
Credentials binding in pipelines in Jenkins - Commands & Configuration

Introduction
When you run automated tasks in Jenkins pipelines, you often need passwords or keys. Credentials binding lets you safely use these secrets without showing them in logs or code.
When your pipeline needs to access a private Git repository using a username and password.
When deploying an application that requires an API key or token.
When running tests that need database credentials.
When you want to avoid hardcoding sensitive information in your pipeline scripts.
When you want Jenkins to automatically clean up secrets after the pipeline finishes.
Config File - Jenkinsfile
pipeline {
  agent any
  environment {
    MY_SECRET = credentials('my-secret-id')
  }
  stages {
    stage('Use Secret') {
      steps {
        echo "Using secret in a safe way"
        sh 'echo Secret is $MY_SECRET'
      }
    }
  }
}

This Jenkinsfile defines a pipeline that uses the credentials function to bind a secret stored in Jenkins with the ID my-secret-id to the environment variable MY_SECRET. This variable can then be used safely in the pipeline steps without exposing the secret in the code.

Commands
This command adds a new secret credential to Jenkins using an XML file. It stores the secret securely with an ID you can reference in pipelines.
Terminal
jenkins-cli create-credentials-by-xml system::system::jenkins _ < credentials.xml
Expected Output
Created credentials with ID my-secret-id
system::system::jenkins - Specifies the Jenkins system scope for the credentials
This command starts the Jenkins pipeline named 'my-pipeline' which uses the bound credentials in its steps.
Terminal
jenkins-cli build my-pipeline
Expected Output
Started build #1 for job my-pipeline
This command shows the console output of the first build of 'my-pipeline' to verify the secret was used without being exposed.
Terminal
jenkins-cli console my-pipeline 1
Expected Output
[Pipeline] echo
Using secret in a safe way
[Pipeline] sh
+ echo Secret is ********
Secret is ********
[Pipeline] End of Pipeline
Key Concept

If you remember nothing else from this pattern, remember: credentials binding lets you use secrets safely in pipelines without exposing them in logs or code.

Common Mistakes
Hardcoding secrets directly in the Jenkinsfile or pipeline script.
This exposes sensitive information in the code repository and logs, risking leaks.
Store secrets in Jenkins credentials and bind them using the credentials function in the pipeline.

Referencing a credential ID that does not exist or is misspelled.
The pipeline will fail because it cannot find the secret to bind.
Double-check the credential ID in Jenkins and use the exact ID in the pipeline.

Printing the secret variable directly in pipeline logs.
This reveals the secret in the build logs, defeating the purpose of binding.
Use the secret only in commands or scripts that do not print it, or mask it in logs.
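
The Jenkinsfile below is an added example, not code from the original page. It puts the log-exposure mistake beside a corrected form, using the Credentials Binding plugin's withCredentials step so the secret exists only inside the block that needs it. The credential ID git-userpass-id, the variable names API_TOKEN, GIT_USER and GIT_PASS, and the example.invalid URLs are assumptions; my-secret-id is the ID used on this page and is assumed here to be a secret-text credential.

```groovy
// Added example. Assumed names: 'git-userpass-id', API_TOKEN, GIT_USER,
// GIT_PASS and the example.invalid URLs. 'my-secret-id' is the page's ID.
pipeline {
  agent any
  stages {
    stage('Weak: Groovy interpolation') {
      steps {
        withCredentials([string(credentialsId: 'my-secret-id', variable: 'API_TOKEN')]) {
          // WEAK: a double-quoted Groovy string is expanded by Jenkins before
          // the shell starts, so the secret value is written into the command
          // text itself. Jenkins flags this pattern with a warning in the log.
          sh "curl -fsS -H 'Authorization: Bearer ${API_TOKEN}' https://api.example.invalid/deploy"
        }
      }
    }
    stage('Corrected: shell expansion, narrow scope') {
      steps {
        withCredentials([string(credentialsId: 'my-secret-id', variable: 'API_TOKEN')]) {
          // Single quotes: Groovy passes the text through unchanged and the
          // shell reads API_TOKEN from its own environment at run time.
          sh '''
            set +x   # sh steps trace commands by default; turn that off here
            curl -fsS -H "Authorization: Bearer $API_TOKEN" https://api.example.invalid/deploy
          '''
        }
        // API_TOKEN is not defined outside the withCredentials block.
      }
    }
    stage('Username and password for a private Git repository') {
      steps {
        withCredentials([usernamePassword(credentialsId: 'git-userpass-id',
                                          usernameVariable: 'GIT_USER',
                                          passwordVariable: 'GIT_PASS')]) {
          // The inline credential helper hands the values to git through the
          // environment, so they never appear in the URL or in the trace.
          sh '''
            set +x
            git -c credential.helper='!f() { echo "username=$GIT_USER"; echo "password=$GIT_PASS"; }; f' ls-remote https://git.example.invalid/team/repo.git
          '''
        }
      }
    }
  }
}
```

Log masking matches only the exact secret value, so treat it as a safety net and keep the secret out of printed output altogether.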
Summary
Add secrets to Jenkins using the credentials store with a unique ID.
Bind these credentials in your Jenkinsfile using the credentials function to environment variables.
Use the bound variables safely in pipeline steps without exposing secrets in logs.