Credentials
Never store passwords, API tokens, or SSH keys in plain text in your Jenkinsfile. Jenkins Credentials securely stores secrets, and you can bind them to environment variables or use them directly in steps.
Adding Credentials in Jenkins
1. Go to "Manage Jenkins" → "Credentials" → "System" → "Global credentials".
2. Click "Add Credentials".
3. Choose a kind (e.g., "Username with password", "Secret text", "SSH key").
4. Fill in the details and give it an ID (e.g., github-token).
Using Credentials in Declarative Pipeline
Use the credentials() helper to bind a secret to an environment variable:

    pipeline {
        agent any
        environment {
            // Each credentials('id') call looks up the secret stored under that ID
            GITHUB_TOKEN = credentials('github-token')
            DOCKER_PASSWORD = credentials('docker-pass')
        }
        stages {
            stage('Login') {
                steps {
                    // Single quotes: the shell, not Groovy, expands the variable
                    sh 'echo "$GITHUB_TOKEN" | docker login -u myuser --password-stdin'
                }
            }
        }
    }

For username/password credentials, two variables are created, VAR_USR and VAR_PSW, where VAR is the name of the bound environment variable.
Using Credentials in Scripted Pipeline
    node {
        // TOKEN is only set inside this withCredentials block
        withCredentials([string(credentialsId: 'github-token', variable: 'TOKEN')]) {
            sh 'curl -H "Authorization: token $TOKEN" https://api.github.com/user'
        }
    }

SSH Key Credentials
For SSH keys, use the sshUserPrivateKey type and bind the key to a file variable:

    withCredentials([sshUserPrivateKey(credentialsId: 'deploy-key', keyFileVariable: 'SSH_KEY')]) {
        // SSH_KEY holds the path to a temporary file containing the private key
        sh 'ssh -i "$SSH_KEY" user@server command'
    }

Best Practices
- Never echo or print credentials.
- Use specific credentials per job, not global admin credentials.
- Rotate secrets regularly.
- Use the "Secret text" type for API tokens.
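A small pre-commit style check for the practices above, written in Python as an added example (not code from the original page or from Jenkins). It flags secret-looking names assigned a string literal and sh steps that print a bound credential; the double-quoted sh check goes beyond the page, and the rule names, the name heuristics and the SAMPLE pipeline are assumptions made for this example.

```python
import re

# Names bound by VAR = credentials('id') or by withCredentials arguments.
BOUND_ENV = re.compile(r"^\s*(\w+)\s*=\s*credentials\(", re.M)
BOUND_ARG = re.compile(r"\b(?:variable|keyFileVariable|usernameVariable|passwordVariable)\s*:\s*'(\w+)'")
# Heuristic: secret-looking name assigned a string literal instead of credentials().
HARDCODED = re.compile(r"^\s*\w*(?:TOKEN|PASS|SECRET|KEY)\w*\s*=\s*(['\"]).+\1\s*$", re.I)
SH_STEP = re.compile(r"^\s*sh\s+(['\"])(.*)\1\s*$")
VAR_REF = re.compile(r"\$\{?(\w+)")

def bound_variables(text):
    names = set(BOUND_ENV.findall(text)) | set(BOUND_ARG.findall(text))
    # Username/password bindings also create VAR_USR and VAR_PSW.
    return names | {n + suffix for n in names for suffix in ("_USR", "_PSW")}

def scan(text):
    """Return (line_number, rule) findings, in line order, for Jenkinsfile text."""
    bound = bound_variables(text)
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if HARDCODED.match(line):
            findings.append((no, "hard-coded-secret"))
        step = SH_STEP.match(line)
        quote, cmd = step.groups() if step else ("", "")
        if quote == '"' and bound & set(VAR_REF.findall(cmd)):
            # Groovy expands the secret before the shell runs (check beyond the page).
            findings.append((no, "groovy-interpolated-secret"))
        for part in re.split(r"&&|;", cmd):
            printed = re.match(r"\s*(?:echo|printf)\b", part) and "|" not in part
            if printed and bound & set(VAR_REF.findall(part)):
                findings.append((no, "secret-printed"))
    return findings

# Constructed sample Jenkinsfile, not taken from any real project.
SAMPLE = """\
pipeline {
  agent any
  environment {
    GITHUB_TOKEN = credentials('github-token')
    API_KEY = 'constructed-placeholder-value'
  }
  stages { stage('Login') { steps {
    sh 'echo $GITHUB_TOKEN | docker login -u myuser --password-stdin'
    sh 'echo $GITHUB_TOKEN'
    sh "curl -H 'Authorization: token ${GITHUB_TOKEN}' https://api.github.com/user"
  } } }
}
"""
```

Calling scan(SAMPLE) reports lines 5, 9 and 10 of the sample; the piped docker login on line 8 is not flagged because the secret goes to stdin rather than to the build log.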
Two Minute Drill
- Store secrets in Jenkins Credentials, not in the Jenkinsfile.
- Use credentials('id') in the environment block for declarative pipelines.
- Use withCredentials for scripted pipelines.
- Never hard‑code secrets.
