Need a way to hide credentials from the command line
The only way to pass credentials is by specifying them on the command line, whether it’s the password or the token. The command line can be seen in the process list, exposing the credentials to other users on the system.
I’d like to have a way to load the credentials from a file. Alternatively, the credentials could be read from the environment without being specified on the command line.
Comments (4)
-
-
reporter That would work, thank you! Any chance you could document it?
-
I am a regular user like yourself. Let’s hope that the maintainers notice this issue
-
reporter I see. Thank you for your reply!
I was able to make it work. I don’t use a POM, as the project is not Java-based. However, properties can be added to the settings file, and they will be seen by the plugin:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<settings>
  <profiles>
    <profile>
      <id>with-atlassian-repo</id>
      <properties>
        <bitbucket.token>${BITBUCKET_TOKEN}</bitbucket.token>
      </properties>
      <pluginRepositories>
        <pluginRepository>
          <id>atlassian-repo</id>
          <url>https://packages.atlassian.com/mvn/maven-external/</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>warn</checksumPolicy>
          </releases>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>with-atlassian-repo</activeProfile>
  </activeProfiles>
</settings>
```
Then I can substitute the value in Jenkins by using envsubst and passing the processed file to Maven. One important consideration is to have the substituted credentials only in the file that Jenkins would remove even if the shell script fails.
```groovy
stage("Publish coverage to Bitbucket") {
    environment {
        BITBUCKET_TOKEN = credentials("jenkins-coverage-token")
    }
    steps {
        configFileProvider([configFile(fileId: "atlassian-maven-settings", variable: "MAVEN_SETTINGS")]) {
            sh """
                # Substitute token in the Maven settings file. Make sure
                # that the expanded token only appears in the file that
                # will be cleaned up automatically.
                mv -f ${env.MAVEN_SETTINGS} ${env.MAVEN_SETTINGS}.tmp
                envsubst < ${env.MAVEN_SETTINGS}.tmp > ${env.MAVEN_SETTINGS}
                rm -f ${env.MAVEN_SETTINGS}.tmp

                mvn com.atlassian.bitbucket:code-coverage-maven-plugin:3.2.2:publish \
                    --batch-mode \
                    --settings ${env.MAVEN_SETTINGS} \
                    -Dbitbucket.url=${env.BITBUCKET_URL} \
                    -Dbitbucket.commit.id=${env.GIT_COMMIT} \
                    -Dcoverage.format=COBERTURA \
                    -Dcoverage.file=CoverageReport.xml
            """
        }
    }
}
```
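The same pattern outside Jenkins, as an added example that is not part of the original thread or the plugin's own code: the token is read from the environment, written only to a private temporary settings file, and that file is removed whether the command succeeds or fails. It uses awk's `ENVIRON` in place of `envsubst` so that only `${BITBUCKET_TOKEN}` is expanded; `render_settings`, `with_rendered_settings` and `settings.xml.in` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread). render_settings and
# with_rendered_settings are hypothetical helper names.

# Expand only the literal ${BITBUCKET_TOKEN} in TEMPLATE into a private temp
# file and print that file's path. awk reads the token from its environment
# (ENVIRON), so the value never appears in any process's argument list.
render_settings() {
    template=$1
    [ -n "${BITBUCKET_TOKEN:-}" ] || { echo "BITBUCKET_TOKEN is not set" >&2; return 1; }
    out=$(mktemp "${TMPDIR:-/tmp}/settings.XXXXXX") || return 1   # created mode 0600
    BITBUCKET_TOKEN=$BITBUCKET_TOKEN awk '
        BEGIN { needle = "${BITBUCKET_TOKEN}"; tok = ENVIRON["BITBUCKET_TOKEN"] }
        {
            # index/substr, not gsub, so an ampersand or backslash in the
            # token stays literal instead of being treated as a back-reference
            line = $0; res = ""
            while ((i = index(line, needle)) > 0) {
                res = res substr(line, 1, i - 1) tok
                line = substr(line, i + length(needle))
            }
            print res line
        }
    ' "$template" > "$out" || { rm -f "$out"; return 1; }
    printf '%s\n' "$out"
}

# Run CMD... with "--settings FILE" appended, then delete FILE whether CMD
# succeeded, failed, or the script was interrupted.
with_rendered_settings() {
    settings=$(render_settings "$1") || return 1
    shift
    trap 'rm -f "$settings"; exit 130' INT TERM HUP
    "$@" --settings "$settings" && ret=0 || ret=$?
    rm -f "$settings"
    trap - INT TERM HUP
    return "$ret"
}

# Typical call (settings.xml.in is a constructed file name):
#   with_rendered_settings settings.xml.in mvn --batch-mode \
#       com.atlassian.bitbucket:code-coverage-maven-plugin:3.2.2:publish
```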
Instead of setting properties in the command line, you can set them in POM: