Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-38963

User-scoped credentials cannot be looked up in pipeline

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      It's possible to look-up User-scoped credentials in Freestyle jobs with Bindings. The same seems not to work in pipeline jobs.

      node {
          withCredentials([[$class          : 'UsernamePasswordMultiBinding', credentialsId: 'bc047678-37b8-4747-95d8-c1a8b3df51a6',
                            usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
              echo "${env.USERNAME}"
          }
      }
      
      org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: bc047678-37b8-4747-95d8-c1a8b3df51a6
      	at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:124)
      	at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:68)
      	at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:92)
      

      Plugin versions:
      credentials-binding: 1.9
      credentials: 2.1.5

        Attachments

          Issue Links

            Activity

            Hide
            cchapman Clint Chapman added a comment -

            I've tried #2 where I have admin priviledges setup in the global security using matrix based security and am selecting the credential in a parameter - but when I run the job, I still get:
            org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: cchapman
            at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:153)

            Show
            cchapman Clint Chapman added a comment - I've tried #2 where I have admin priviledges setup in the global security using matrix based security and am selecting the credential in a parameter - but when I run the job, I still get: org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: cchapman at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:153)
            Hide
            aarondav Aaron Davidson added a comment -

            We are seeing a similar issue. I tried using #1 with AuthorizedProject and running as the user's own credentials, but it cannot look up credentials in the Global scope of that user anyway.

            I also tried #2 where the credentials are selected by the user, but still get a CredentialNotFound.

            Using credentials-binding:1.11, authorize-project:1.3.0, credentials:2.1.13.

            Closest workaround right now that seems to work is to use the Folders plugin to apply credentials at the folder level rather than the user level, but it's not ideal.

            Show
            aarondav Aaron Davidson added a comment - We are seeing a similar issue. I tried using #1 with AuthorizedProject and running as the user's own credentials, but it cannot look up credentials in the Global scope of that user anyway. I also tried #2 where the credentials are selected by the user, but still get a CredentialNotFound. Using credentials-binding:1.11, authorize-project:1.3.0, credentials:2.1.13. Closest workaround right now that seems to work is to use the Folders plugin to apply credentials at the folder level rather than the user level, but it's not ideal.
            Hide
            bcohen Benjamin Cohen Solal added a comment - - edited

            I've created a job with the following lines on pipeline :

            sshagent(['7349b914-da60-441e-b847-1ede672b6bbe']) {
                // some block
            }

            The above credentials are scoped inside my user.

            When activating the "run as user who triggered build" option, I have the following error :

            17:53:27 FATAL: [ssh-agent] Could not find specified credentials

            But when activating the "run as specific user" and specifying my own username, I get the following line :

            17:52:51 [ssh-agent] Using credentials bcohen (My SSH private key)

            I really don't understand why the options "Run as specific user: bcohen" and "Run as user who triggered build" produce a different result when in these two cases, I'm the user who trigger the build.

            Using credentials-binding:1.12, authorize-project:1.3.0, credentials:2.1.14.

            Show
            bcohen Benjamin Cohen Solal added a comment - - edited I've created a job with the following lines on pipeline : sshagent([ '7349b914-da60-441e-b847-1ede672b6bbe' ]) { // some block } The above credentials are scoped inside my user. When activating the "run as user who triggered build" option, I have the following error : 17:53:27 FATAL: [ssh-agent] Could not find specified credentials But when activating the "run as specific user" and specifying my own username, I get the following line : 17:52:51 [ssh-agent] Using credentials bcohen (My SSH private key) I really don't understand why the options "Run as specific user: bcohen" and "Run as user who triggered build" produce a different result when in these two cases, I'm the user who trigger the build. Using credentials-binding:1.12, authorize-project:1.3.0, credentials:2.1.14.
            Hide
            b_dean Ben Dean added a comment -

            Stephen Connolly's method #2 does seem to work for me. Here's an example pipeline.

            properties([
                parameters([
                    credentials(name: 'creds_param', credentialType: 'org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl', required: true)
                ])
            ])
            
            
            stage('example'){
                node {
                    withCredentials([string(credentialsId: '${creds_param}', variable: 'SECRET')]) {
                        sh 'echo $SECRET'
                    }
                }
            }
            

            Note that the single quotes around '${creds_param}' is not a mistake. The CredentialsProvider.findCredentalById method specifically looks to see if the id starts with ${ and ends with }. See https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java#L882

            This makes it so user creds selected as build params work in the withCredentials pipeline step. That's not really enough for my problems because I want to use parameters from an input step, but that's maybe a different issue. Thought I'd share this.

            Show
            b_dean Ben Dean added a comment - Stephen Connolly 's method #2 does seem to work for me. Here's an example pipeline. properties([ parameters([ credentials(name: 'creds_param' , credentialType: 'org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl' , required: true ) ]) ]) stage( 'example' ){ node { withCredentials([string(credentialsId: '${creds_param}' , variable: 'SECRET' )]) { sh 'echo $SECRET' } } } Note that the single quotes around '${creds_param}' is not a mistake. The CredentialsProvider.findCredentalById method specifically looks to see if the id starts with ${ and ends with } . See https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java#L882 This makes it so user creds selected as build params work in the withCredentials pipeline step. That's not really enough for my problems because I want to use parameters from an input step, but that's maybe a different issue. Thought I'd share this.
            Hide
            jglick Jesse Glick added a comment -

            Well that is surprising, to say the least. Would need to be emphasized in inline help for the credentials parameter type.

            Show
            jglick Jesse Glick added a comment - Well that is surprising, to say the least. Would need to be emphasized in inline help for the credentials parameter type.

              People

              • Assignee:
                Unassigned
                Reporter:
                vehovmar Martin Vehovsky
              • Votes:
                25 Vote for this issue
                Watchers:
                25 Start watching this issue

                Dates

                • Created:
                  Updated: