PASSWORD}"
            '''
        }
    }
}

The original workaround is below, in case anyone else tries to go down the same path.

I've discovered a workaround that is a bit of a hack, but seems to work well. The trick is to use withCredentials, but override the variable with a parameter.

Here's an example which uses the environment directive's credentials() helper method to populate an environment variable, then overrides the two additional environment variables that are automatically defined (and masked in the logs).

First, create a dummy Username with password Credentials. The Username and Password values don't matter, we just need a Credential to use as a placeholder. Enter an ID such as dummy-credentials.

Then define an environment variable using the dummy credentials, and override the automatically defined variables with the parameters (MYUSERNAME and MYPASSWORD in this example):

environment {
    MY_CREDS = credentials('dummy-credentials')
    MY_CREDS_USR = "${params.MYUSERNAME}"
    MY_CREDS_PSW = "${params.MYPASSWORD}"
}

Use the MY_CREDS_USR and MY_CREDS_PSW environment variables wherever you need to reference the secrets. Their contents will be masked in the console log.

sh '''
    echo "Username: ${MY_CREDS_USR}"
    echo "Password: ${MY_CREDS_PSW}"
'''

Solution 4

You might have a look at https://github.com/jenkinsci/log-file-filter-plugin

This plugin allows filtering Jenkins' console output by means of regular expressions. If some pattern matches the matched string is replaced by a string that can be specified for each pattern in the configuration.

Currently the plugin doesn't support adding filter-patterns from a jenkinsfile but only from the Jenkins global settings.

View more solutions

11,775

Author by

Michael Lihs

Infrastructure consultant at Thoughtworks Infrastructure as Code with Terraform, Pulumi & tons of bash Build and test automation Backend development (recently Golang, Python) Previously: Robert Bosch GmbH, punkt.de GmbH University of Karlsruhe

Updated on June 21, 2022

Comments

Michael Lihs almost 2 years
I have a parametrized Jenkins pipeline based on a Jenkinsfile. Some of the parameters contain sensitive passwords that I don't want to appear in the job's build logs.

So my question is: can I somehow register a String within the Jenkinsfile that is then replaced - by let's say ********** - whenever it appears in the log output?

I am aware of the withCredentials step, but I can't use it, since the credentials are not stored in the Jenkins credentials store (but provided as parameters at runtime).

I found this answer here https://stackoverflow.com/a/42372859/1549950 and tried it like this:
```
def secrets = [
    [password: firstPassword, var: 'SECRET'],
    [password: secondPassword, var: 'SECRET'],
    [password: thirdPassword, var: 'SECRET']
]

node() {
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: secrets]) {
        // my stages containing steps...
    }
}
```
Where firstPassword, secondPassword, thirdPassword are variables containing my passwords. But still I get the content of firstPassword... displayed plain text in the log output.

I have the Mask Password plugin installed on my Jenkins in version 2.12.0.

Basically I am searching for something like this: https://issues.jenkins-ci.org/browse/JENKINS-27486 - ticket is resolved, but no sample snippet of final implementation is given.