Unable to see Jenkins Credentials values

Question

I'm trying to leverage the Jenkins credentials plugin to store sensitive data which I want to inject into Secrets within my Kubernetes cluster. I have a JenkinsFile which is used in my project to define the steps and I've added the following code to pull a username/password from a credential and pass to shell script to replace a placeholder in a file with the actual file:

stages {
    stage('Build') {
        steps {
           withCredentials([usernamePassword(credentialsId: 'creds-test', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME')]) {
               sh '''
                  echo $USERNAME
                  echo $PASSWORD

                  chmod +x secrets-replace.sh
                  ./secrets-replace.sh USERNAME_PLACEHOLDER $USERNAME
                  ./secrets-replace.sh PASSWORD_PLACEHOLDER $PASSWORD
                '''
              }
              echo 'Building...'
              sh './gradlew build --refresh-dependencies'
        }
    }
    ...
}

However whenever this runs all I ever get is the masked **** value back, even when I pass it to the shell script. Here is part of the build log:

Is there something I need to configure to get access to the unmasked value?

Answer 1

Write the variable to a file in jenkins. Go to the jenkins workspace and look inside the file. The token will be present in plain text there.

UPDATE

Further easy way will be to print the base64 encoded value of the credential and then decode it.

Answer 2

Like the others added above, you could actually write it to a file and then cat the file outside of the withCredentials. You should be fine with this. As below..

withCredentials([usernamePassword(credentialsId: 'creds-test', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME')]) {
           sh '''
              echo $USERNAME > tmp
              echo $PASSWORD >> tmp
            '''
          }
          sh 'cat tmp'

This prints the actual credential values

Answer 3

Consider manipulating the string

echo env.PASSWORD.toCharArray().join(' ');

like

stages {
    stage('Build') {
        steps {
           withCredentials([usernamePassword(credentialsId: 'creds-test', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME')]) {
               script {
                  echo env.USERNAME.toCharArray().join(' ');
                  echo env.PASSWORD.toCharArray().join(' ');
               }
               sh '''
                  chmod +x secrets-replace.sh
                  ./secrets-replace.sh USERNAME_PLACEHOLDER $USERNAME
                  ./secrets-replace.sh PASSWORD_PLACEHOLDER $PASSWORD
                '''
              }
              echo 'Building...'
              sh './gradlew build --refresh-dependencies'
        }
    }
    ...
}

Answer 4

Echoing straight from file didnt work for me so I tricked Jenkins like this to see the secret during debugging: Obviously, remove it right after debugging!

        stage('Build') {

            azureKeyVault(
            credentialID: 'my-sp', 
            keyVaultURL: 'https://my-kv.vault.azure.net', 
            secrets: [
                [envVariable: 'MY_SECRET', name: 'my-secret-name-in-azure-kv', secretType: 'Secret']
            ]
          ) {
                sh '''
                    echo -n $MY_SECRET | base64 > tmpp
                    cat tmpp
                '''
            }
        }