Hiding passwords in Jenkins Pipeline log output without using WithCredentials
Solution 1
I think you are looking for JENKINS-36007?
Solution 2
Actually I don't know why this didn't work in the first place, but here is the solution to the problem.
Define an array with secrets that you want to hide like this:
def splunkPassword = 'verySecretPa55w0rd'
def basicAuthPassword = 'my8asicAuthPa55w0rd'
def getSecrets() {
[
[password: splunkPassword, var: 'SECRET'],
[password: basicAuthPassword, var: 'SECRET']
]
}
Disclaimer: I don't know whether the SECRET
value has an important role, copy and pasted it from some snippet and it works as expected :)
Afterwards, you can wrap any calls in your scripted pipeline like this:
node {
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: getSecrets()]) {
stage 'First Stage' { ... }
stage 'Second Stage' { ... }
}
}
All passwords provided in the getSecrets()
array will then be masked like this in your build output:
SPLUNK_PASSWORD: ********
BASIC_AUTH_ADMIN_PASSWORD: ********
Solution 3
Update 26 May 2020
The workaround below stopped working for me recently. My guess is that something changed in a recent Jenkins update. I was trying to avoid installing another plugin, but I eventually gave up and installed the Mask Passwords plugin.
I used the following syntax for use with parameters:
parameters {
string(name: 'USERNAME', defaultValue: '', description: 'Username')
password(name: 'PASSWORD', defaultValue: '', description: 'Password')
}
Then in the build stage:
steps {
script {
wrap([$class: 'MaskPasswordsBuildWrapper',
varPasswordPairs: [
[password: "${USERNAME}", var: 'USR'],
[password: "${PASSWORD}", var: 'PSW']
]
]) {
sh '''
echo "Username: ${USERNAME}"
echo "Password: ${PASSWORD}"
'''
}
}
}
The original workaround is below, in case anyone else tries to go down the same path.
I've discovered a workaround that is a bit of a hack, but seems to work well. The trick is to use withCredentials
, but override the variable with a parameter.
Here's an example which uses the environment directive's credentials()
helper method to populate an environment variable, then overrides the two additional environment variables that are automatically defined (and masked in the logs).
First, create a dummy Username with password
Credentials. The Username
and Password
values don't matter, we just need a Credential to use as a placeholder. Enter an ID such as dummy-credentials
.
Then define an environment variable using the dummy credentials, and override the automatically defined variables with the parameters (MYUSERNAME
and MYPASSWORD
in this example):
environment {
MY_CREDS = credentials('dummy-credentials')
MY_CREDS_USR = "${params.MYUSERNAME}"
MY_CREDS_PSW = "${params.MYPASSWORD}"
}
Use the MY_CREDS_USR
and MY_CREDS_PSW
environment variables wherever you need to reference the secrets. Their contents will be masked in the console log.
sh '''
echo "Username: ${MY_CREDS_USR}"
echo "Password: ${MY_CREDS_PSW}"
'''
Solution 4
You might have a look at https://github.com/jenkinsci/log-file-filter-plugin
This plugin allows filtering Jenkins' console output by means of regular expressions. If some pattern matches the matched string is replaced by a string that can be specified for each pattern in the configuration.
Currently the plugin doesn't support adding filter-patterns from a jenkinsfile but only from the Jenkins global settings.
Michael Lihs
Infrastructure consultant at Thoughtworks Infrastructure as Code with Terraform, Pulumi & tons of bash Build and test automation Backend development (recently Golang, Python) Previously: Robert Bosch GmbH, punkt.de GmbH University of Karlsruhe
Updated on June 21, 2022Comments
-
Michael Lihs almost 2 years
I have a parametrized Jenkins pipeline based on a
Jenkinsfile
. Some of the parameters contain sensitive passwords that I don't want to appear in the job's build logs.So my question is: can I somehow register a String within the
Jenkinsfile
that is then replaced - by let's say**********
- whenever it appears in the log output?I am aware of the
withCredentials
step, but I can't use it, since the credentials are not stored in the Jenkins credentials store (but provided as parameters at runtime).I found this answer here https://stackoverflow.com/a/42372859/1549950 and tried it like this:
def secrets = [ [password: firstPassword, var: 'SECRET'], [password: secondPassword, var: 'SECRET'], [password: thirdPassword, var: 'SECRET'] ] node() { wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: secrets]) { // my stages containing steps... } }
Where
firstPassword
,secondPassword
,thirdPassword
are variables containing my passwords. But still I get the content offirstPassword
... displayed plain text in the log output.I have the Mask Password plugin installed on my Jenkins in version 2.12.0.
Basically I am searching for something like this: https://issues.jenkins-ci.org/browse/JENKINS-27486 - ticket is resolved, but no sample snippet of final implementation is given.