8

In Jenkinsfile, I want to make an ssh key visible to all stages in the pipeline.

From the official document, I learned that:

  1. environment directive is used to defy environment variables for used within Jenkinsfile
  2. The scope of the variables defined depends on the placement of the environment directive
  3. One can set the some types of credentials insideenvironment directive with the help of the credentials helper
  4. The types of credentials supported by the helper are:
    • Secret text
    • Usernames and passwords
    • Secret files

For other types of credentials, the document suggests using the snippet generator, which generates a step.

Example of an ssh key step

withCredentials([sshUserPrivateKey(credentialsId: 'jenkins_aws_to_bitbucket', keyFileVariable: 'BITBUCKET_PRV_KEY')]) { // some block }

This is meant to be used in a stage like:

pipeline { agent { // define agent details } stages { stage('Example stage 1') { steps { withCredentials(bindings: [sshUserPrivateKey(credentialsId: 'jenkins-ssh-key-for-abc', \ keyFileVariable: 'SSH_KEY_FOR_ABC')]) { // } withCredentials(bindings: [certificate(credentialsId: 'jenkins-certificate-for-xyz', \ keystoreVariable: 'CERTIFICATE_FOR_XYZ', \ passwordVariable: 'XYZ-CERTIFICATE-PASSWORD')]) { // } } } stage('Example stage 2') { steps { // } } } }

Snippet source

Question

  1. If the steps are within a stage, are these credentials visible within other stages?
  2. If not, how to make these credentials global ~ visible within all stages
Improve this question

2 Answers 2

Reset to default
8

The credentials will only be visible within the block passed to withCredentials, not outside of that. So, no, your credentials will not be visible to other stages. To make your credentials visible to your entire Pipeline:

  • If you are using Declarative Pipelines, you can put your credentials in an environment{} block at the top of your Pipeline, as documented in the official Jenkins handbook:

    pipeline { agent { // Your agent here } environment { MY_ENVIRONMENT_VARIABLE = credentials('my-credentials-id') } stages { // Your stages here } }

  • If you use Scripted Pipelines, you can wrap your entire job in withCredentials. This is not possible with Declarative.

Improve this answer
2
  • Number 2 might have been correct at the time the answer was posted, but it absolutely is not correct at the time of this comment. An environment{} block with the credentials() method provides an implicit global withCredentials Commented May 5, 2023 at 21:04
  • @KenRachynski I looked it up, and support for credentials in the environment{} block was added in April 2017, which is before I wrote this answer, but it seems to have been poorly documented at the time, especially compared to the withCredentials step which well predates Jenkins Pipelines. I'm editing my answer to improve its accuracy. Commented May 11, 2023 at 23:04
4

I set credential globally in declarative pipeline like this and then my Jenkins could talk with Google Dataflow in all stages. For example, I used a secret file (google service account). 

  pipeline { agent any environment { //Secret File ID was defined in Jenkins -> Credentials -> System -> Global credentials GOOGLE_APPLICATION_CREDENTIALS = credentials('mySecretFileId') GCP_PROJECT_NAME = 'myProject' } stages { stage('step 1') { steps { sh "gcloud auth activate-service-account --key-file ${env.GOOGLE_APPLICATION_CREDENTIALS}" sh "gcloud config set project ${env.GCP_PROJECT_NAME}" // access google dataflow sh "gcloud dataflow jobs list --status=active" // .... } } stage('stage 2') { steps { // access google dataflow sh "gcloud dataflow jobs list --status=active" } } //... } }
Improve this answer
1
  • Best answer for this question. Commented Jul 2, 2021 at 7:53

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.