Credentials Binding Plugin

withCredentials: Bind credentials to variables

Allows various kinds of credentials (secrets) to be used in idiosyncratic ways. Each binding will define an environment variable active within the scope of the step. You can then use them directly from any other steps that expect environment variables to be set:

node {
  withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) {
    sh '''
      set +x
      curl -u $USERPASS https://private.server/ > output
    '''
  }
}

As another example (use Snippet Generator to see all options):

node {
  withCredentials([string(credentialsId: 'mytoken', variable: 'TOKEN')]) {
    sh '''
      set +x
      curl -H "Token: $TOKEN" https://some.api/
    '''
  }
}

or retrieve values from Groovy code via the env magic variable:

def password = env.PASSWORD

Note that some steps explicitly ask for credentials of a particular kind, usually as a credentialsId parameter, in which case this step is unnecessary.

For bindings which store a secret file, beware that

node {
  dir('subdir') {
    withCredentials([file(credentialsId: 'secret', variable: 'FILE')]) {
      sh 'use $FILE'
    }
  }
}

is not safe, as $FILE might be inside the workspace (in subdir@tmp/secretFiles/), and thus visible to anyone able to browse the job’s workspace. If you need to run steps in a different directory than the usual workspace, you should instead use

node {
  withCredentials([file(credentialsId: 'secret', variable: 'FILE')]) {
    dir('subdir') {
      sh 'use $FILE'
    }
  }
}

to ensure that the secrets are outside the workspace; or choose a different workspace entirely:

node {
  ws {
    withCredentials([file(credentialsId: 'secret', variable: 'FILE')]) {
      sh 'use $FILE'
    }
  }
}
bindings

Array/List

Nested Choice of Objects $class: AmazonWebServicesCredentialsBinding

Sets one variable to the AWS access key and another one to the secret key given in the credentials.
accessKeyVariable
Environment variable name for the AWS Access Key Id. If empty, AWS_ACCESS_KEY_ID will be used.

Type: String

secretKeyVariable
Environment variable name for the AWS Secret Access Key. If empty, AWS_SECRET_ACCESS_KEY will be used.

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String

$class: AwsBucketCredentialsBinding

Does something.
usernameVariable

Type: String

passwordVariable

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String

$class: AzureCredentialsBinding credentialsId:::

+

Credentials of an appropriate type to be set to the variable.

Type: String

clientIdVariable (optional)

Type: String

clientSecretVariable (optional)

Type: String

subscriptionIdVariable (optional)

Type: String

tenantIdVariable (optional)

Type: String

$class: AzurePublisherSettingsBinding

Set a variable to point to Azure Publisher Settings file.
variable
Name of an environment variable to be set during the build.

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String

$class: CertificateMultiBinding

Sets one variable to the username and one variable to the password given in the credentials.
Warning: if the master or slave node has multiple executors, any other build running concurrently on the same node will be able to read the text of the secret, for example on Linux using ps e.
keystoreVariable
Name of an environment variable to be set to the temporary keystore location during the build.

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String

aliasVariable (optional)
Name of an environment variable to be set to the keystore alias name of the certificate during the build.

Type: String

passwordVariable (optional)
Name of an environment variable to be set to the password during the build.

Type: String

$class: DockerServerCredentialsBinding variable:::

+

Name of an environment variable to be set during the build.
Its value will be the absolute path of the directory where the {ca,cert,key}.pem files will be created.
You probably want to call this variable DOCKER_CERT_PATH, which will be understood by the docker client binary.

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String

$class: FileBinding

Copies the file given in the credentials to a temporary location, then sets the variable to that location. (The file is deleted when the build completes.)
Warning: if the master or slave node has multiple executors, any other build running concurrently on the same node will be able to read the contents of this file.
variable
Name of an environment variable to be set during the build.

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String

$class: StringBinding

Sets a variable to the text given in the credentials.
Warning: if the master or slave node has multiple executors, any other build running concurrently on the same node will be able to read the text of the secret, for example on Linux using ps e.
variable
Name of an environment variable to be set during the build.

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String

$class: UsernamePasswordBinding

Sets a variable to the username and password given in the credentials, separated by a colon ( :).
Warning: if the master or slave node has multiple executors, any other build running concurrently on the same node will be able to read the text of the secret, for example on Linux using ps e.
variable
Name of an environment variable to be set during the build.

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String

$class: UsernamePasswordMultiBinding

Sets one variable to the username and one variable to the password given in the credentials.
Warning: if the master or slave node has multiple executors, any other build running concurrently on the same node will be able to read the text of the secret, for example on Linux using ps e.
usernameVariable
Name of an environment variable to be set to the username during the build.

Type: String

passwordVariable
Name of an environment variable to be set to the password during the build.

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String

$class: ZipFileBinding

Unpacks the ZIP file given in the credentials to a temporary directory, then sets the variable to that location. (The directory is deleted when the build completes.)
Warning: if the master or slave node has multiple executors, any other build running concurrently on the same node will be able to read the contents of this directory.
variable
Name of an environment variable to be set during the build.

Type: String

credentialsId
Credentials of an appropriate type to be set to the variable.

Type: String