
Credentials plugin for secrets in Jenkins - Commands & Configuration

Introduction
Managing passwords and secret keys safely is important to keep your projects secure. The Jenkins Credentials plugin helps you store and use these secrets without exposing them in your code or logs.
When you need to store a password for a database connection securely in Jenkins.
When your build process requires an API token that should not be visible in the pipeline code.
When you want to share SSH keys safely between Jenkins jobs without exposing them.
When you want to avoid hardcoding sensitive information in your Jenkinsfiles or scripts.
When multiple team members need access to the same secret but you want to control who can see or edit it.
Commands
This command adds a new secret credential to Jenkins using an XML file. It helps automate adding secrets without using the web interface.
Terminal
java -jar jenkins-cli.jar -s http://localhost:8080 create-credentials-by-xml system::system::jenkins _ < credentials.xml
Expected Output
Created credentials with ID 'my-secret-id'
-s - Specifies the Jenkins server URL
This command lists all credentials stored in Jenkins for the system scope, so you can verify your secret was added.
Terminal
java -jar jenkins-cli.jar -s http://localhost:8080 list-credentials system::system::jenkins
Expected Output
ID: my-secret-id Description: My secret password
-s - Specifies the Jenkins server URL
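This command runs a Groovy script on the Jenkins controller that prints the value of the environment variable MY_SECRET. It reads an environment variable of the controller process, not an entry in the credentials store, and the value appears in clear text in the command output, so use it only to check a test setup.
Terminal
echo 'println System.getenv("MY_SECRET")' | java -jar jenkins-cli.jar -s http://localhost:8080 groovy =
Expected Output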
mySuperSecretValue
-s - Specifies the Jenkins server URL
Key Concept

If you remember nothing else from this pattern, remember: store secrets securely in Jenkins Credentials and never hardcode them in your pipeline code.

Common Mistakes
Mistake: Hardcoding passwords or tokens directly in Jenkinsfiles or scripts.
Why it is a problem: This exposes secrets in logs and source control, risking security breaches.
Fix: Use the Credentials plugin to store secrets and reference them securely in your pipeline.

Mistake: Not setting correct permissions on credentials, allowing all users to see sensitive data.
Why it is a problem: Anyone with access can view or misuse the secrets, breaking security policies.
Fix: Set proper access controls and restrict who can view or modify credentials.

Mistake: Using plain text files to import credentials without encryption.
Why it is a problem: Secrets can be exposed during transfer or storage if not encrypted.
Fix: Use Jenkins CLI with secure connections and encrypted storage for credentials.
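
The import step from the Commands section, combined with the plain-text-file mistake above, as an added example (not from the original page): it renders the credential XML in the shell, escapes the secret, and pipes it to create-credentials-by-xml so no credentials.xml is left on disk. The function names, the JENKINS_URL variable and the sample values are assumptions; the XML class is the username/password type that ships with the Credentials plugin.

```bash
#!/bin/sh
# Added example (not from the original page). Function names, JENKINS_URL
# and the sample values in the usage comment are assumptions.

# Username/password credential type that ships with the Credentials plugin.
CRED_CLASS=com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl

# Escape XML special characters so a secret such as 'p&ss<word>' cannot
# break or alter the credentials document.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Print the credential XML on stdout. Args: id description username password
render_credential_xml() {
  printf '<%s>\n' "$CRED_CLASS"
  printf '  <scope>GLOBAL</scope>\n'
  printf '  <id>%s</id>\n' "$(xml_escape "$1")"
  printf '  <description>%s</description>\n' "$(xml_escape "$2")"
  printf '  <username>%s</username>\n' "$(xml_escape "$3")"
  printf '  <password>%s</password>\n' "$(xml_escape "$4")"
  printf '</%s>\n' "$CRED_CLASS"
}

# Pipe the XML straight into the CLI so no credentials.xml is left on disk.
# Store and domain arguments are the ones used in the Commands section.
import_credential() {
  render_credential_xml "$@" |
    java -jar jenkins-cli.jar -s "${JENKINS_URL:-http://localhost:8080}" \
      create-credentials-by-xml system::system::jenkins _
}

# Usage (constructed values); the password is read without echo:
#   stty -echo; IFS= read -r pw; stty echo
#   import_credential my-secret-id 'My secret password' dbuser "$pw"; unset pw
```

Set JENKINS_URL to an https:// address when the controller is not on the local machine, so the XML is not sent over the network in clear text.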
Summary
Use the Jenkins Credentials plugin to store secrets like passwords and tokens securely.
Add credentials via Jenkins CLI or web interface to avoid exposing secrets in code.
Access stored credentials in pipelines or scripts without hardcoding sensitive data.