How can I mask variables in the Jenkins console so that I can avoid leaking my token?



In my Jenkins pipeline I wrapped the withCredentials plugin in a function, so that I can pass variables to retrieve different secrets and keep my stage pipeline clean. Below is my code.

```groovy
def getCredentialsString(dsl, credentialsId) {
    def r
    dsl.withCredentials([string(credentialsId: credentialsId, variable: 'CredentialsString')]) {
        r = "${env.CredentialsString}"
    }
    return r
}
```

The stage pipeline, where my-jenkins-token and my-jenkins-api-token are the secrets in Jenkins that store my API tokens. I have hidden the necessary commands, as shown below:

```groovy
def project_token = credentials.getCredentialsString(this, "my-jenkins-token")
def api_token = credentials.getCredentialsString(this, "my-jenkins-api-token")
sh "mvn -Dsettings.security=${mavenSecuritySetting} -DprojectToken=${project_token} -DapiToken=${api_token} -Dcommit=${COMMIT_ID} -s ${mavenSetting}"
```

The problem is that if I choose to separate withCredentials, the tokens get printed as plain text, and I want to know of a way to mask the variable. I could set the variable as an ENV variable, as long as that helps mask the console output.

Accessing the secret value outside the withCredentials block defeats the purpose of storing secrets securely. If you have dynamically scoped credentials, I would suggest the approach below.

```groovy
node('master') {
    // key is the local variable, value is the credentialsId from the Jenkins store
    Map creds = [slack_token: 'Slack', aws_token: 'AWS']
    runWithCredentials(creds) {
        echo "${slack_token} and ${aws_token}"
    }
}

def runWithCredentials(Map credentials, def body) {
    List credBlock = []
    credentials.each { credValue, credId ->
        credBlock.add(string(credentialsId: credId, variable: credValue))
    }
    withCredentials(credBlock) {
        body()
    }
}
```
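As an added example (not part of the question or the answer above), here is the questioner's own mvn step rewritten so the two tokens are only ever bound inside withCredentials and are never interpolated into the Groovy string; mavenSecuritySetting, mavenSetting and COMMIT_ID are assumed to be defined earlier in the pipeline, as in the question.

```groovy
// Added example: scripted pipeline fragment, not code from the question or answer.
// The credential IDs are the ones named in the question; mavenSecuritySetting,
// mavenSetting and COMMIT_ID are assumed to already exist in the pipeline.
node('master') {
    // Put the non-secret settings into the environment as well, so that the
    // sh script below can be a single-quoted string with no Groovy interpolation.
    withEnv(["MAVEN_SECURITY_SETTING=${mavenSecuritySetting}",
             "MAVEN_SETTING=${mavenSetting}"]) {
        withCredentials([
            string(credentialsId: 'my-jenkins-token',     variable: 'PROJECT_TOKEN'),
            string(credentialsId: 'my-jenkins-api-token', variable: 'API_TOKEN')
        ]) {
            // Single quotes: Groovy does not expand $PROJECT_TOKEN / $API_TOKEN,
            // the shell does, from the environment withCredentials bound.
            // Jenkins masks the bound values as **** in the console log, and it
            // does not emit its "secret passed via Groovy String interpolation"
            // warning, because the token never enters the command text.
            sh '''
                mvn -Dsettings.security="$MAVEN_SECURITY_SETTING" \
                    -DprojectToken="$PROJECT_TOKEN" \
                    -DapiToken="$API_TOKEN" \
                    -Dcommit="$COMMIT_ID" \
                    -s "$MAVEN_SETTING"
            '''
        }
        // Outside the block PROJECT_TOKEN and API_TOKEN are unset again, and no
        // Groovy variable holds a copy, so nothing is left to leak into later steps.
    }
}
```

The masking only covers text inside the withCredentials scope, which is why copying the value into a Groovy variable (as getCredentialsString does) and using it afterwards prints it in clear.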
