How to add Jenkins credentials
Securing the credentials and secrets in continuous integration with Jenkins is essential. This article focuses on the vital aspects of managing these sensitive elements. We will explore different types of credentials and secrets and best practices to strengthen Jenkins setups by configuring different credential types to enforce access control and integrating external providers.
Table of contents
- What are Jenkins credentials?
- Types of Jenkins credentials
- Setting up Jenkins credentials
- Role-based access control (RBAC) for credentials
- Integration with external credential stores
- Pipeline security best practices
- Conclusion
What are Jenkins credentials?
Jenkins credentials are secrets stored inside the Jenkins controller and handed to jobs and to system components (agent connections, SCM checkouts, notification mail) when they authenticate to other systems. They hold usernames, passwords, API tokens, SSH keys, certificates and whole files. Jenkins encrypts them at rest under keys kept in $JENKINS_HOME/secrets/ and masks bound values in console output, so a stored secret is protected from casual inspection. That protection has a clear boundary: anyone with Administer permission, with read access to $JENKINS_HOME, or with the ability to configure and run a job that uses a credential can recover the secret. Treat the credential store as a convenience for pipelines and the permissions around it as the actual control.
Types of Jenkins credentials
Jenkins supports different types of credentials to meet the authentication requirements of automated workflows. The primary types include:
Username with password
A username paired with a password, commonly used to authenticate to version control systems and other password-protected services. Because automation cannot complete multi-factor authentication, prefer a scoped access token (for example a Git hosting personal access token or deploy token with read-only rights) over a real account password wherever the target supports it, rotate it on a schedule, and revoke it the moment a Jenkins compromise is suspected.
SSH Username with private key
Used for SSH access to hosts and for SSH-based Git checkouts: a username paired with a private key, optionally protected by a passphrase. Generate a key pair dedicated to Jenkins rather than reusing a person's key, install only the public half on the target hosts, and restrict what that key may do there (for example with a forced command or a read-only deploy key). Rotate the pair on a schedule, limit which jobs may bind the credential, and treat the private key as compromised if the Jenkins controller is.
Secret text
A single opaque value such as an API key, OAuth token or webhook secret. Jenkins encrypts it at rest like every other credential; what you control is its scope, the jobs allowed to bind it, and the permissions the token carries on the remote service. Issue tokens with the narrowest rights the pipeline needs, and review and rotate them regularly.
Certificate
An X.509 client certificate with its private key, uploaded as a PKCS#12 file, used when a service authenticates clients with mutual TLS. Track the expiry date, since an expired certificate fails the pipeline at the least convenient moment, issue certificates from an internal CA so that they can be revoked, and renew them before expiry as part of a certificate management process.
Perforce Password Credential
Provided by the P4 plugin rather than Jenkins core, this kind holds a Perforce username and password for authenticating to a Perforce server. Enforce strong password policies on the service account, keep its permissions limited to the depots Jenkins needs, and prefer the ticket-based kind below where the server allows it.
Perforce Ticket Credential
Also from the P4 plugin, this kind holds a Perforce username and a login ticket obtained with p4 login, so the account's password never enters Jenkins. Tickets expire, which limits the damage of a leaked one; regularly review and invalidate tickets that are no longer used.
Secret file
A whole file stored as a credential, for example a kubeconfig, a service-account JSON key, or a keystore. When bound in a pipeline, Jenkins writes it to a temporary file in the workspace and deletes it when the block ends; do not copy it elsewhere, archive it as an artifact, or commit it. Scope it narrowly and audit which jobs use it.
Setting up Jenkins credentials
Identifying Add Credential button
Log in to your Jenkins instance using your credentials. Navigate to the Jenkins home page or dashboard.
Look for the Manage Jenkins tab in the left-hand sidebar. This is the control center for Jenkins configuration.
In the Manage Jenkins menu, click the Credentials option.
This will direct you to a new credentials manager page, where you can see previously added and default credentials.
In the Stores scoped to Jenkins table, click the System link.
Then, on the System page, click the Global credentials (unrestricted) link to open the default domain.
Identify and click on the Add Credentials button on the next page. This is the starting point for incorporating new credentials into your Jenkins environment. Here, you’ll be presented with various credential types designed to cater to specific authentication and security needs.
Configuration of the credential items
Choose the type of credentials to add from the Kind field. The options are Username with password, SSH Username with private key, Secret text, and more. Each type is tailored to different use cases, providing flexibility and adaptability.
Then, from the Scope field, choose either:
- Global – the credential is attached to the root Jenkins object and inherited by everything beneath it, so any job, pipeline or folder can select it. Use this scope for credentials that builds need, such as source-control tokens.
- System – the credential is available only to the Jenkins instance itself for system-level tasks such as connecting to agents or authenticating to the mail server. Jobs cannot see or select System credentials, which makes it the safer choice whenever a credential is not meant for build steps.
For each credential type, there are specific fields that we have to configure:
Secret text – enter the secret text in the Secret field.
Username and password – enter the Username and Password in their respective fields.
Secret file – click Choose File and select a secret file to upload to Jenkins.
SSH Username with private key – enter Username, Private Key, and optional Passphrase into their corresponding fields.
Certificate – specify the Certificate and optional Password. You may choose to Upload PKCS#12 certificate by selecting the corresponding option.
Then, specify an ID in the ID field, such as jenkins-user-for-automatenow-repository. The default Jenkins credentials provider accepts uppercase and lowercase letters for the credential ID, along with any valid separator character. Jenkinsfiles reference credentials by this ID, so pick a consistent naming convention and treat the ID as stable: renaming it later breaks every pipeline that uses it.
Note
This field is optional. Not specifying a value causes Jenkins to assign a globally unique ID (GUID) value for the credential ID.
Specify an optional Description for the credential. Lastly, click the Create button to save the credentials.
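The same result can be scripted instead of clicked through. The following is an added example, not code from the original article: a Groovy script for Manage Jenkins > Script Console (or $JENKINS_HOME/init.groovy.d/) that creates credentials of three kinds in the global domain, using the Global and System scopes described above. It reads the secret values from environment variables so that nothing sensitive sits in the script; the IDs, usernames, variable names and descriptions are assumptions for illustration. It needs the credentials, plain-credentials and ssh-credentials plugins, which ship with a standard install.

```groovy
// Added example: create Jenkins credentials from a script rather than the UI.
// Secrets come from the environment (GIT_TOKEN, DEPLOY_SSH_KEY, DEPLOY_SSH_PASSPHRASE,
// SMTP_PASSWORD are assumed names); nothing secret is written into the script.
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.domains.Domain
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl
import hudson.util.Secret

def env = System.getenv()
def missing = ['GIT_TOKEN', 'DEPLOY_SSH_KEY', 'SMTP_PASSWORD'].findAll { !env[it] }
if (missing) {
    throw new IllegalStateException("missing environment variables: ${missing}")
}

// The "System" store seen under Stores scoped to Jenkins, and its
// "Global credentials (unrestricted)" domain.
def store  = SystemCredentialsProvider.getInstance().getStore()
def domain = Domain.global()

// Replace a credential with the same ID on re-run instead of creating a duplicate.
def upsert = { cred ->
    def existing = store.getCredentials(domain).find { it.id == cred.id }
    if (existing) {
        store.updateCredentials(domain, existing, cred)
    } else {
        store.addCredentials(domain, cred)
    }
}

// Global scope: selectable by jobs. A scoped, read-only token stands in for a password.
upsert(new UsernamePasswordCredentialsImpl(
    CredentialsScope.GLOBAL,
    'jenkins-user-for-automatenow-repository',
    'Git hosting token for the automatenow repository (read-only)',
    'jenkins-bot',
    env.GIT_TOKEN))

// Global scope: SSH key dedicated to deployments; the public half lives on the hosts.
upsert(new BasicSSHUserPrivateKey(
    CredentialsScope.GLOBAL,
    'deploy-ssh-key',
    'deploy',
    new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(env.DEPLOY_SSH_KEY),
    env.DEPLOY_SSH_PASSPHRASE ?: '',
    'SSH key for deployment hosts'))

// System scope: usable only by Jenkins itself (for example the mail notifier).
// Jobs cannot select it, so a job author cannot make a build print it.
upsert(new StringCredentialsImpl(
    CredentialsScope.SYSTEM,
    'smtp-password',
    'SMTP password for build notifications',
    Secret.fromString(env.SMTP_PASSWORD)))

println 'credentials in the global domain: ' +
    store.getCredentials(domain).collect { "${it.id} (${it.scope})" }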
Role-based access control (RBAC) for credentials
Role-based Access Control (RBAC) is a security paradigm in which access permissions are assigned based on predefined roles, streamlining user management and ensuring that individuals have appropriate access to resources and actions within a system.
Benefits of implementing RBAC in Jenkins
RBAC in Jenkins separates who may manage credentials from who may use them. It makes access auditable, because permissions are attached to named roles rather than scattered across jobs, and it supports the principle of least privilege and the compliance requirements that depend on it. One caveat is specific to credentials: the Credentials permissions (View, Create, Update, Delete) govern managing them, not using them. Any user who can configure and run a job within a credential's scope can write a step that prints it, so Job/Configure is effectively a credential permission too, and Global credentials should be limited to what every job legitimately needs. With the Folders plugin, credentials can instead be stored in a folder-level store so that only jobs inside that folder can use them.
How to implement RBAC in Jenkins
Install and configure RBAC Plugins
Log in to the Jenkins web interface using administrative credentials. Go to Manage Jenkins and click on Plugins.
In the Installed plugins tab, search for the Role-based Authorization Strategy plugin. You can install it under the Available plugins tab if it’s not already installed.
After installing the plugin, go to Manage Jenkins > Security.
Choose Role-Based Strategy under the Authorization menu and save your configuration by clicking on the Save button at the bottom of the page.
Manage Global roles
Navigate to Manage Jenkins > Manage and Assign Roles to create global roles and assign permissions.
The Manage and Assign Roles page has two parts: Manage Roles, where roles and their permissions are defined, and Assign Roles, where users and groups are mapped to them. In the Global roles table each row is a role and each column a permission, grouped under headings such as Overall, Credentials, Agent, Job and View. The plugin creates an admin role with Overall/Administer checked; treat that role as the break-glass account and create narrower roles for everyone else.
To add a role, type its name in the Role to add field and click the Add button.
The new row appears in the Global roles table; tick only the permissions it needs. For example, people who only trigger pipelines need Overall/Read plus Job/Read and Job/Build, while Credentials/Create, Update and Delete belong only to the team that manages secrets. Credentials/Update lets a user change which secret a job uses and Job/Configure lets a user write a pipeline that prints one, so those two deserve the same scrutiny as Administer.
Save your changes after defining the global roles and assigning the necessary permissions. This often involves clicking a Save or Apply button at the bottom of the configuration page.
Regularly review and update roles
In the Manage Jenkins > Manage and Assign Roles section, modify existing roles or create new ones based on evolving requirements. Update roles by adding or removing permissions as necessary.
Record RBAC changes so that they can be reviewed. Jenkins does not keep an audit trail by default: Manage Jenkins > System Log shows Java logger output, not who changed a role or used a credential. Install the Audit Trail plugin, or forward the controller's access log to your SIEM, to record configuration changes, role assignments and credential edits together with the user who made them.
Set up alerts or notifications for critical RBAC events. By following these steps, you can smoothly implement RBAC in Jenkins, gradually adapting to organizational needs, monitoring activities, and ensuring that users are well-informed about the changes in the access management system.
Integration with external credential stores
Incorporating external credential stores into Jenkins is a strategic move to bolster security and centralize the management of sensitive information. Let’s delve into more detailed steps for using external credential stores, focusing on HashiCorp Vault and AWS Secrets Manager.
HashiCorp Vault Integration
Open your Jenkins dashboard and navigate to Manage Jenkins > Plugins.
In the Available plugins tab, search for HashiCorp Vault, check the box next to the HashiCorp Vault plugin and click the Install button. (The Consul KV Builder plugin that appears in the same search is a different integration for Consul's key/value store and is not needed here.)
Next, give Jenkins an identity with which to log in to Vault. Navigate to Manage Jenkins > Credentials, click System under Stores scoped to Jenkins, then Global credentials (unrestricted), then Add Credentials. The plugin adds credential kinds for this purpose, such as Vault AppRole Credential (a role ID and secret ID) and Vault Token Credential. Prefer an AppRole bound to a narrowly scoped Vault policy over a long-lived or root token, since a token pasted into Jenkins becomes a static secret with the same exposure as any other. Click Create.
Then go to Manage Jenkins > System and scroll to the Vault Plugin section. Enter the Vault URL (for example https://vault-server:8200; use TLS, not plain http), select the Vault credential you just created, set the K/V engine version your secrets use, leave Skip SSL verification unchecked, and click the Save button.
Pipelines then read secrets at run time with the plugin's withVault step, which injects the requested keys as environment variables for the duration of a block and masks them in the console log. The secret values themselves are never copied into the Jenkins credential store.
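An added example, not from the original article, of a declarative pipeline that fetches a deploy token from Vault with the HashiCorp Vault plugin's withVault step; the Vault address, credential ID, KV path, key names and deploy script are assumptions:

```groovy
// Added example: read secrets from Vault at run time instead of storing them in Jenkins.
// vault.example.com, the credential ID, the path and the key names are assumed values.
pipeline {
    agent any
    stages {
        stage('Deploy') {
            steps {
                withVault(
                    configuration: [
                        vaultUrl: 'https://vault.example.com:8200', // overrides Manage Jenkins > System
                        vaultCredentialId: 'vault-approle-ci',      // Vault AppRole Credential in Jenkins
                        engineVersion: 2                            // KV v2 engine
                    ],
                    vaultSecrets: [
                        [path: 'secret/ci/deploy',                 // KV v2: plugin adds the data/ segment
                         secretValues: [
                             [envVar: 'DEPLOY_TOKEN',  vaultKey: 'token'],
                             [envVar: 'REGISTRY_USER', vaultKey: 'registry_user']
                         ]]
                    ]) {
                    // Single-quoted script: the shell, not Groovy, expands the variables,
                    // so the values never land in the generated script or the build log.
                    // set +x keeps the shell from echoing the expanded command line.
                    sh '''
                        set +x
                        ./deploy.sh --registry-user "$REGISTRY_USER" --token "$DEPLOY_TOKEN"
                    '''
                }
            }
        }
    }
}
```

The variables exist only inside the withVault block and are masked in the console log for its duration; the AppRole's Vault policy should grant read on secret/data/ci/deploy and nothing else.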
AWS Secrets Manager Integration
In the Jenkins dashboard, navigate to Manage Jenkins > Plugins.
In the Available plugins tab, search for AWS Secrets Manager, check the box next to AWS Secrets Manager Credentials Provider and click the Install button.
This plugin works differently from the Vault plugin: it does not add a credential kind that you fill in, and you should not paste an AWS access key and secret key into Jenkins for it. The plugin authenticates to AWS through the SDK's default credential chain, so run the controller with an IAM role (an EC2 instance profile, or an IAM role for a Kubernetes service account) whose policy allows, at minimum, secretsmanager:ListSecrets and secretsmanager:GetSecretValue on the secrets Jenkins needs. Optional settings such as the region or an endpoint override live under Manage Jenkins > System in the AWS Secrets Manager Credentials Provider section. (If the HashiCorp Vault plugin is installed you may see a Vault AWS IAM Credential kind in the Kind list; that belongs to the Vault plugin, which uses it to log in to Vault with AWS IAM, and is unrelated to this provider.)
Secrets are published into Jenkins by tagging them in AWS rather than by adding them in the Jenkins UI. A secret carrying the tag jenkins:credentials:type with a value of string, usernamePassword, sshUserPrivateKey, certificate or file appears in the credentials list as that kind (usernamePassword and sshUserPrivateKey also take a jenkins:credentials:username tag, and file a jenkins:credentials:filename tag). The secret's name becomes the Jenkins credential ID, so pipelines bind it with withCredentials exactly like a credential stored in Jenkins, and rotating the value in Secrets Manager needs no change on the Jenkins side.
Benefits of integrating external providers in Jenkins
Integrating external credential providers into Jenkins introduces many benefits that significantly enhance the security, efficiency, and manageability of the CI/CD pipeline.
Let’s delve deeper into the advantages:
Enhanced Security
External providers like HashiCorp Vault or AWS Secrets Manager offer centralized secret management to store sensitive information like API keys or access credentials securely in one place. They use robust encryption algorithms and access control mechanisms to enhance the security posture. Many external providers also support automatic credential rotation to reduce the vulnerability window associated with static credentials.
Centralized Credential Lifecycle Management
Jenkins can dynamically retrieve credentials from external providers during runtime, which helps reduce exposure and minimize the risk of unauthorized access. This approach ensures that credentials are fetched only when they are needed. External providers also offer a user-friendly interface for updating credentials, simplifying the management process. This makes modifying or rotating credentials easier without manual intervention in Jenkins.
Simplified Configuration and Auditing
Integrating with external providers can simplify Jenkins configurations by managing credential details externally. This promotes a cleaner and more maintainable CI/CD setup. External providers also offer detailed auditing and logging capabilities. This allows Jenkins administrators to access comprehensive logs that track credential usage, changes, and access attempts. This auditing functionality is invaluable for compliance, troubleshooting, and security analysis.
Consistent Credential Management Across Pipelines
External credential providers allow reusing credentials across multiple Jenkins jobs and pipelines, ensuring consistency and reducing the likelihood of errors and inconsistencies in different parts of the CI/CD pipeline. These providers also provide access control policies, enabling authorized users or systems to retrieve specific credentials. By aligning these policies with organizational security requirements, access is restricted based on the principle of least privilege.
Scalability and Compatibility
External providers offer a variety of credential types beyond the conventional username and password combination. These include SSH keys, certificates, tokens, and other confidential information, providing flexibility for different authentication requirements. These external providers can quickly adapt to various environments, such as on-premises data centers, cloud infrastructure, or hybrid setups, ensuring consistent credential management practices across all infrastructure configurations.
Pipeline security best practices
Use credential IDs
Instead of pasting secrets into a Jenkinsfile or a job configuration, reference them by credential ID, either through a step's credentialsId parameter or inside a withCredentials block that binds the secret to an environment variable or temporary file for the duration of the block. The Jenkinsfile then contains nothing sensitive and can live in the repository next to the code, Jenkins masks the bound values in the console log, and rotating a secret means updating one credential rather than every pipeline that uses it.
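An added example, not from the original article, that binds the credential kinds described earlier by ID and shows the mistake that most often leaks a bound secret, Groovy string interpolation; the credential IDs, hostnames and commands are assumptions:

```groovy
// Added example: consume credentials by ID only. IDs, hosts and commands are assumed.
pipeline {
    agent any
    stages {
        stage('Checkout') {
            steps {
                // Many steps accept a credential ID directly; prefer that to binding by hand.
                git branch: 'main',
                    credentialsId: 'jenkins-user-for-automatenow-repository',
                    url: 'https://git.example.com/app.git'
            }
        }
        stage('Fetch dependencies') {
            steps {
                withCredentials([string(credentialsId: 'npm-registry-token', variable: 'NPM_TOKEN')]) {
                    // WRONG: in a double-quoted Groovy string, $NPM_TOKEN is expanded by Groovy
                    // on the controller; the secret is written into the generated shell script,
                    // can appear in diagnostics, and a crafted value could inject shell syntax.
                    // Jenkins warns about this pattern in the build log.
                    // sh "npm config set //registry.example.com/:_authToken $NPM_TOKEN"

                    // RIGHT: single quotes, so the shell reads the variable from its environment
                    // and the console-log masking applies. The token goes into a workspace-local
                    // .npmrc with restrictive permissions and is removed afterwards, never into
                    // the agent user's home directory.
                    sh '''
                        umask 077
                        printf '//registry.example.com/:_authToken=%s\n' "$NPM_TOKEN" > .npmrc
                        npm ci
                        rm -f .npmrc
                    '''
                }
            }
        }
        stage('Deploy') {
            steps {
                withCredentials([
                    sshUserPrivateKey(credentialsId: 'deploy-ssh-key',
                                      keyFileVariable: 'SSH_KEY', usernameVariable: 'SSH_USER'),
                    file(credentialsId: 'kubeconfig-prod', variable: 'KUBECONFIG'),
                    certificate(credentialsId: 'client-cert-prod',
                                keystoreVariable: 'KEYSTORE', passwordVariable: 'KEYSTORE_PASS')
                ]) {
                    // Bound files are written to a temporary location in the workspace and
                    // deleted when the block ends; never copy, archive or stash them.
                    sh 'ssh -i "$SSH_KEY" -o StrictHostKeyChecking=yes "$SSH_USER@deploy.example.com" ./restart.sh'
                    sh 'kubectl --kubeconfig "$KUBECONFIG" rollout status deployment/app'
                    sh 'curl --cert-type P12 --cert "$KEYSTORE:$KEYSTORE_PASS" https://api.example.com/health'
                }
            }
        }
    }
}
```

Everything secret in this pipeline is looked up by ID at run time, so the file can be committed and reviewed like any other source; the only sensitive decision it encodes is which IDs a job is allowed to bind, which is where scope and RBAC apply.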
Pipeline security scanning
Treat Jenkinsfiles as code and review them for secret handling. Keep the Script Security plugin's Groovy sandbox enabled for pipeline scripts and audit the In-process Script Approval list periodically, since every approved method signature widens what an unprivileged job author can do on the controller. Run a secret scanner over pipeline and shared-library repositories so that a token pasted into a script is caught before a build prints it, and check the console logs of jobs that use credentials for values the masking cannot catch, such as URL-encoded or base64-encoded copies of a secret.
Implement parallelism carefully
Parallel branches share the agent's workspace by default, so one branch can read files written by another, including a credential file bound with withCredentials in a sibling branch, and two branches writing the same file can corrupt it. Give branches that handle secrets their own directory (the ws step) or their own agent, and coordinate access to shared deployment targets with the lock step from the Lockable Resources plugin rather than with ad hoc timing.
Secure agent communication
Ensure that communication between the Jenkins controller and its agents is encrypted. Outbound SSH agents inherit SSH's encryption and host-key checking; inbound agents use the JNLP4 protocol, which wraps the connection in TLS (JNLP itself is a launch mechanism, not an encryption scheme). Current releases enable only JNLP4; if older, unencrypted agent protocols are still listed under Manage Jenkins > Security, disable them, and restrict the inbound TCP agent port with a firewall. Run agents as a low-privileged user, because a credential bound into a build is readable by anything else executing on that agent.
Update pipeline dependencies
Regularly update and patch pipeline dependencies, including plugins and external tools. This practice helps mitigate potential security vulnerabilities and ensures compatibility with the latest security features. Keeping dependencies up-to-date is fundamental to maintaining a secure and resilient pipeline environment.
Role-based access control (RBAC)
Implement RBAC in Jenkins to control who can configure, run and inspect pipelines. Define roles and permissions based on job responsibilities, and remember that Job/Configure on a job that uses a credential is equivalent to access to that credential. Combine global roles with the Role Strategy plugin's project roles, or with folder-scoped credential stores, so that a team's credentials are visible only to that team's jobs. By adhering to the principle of least privilege, organizations minimize the risk of unauthorized changes and of secrets leaking through builds.
Final thoughts on mastering Jenkins credentials and secrets
Managing Jenkins credentials and secrets is essential for a secure configuration management system. Integration of access controls can optimize the workflow and fortify the system against threats. Adopting best practices such as role-based access control, external credential providers, and vigilant monitoring can significantly improve the security of Jenkins environments. It is a foundational step towards promoting a security-centric software development and deployment culture. Happy testing!
Related articles
- How to create a Jenkins pipeline
- Managing Jenkins jobs
- Jenkins monitoring
- How to use Jenkins shared libraries
- Jenkins architecture
- Jenkins in test automation