Hiding passwords in Jenkins Pipeline log output without using WithCredentials
Actually I don't know why this didn't work in the first place, but here is the solution to the problem.
Define an array with secrets that you want to hide like this:
def splunkPassword = 'verySecretPa55w0rd'def basicAuthPassword = 'my8asicAuthPa55w0rd'def getSecrets() { [ [password: splunkPassword, var: 'SECRET'], [password: basicAuthPassword, var: 'SECRET'] ]}
Disclaimer: I don't know whether the SECRET
value has an important role, copy and pasted it from some snippet and it works as expected :)
Afterwards, you can wrap any calls in your scripted pipeline like this:
node { wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: getSecrets()]) { stage 'First Stage' { ... } stage 'Second Stage' { ... } }}
All passwords provided in the getSecrets()
array will then be masked like this in your build output:
SPLUNK_PASSWORD: ********BASIC_AUTH_ADMIN_PASSWORD: ********
Update 26 May 2020
The workaround below stopped working for me recently. My guess is that something changed in a recent Jenkins update. I was trying to avoid installing another plugin, but I eventually gave up and installed the Mask Passwords plugin.
I used the following syntax for use with parameters:
parameters { string(name: 'USERNAME', defaultValue: '', description: 'Username') password(name: 'PASSWORD', defaultValue: '', description: 'Password')}
Then in the build stage:
steps { script { wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [ [password: "${USERNAME}", var: 'USR'], [password: "${PASSWORD}", var: 'PSW'] ] ]) { sh ''' echo "Username: ${USERNAME}" echo "Password: ${PASSWORD}" ''' } }}
The original workaround is below, in case anyone else tries to go down the same path.
I've discovered a workaround that is a bit of a hack, but seems to work well. The trick is to use withCredentials
, but override the variable with a parameter.
Here's an example which uses the environment directive's credentials()
helper method to populate an environment variable, then overrides the two additional environment variables that are automatically defined (and masked in the logs).
First, create a dummy Username with password
Credentials. The Username
and Password
values don't matter, we just need a Credential to use as a placeholder. Enter an ID such as dummy-credentials
.
Then define an environment variable using the dummy credentials, and override the automatically defined variables with the parameters (MYUSERNAME
and MYPASSWORD
in this example):
environment { MY_CREDS = credentials('dummy-credentials') MY_CREDS_USR = "${params.MYUSERNAME}" MY_CREDS_PSW = "${params.MYPASSWORD}"}
Use the MY_CREDS_USR
and MY_CREDS_PSW
environment variables wherever you need to reference the secrets. Their contents will be masked in the console log.
sh ''' echo "Username: ${MY_CREDS_USR}" echo "Password: ${MY_CREDS_PSW}"'''