2

I am trying to access AWS credentials provided via a parameter in my pipeline job.

I have a pipeline job where I am using an AWS credentials parameter defined like this:

    credentials(
        credentialType: 'com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl',
        defaultValue: 'jenkins-deploy-proj',
        description: ''' My description ''',
        name: 'AWS_ACCOUNT'
    )

I got that via "Pipeline Syntax > Declarative Directive Generator > Parameters" in the Jenkins UI.

I need to access those credentials later in the job. From other discussions it seems that I should use a withCredentials block to access the credentials, so I tried this:

    script {
        withCredentials([[
            $class: 'AmazonWebServicesCredentialsBinding',
            accessKeyVariable: 'AWS_ACCESS_KEY_ID',
            secretKeyVariable: 'AWS_SECRET_ACCESS_KEY',
            credentialsId: "${params.AWS_ACCOUNT}"
        ]]) {
            sh 'bash myscript.sh'
        }
    }

I got that via "Pipeline Syntax > Snippet Generator > withCredentials" in the Jenkins UI.

The pipeline runs fine with the default credentials (which are accessible to all users) but when I attempt to use my personal credentials (still in the global domain) I get an error from Jenkins telling me that the credentials don't exist:

ERROR: Could not find credentials entry with ID '557ff283-70f3-402b-b065-fb4c9f28305e'

I can use those same credentials as a parameter in other (non-pipeline) Jenkins jobs configured like this, and they work fine:

[Screenshots: parameter definition, parameter binding]

I did take an extra step to make sure the problem wasn't just with that one credential object by creating a new credential object, but I got the same "Could not find credentials entry with ID" error.

4
  • It sounds as if your credentials have not been added to the list in the credentials plugin settings for AWS. Commented Sep 1, 2020 at 20:36
  • Is that setting specific to pipeline jobs? I'll check on that, but it seems strange that non-pipeline jobs would not require that setting, while pipeline jobs do. Commented Sep 1, 2020 at 21:13
  • Pipelines can also use plain text credentials, but that has security implications. Commented Sep 2, 2020 at 11:40
  • True. The reason I'm using user-scoped credentials here is because we want to lock down who can run a job in a given environment based on whether they can provide the necessary credentials. So a shared set of credentials (or plaintext credentials) doesn't help too much. Also the "shared credentials" scenario already works without modifications. Commented Sep 2, 2020 at 14:13

1 Answer

3

I was able to reach out to CloudBees support (they provide tools and services on top of Jenkins) who mentioned a change introduced in JENKINS-58170 which allows credentials to be accessed using the name of the credentials parameter as the id. This is the solution mentioned in this CloudBees article about using user scoped credentials in pipeline jobs. In this case the solution would have looked like:

    script {
        withCredentials([[
            $class: 'AmazonWebServicesCredentialsBinding',
            accessKeyVariable: 'AWS_ACCESS_KEY_ID',
            secretKeyVariable: 'AWS_SECRET_ACCESS_KEY',
            credentialsId: 'AWS_ACCOUNT'
        ]]) {
            sh 'bash myscript.sh'
        }
    }

This will likely work for many Jenkins users.

These improvements, however, came in with version 2.3 of the credentials plugin. Since we were running an older version of the plugin, this capability was not available.

Instead, we had to use the "special syntax" mentioned on JENKINS-58170: credentialsId: '${credentialsParameterName}'. Note that the single quotes are important here! From the ticket:

user-scoped credentials are currently only looked up if the credential id is provided using the former template syntax

That is, the '{userScopedCredsParameterName}' syntax.

So the final working pipeline definition looked like this:

    script {
        withCredentials([[
            $class: 'AmazonWebServicesCredentialsBinding',
            accessKeyVariable: 'AWS_ACCESS_KEY_ID',
            secretKeyVariable: 'AWS_SECRET_ACCESS_KEY',
            credentialsId: '${AWS_ACCOUNT}'
        ]]) {
            sh 'bash myscript.sh'
        }
    }
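As an added example (not part of the original answer, and not code from Jenkins or CloudBees), the Python check below scans pipeline source and labels each `credentialsId` by the form discussed in this thread, so a review can spot bindings that will not pick up user-scoped credentials. The sample pipeline is constructed, and the function names and kind labels are assumptions made for illustration.

```python
import re

# Constructed sample pipeline (not from the post) with each credentialsId form.
SAMPLE = r'''
parameters {
    credentials(
        credentialType: 'com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl',
        defaultValue: 'jenkins-deploy-proj',
        name: 'AWS_ACCOUNT'
    )
}
withCredentials([[ $class: 'AmazonWebServicesCredentialsBinding', credentialsId: "${params.AWS_ACCOUNT}" ]]) { }
withCredentials([[ $class: 'AmazonWebServicesCredentialsBinding', credentialsId: '${AWS_ACCOUNT}' ]]) { }
withCredentials([[ $class: 'AmazonWebServicesCredentialsBinding', credentialsId: 'AWS_ACCOUNT' ]]) { }
withCredentials([[ $class: 'AmazonWebServicesCredentialsBinding', credentialsId: 'jenkins-deploy-proj' ]]) { }
'''

PARAM_BLOCK = re.compile(r"\bcredentials\s*\((.*?)\)", re.S)
PARAM_NAME = re.compile(r"\bname\s*:\s*(['\"])(\w+)\1")
CRED_ID = re.compile(r"credentialsId\s*:\s*(?:\"([^\"]*)\"|'([^']*)'|([\w.]+))")
GROOVY_REF = re.compile(r"\$\{?(?:params\.)?(\w+)\}?")

def credential_params(src):
    """Names declared by credentials(...) parameter definitions."""
    found = (PARAM_NAME.search(b.group(1)) for b in PARAM_BLOCK.finditer(src))
    return {m.group(2) for m in found if m}

def classify(src):
    """Return (line, kind) for every credentialsId in the pipeline source.

    resolved-id: Groovy substitutes the credential ID first (the failing form in the question)
    template:    literal '${NAME}' (the form that worked on the older plugin)
    param-name:  parameter name as the id (per the answer, credentials plugin 2.3+)
    literal-id:  fixed credential ID, not tied to a credentials parameter
    """
    params, out = credential_params(src), []
    for m in CRED_ID.finditer(src):
        dq, sq, bare = m.groups()
        if sq is not None:  # single quotes: Groovy passes the text through unchanged
            tmpl = re.fullmatch(r"\$\{(\w+)\}", sq)
            kind = ("template" if tmpl and tmpl.group(1) in params
                    else "param-name" if sq in params else "literal-id")
        else:  # double quotes or a bare expression: evaluated by Groovy
            ref = GROOVY_REF.search(dq if dq is not None else "${" + bare + "}")
            kind = "resolved-id" if ref and ref.group(1) in params else "literal-id"
        out.append((src.count("\n", 0, m.start()) + 1, kind))
    return out

if __name__ == "__main__":
    for line, kind in classify(SAMPLE):
        print(f"line {line}: {kind}")
```
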