Jenkins · How-To · Beginner · 4 min read

How to Store AWS Credentials in Jenkins Securely

Store AWS credentials in Jenkins with the Credentials Plugin: add the AWS Access Key ID and Secret Access Key as a Username with password credential (or a single value such as a session token as Secret text), then bind them in your pipeline with withCredentials. The values are exposed to the build only as environment variables for the duration of the block and are masked in the console log.
📐

Syntax

Use the Jenkins Credentials Plugin to store AWS credentials, so they live encrypted on the controller rather than in your Jenkinsfile. The common types are:

  • Username with password: store the AWS Access Key ID as the username and the Secret Access Key as the password.
  • Secret text: store a single value such as an AWS session token, bound in a pipeline with the string(credentialsId: ..., variable: 'AWS_SESSION_TOKEN') binding. Temporary keys (IDs starting with ASIA) are rejected by AWS without their session token, so bind both.

If the AWS Credentials plugin is installed, it adds a dedicated "AWS Credentials" type bound with [$class: 'AmazonWebServicesCredentialsBinding', credentialsId: ..., accessKeyVariable: 'AWS_ACCESS_KEY_ID', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']; the steps below need only the core Credentials and Credentials Binding plugins.

In a Jenkins pipeline, use withCredentials to bind the stored values to environment variables that exist only inside the block and are masked in the console output:

groovy
// usernameVariable/passwordVariable are named after the variables the AWS CLI and SDKs read,
// so the commands inside the block need no extra configuration.
withCredentials([usernamePassword(credentialsId: 'aws-creds-id', usernameVariable: 'AWS_ACCESS_KEY_ID', passwordVariable: 'AWS_SECRET_ACCESS_KEY')]) {
  // AWS CLI commands or SDK usage; the variables are unset again when the block ends
}
💻

Example

This example shows how to store AWS credentials in Jenkins and use them in a pipeline to list S3 buckets.

groovy
pipeline {
  agent any
  stages {
    stage('List S3 Buckets') {
      steps {
        // Binds the credential's username/password to the two variables the AWS CLI reads.
        withCredentials([usernamePassword(credentialsId: 'aws-creds', usernameVariable: 'AWS_ACCESS_KEY_ID', passwordVariable: 'AWS_SECRET_ACCESS_KEY')]) {
          // Single-quoted Groovy string: the shell expands variables, Groovy does not.
          sh '''
            # No 'aws configure set' here: that would write the secret to ~/.aws/credentials
            # on the agent, where it would outlive the withCredentials block.
            aws s3 ls
          '''
        }
      }
    }
  }
}
Output
2024-06-01 12:00:00 bucket-one
2024-06-01 12:00:00 bucket-two
2024-06-01 12:00:00 bucket-three
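The pipeline above trusts that the binding delivered what the AWS CLI expects. The following pre-flight script, an added example that is not part of the original page, is meant to be sourced inside the withCredentials block before the first AWS call. It assumes the binding exported AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (plus AWS_SESSION_TOKEN from a Secret text binding when the key is temporary); the file name aws-preflight.sh and the function names are this example's own choices, and the sample values used to exercise it are the AWS documentation's example key pair, not real credentials. It checks the shape of the bound values without ever printing them, refuses a temporary ASIA key that has no session token, and fails if an earlier build left a credentials file on the agent.

```sh
#!/bin/sh
# aws-preflight.sh (added example): checks to run inside the withCredentials block
# before the first AWS CLI call. Assumes the binding exported AWS_ACCESS_KEY_ID and
# AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN for temporary keys. No secret value
# is ever printed; only its shape and length are reported.

# Return 0 if the bound credentials have the shape AWS issues, 1 otherwise.
check_aws_creds() {
  key="${AWS_ACCESS_KEY_ID:-}"
  secret="${AWS_SECRET_ACCESS_KEY:-}"
  token="${AWS_SESSION_TOKEN:-}"

  if [ -z "$key" ] || [ -z "$secret" ]; then
    echo "preflight: AWS credentials not bound; check the credentialsId" >&2
    return 1
  fi

  # Access key IDs are 20 characters: AKIA... for long-term IAM user keys,
  # ASIA... for temporary STS keys.
  if printf '%s' "$key" | grep -Eq '^AKIA[A-Z0-9]{16}$'; then
    kind=long-term
  elif printf '%s' "$key" | grep -Eq '^ASIA[A-Z0-9]{16}$'; then
    kind=temporary
  else
    echo "preflight: AWS_ACCESS_KEY_ID has an unexpected format (is the username field the key ID?)" >&2
    return 1
  fi

  # Secret access keys are 40 characters; report the length only, never the value.
  if [ "${#secret}" -ne 40 ]; then
    echo "preflight: AWS_SECRET_ACCESS_KEY has length ${#secret}, expected 40" >&2
    return 1
  fi

  # A temporary key is rejected by AWS without its session token.
  if [ "$kind" = temporary ] && [ -z "$token" ]; then
    echo "preflight: ASIA key bound without AWS_SESSION_TOKEN (add a Secret text binding)" >&2
    return 1
  fi

  echo "preflight: credentials look valid ($kind key)"
  return 0
}

# Return 1 if a credentials file holding a secret exists on this agent, for example
# left behind by 'aws configure set' in an earlier build; such a file outlives the block.
check_no_persisted_creds() {
  file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  if [ -f "$file" ] && grep -q 'aws_secret_access_key' "$file"; then
    echo "preflight: secret persisted on disk at $file; delete it and stop using 'aws configure set'" >&2
    return 1
  fi
  return 0
}

# Runs the S3 listing with credentials taken from the environment only.
# AWS_DEFAULT_REGION is set so the CLI does not depend on a region stored on the agent.
list_buckets() {
  check_aws_creds || return 1
  check_no_persisted_creds || return 1
  AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-us-east-1}" aws s3 ls
}

# In the Jenkinsfile, inside withCredentials(...): sh '. ./aws-preflight.sh && list_buckets'
```

Source the script from a single-quoted sh step so the bound variables reach it through the shell environment; if the preflight fails the step exits non-zero and the build stops before any request carrying a malformed or half-bound credential leaves the agent.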
⚠️

Common Pitfalls

  • Storing AWS credentials in the pipeline script or an environment { } block commits the secret to source control and copies it into every job configuration and build log.
  • Writing keys to plain text files, including running aws configure set inside the build, leaves them in ~/.aws on the agent after the withCredentials block and the build have ended.
  • Referencing a bound variable with Groovy string interpolation, as in sh "aws ... ${AWS_SECRET_ACCESS_KEY}", expands the secret before the shell sees it; Jenkins prints a warning that a secret was passed using Groovy String interpolation. Use single-quoted strings so the shell itself expands $AWS_SECRET_ACCESS_KEY.
  • Not using the Jenkins Credentials Plugin leaves no central place to rotate, scope or audit the key.
  • Referencing a credentialsId that does not exist fails the build before the block runs.

Always use withCredentials to inject secrets safely.

groovy
/* Wrong way: hardcoding credentials in the pipeline. The secret is committed with the
   Jenkinsfile, readable in the job configuration, and not masked in the console output. */
pipeline {
  agent any
  environment {
    AWS_ACCESS_KEY_ID = 'AKIA...'
    AWS_SECRET_ACCESS_KEY = 'secret'
  }
  stages {
    stage('Run AWS Command') {
      steps {
        sh 'aws s3 ls'
      }
    }
  }
}

/* Right way: bind the stored credential. The variables exist only inside the block and
   are replaced by **** if their values appear in the console output. */
pipeline {
  agent any
  stages {
    stage('Run AWS Command') {
      steps {
        withCredentials([usernamePassword(credentialsId: 'aws-creds', usernameVariable: 'AWS_ACCESS_KEY_ID', passwordVariable: 'AWS_SECRET_ACCESS_KEY')]) {
          // Single-quoted Groovy string: the shell, not Groovy, reads the variables.
          sh 'aws s3 ls'
        }
      }
    }
  }
}
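The wrong way above is easy to spot by eye in a ten-line Jenkinsfile and easy to miss in a repository of them. The scanner below is an added example, not part of the original page or of Jenkins: it runs grep -E heuristics over a Jenkinsfile for the pitfalls listed above (a literal AKIA/ASIA key ID, a secret assigned to a quoted literal, a double-quoted sh step that interpolates a bound AWS variable, and aws configure set writing a key to disk). The finding codes, the script name scan-jenkinsfile.sh and the regular expressions are this example's own; the sample Jenkinsfiles it is exercised with are constructed and use the AWS documentation's example key pair.

```sh
#!/bin/sh
# scan-jenkinsfile.sh (added example): flags the credential pitfalls above in a Jenkinsfile
# before it is merged. The finding codes and patterns are this script's own grep -E heuristics,
# not Jenkins output; treat a hit as something to review, not as proof of a leak.

# Print every line of file $3 matching the ERE $2, prefixed with the finding code $1.
report_hits() {
  grep -En "$2" "$3" | sed "s/^/$1:/" || true
}

# Print findings as CODE:line:text; return 0 when clean, 1 when anything was found.
scan_jenkinsfile() {
  out=$(
    # Literal access key ID (long-term AKIA... or temporary ASIA...) anywhere in the file.
    report_hits HARDCODED_KEY '(AKIA|ASIA)[A-Z0-9]{16}' "$1"
    # Secret assigned to a quoted literal, as in an environment { } block.
    report_hits HARDCODED_SECRET "AWS_SECRET_ACCESS_KEY[[:space:]]*=[[:space:]]*['\"]" "$1"
    # Double-quoted sh step (sh "..." or sh """...""") interpolating a bound AWS variable:
    # Groovy expands the secret before the shell sees it.
    report_hits INTERPOLATED_SECRET 'sh[[:space:]]+"+[^"]*\$\{?AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)' "$1"
    # 'aws configure set' writes the value into ~/.aws on the agent, outliving the block.
    report_hits PERSISTED_SECRET 'aws[[:space:]]+configure[[:space:]]+set[[:space:]]+aws_(access_key_id|secret_access_key|session_token)' "$1"
  )
  if [ -z "$out" ]; then
    return 0
  fi
  printf '%s\n' "$out"
  return 1
}

# Usage in a pre-merge check: scan_jenkinsfile Jenkinsfile || exit 1
```

A line can carry more than one finding; a single sh "aws configure set aws_secret_access_key ${AWS_SECRET_ACCESS_KEY}" is reported as both INTERPOLATED_SECRET and PERSISTED_SECRET, which is the intended reading, since fixing only the interpolation would still leave the key on disk.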
📊

Quick Reference

  • Store credentials: Jenkins Dashboard > Credentials > System > Global credentials > Add Credentials
  • Type: Username with password (AWS Access Key ID and Secret Access Key)
  • Use in pipeline: withCredentials block with usernamePassword binding
  • Never: hardcode secrets in scripts or environment blocks, pass a bound variable through Groovy "${...}" interpolation, or persist it with aws configure set

Key Takeaways

Always store AWS credentials in Jenkins Credentials Plugin, never in plain text.
Use withCredentials in pipelines to access AWS keys securely.
Choose 'Username with password' type for AWS Access Key ID and Secret Access Key.
Avoid hardcoding or exposing credentials in pipeline scripts or logs.
Verify the correct credentialsId is used to prevent pipeline errors.