I recently worked on a Project that required migrating Jenkins credentials to another credentials store, going to each credential and viewing and subsequently decrypting the credential turned into a real chore and I needed a way to do this all in one go.

Luckily we can access credentialsStore using Jenkins script console, so:

  1. In Jenkins, go to: /script page.
  2. Run the following command:

import jenkins.model.*
import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.impl.*
import com.cloudbees.plugins.credentials.domains.*
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import org.jenkinsci.plugins.plaincredentials.StringCredentials
import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl

def showRow = { credentialType, secretId, username = null, password = null, description = null ->
println("${credentialType} : ".padLeft(20) + secretId?.padRight(38)+" | " +username?.padRight(20)+" | " +password?.padRight(40) + " | " +description)
}

// set Credentials domain name (null means is it global)
domainName = null

credentialsStore = Jenkins.instance.getExtensionList('com.cloudbees.plugins.credentials.SystemCredentialsProvider')[0]?.getStore()
domain = new Domain(domainName, null, Collections.<DomainSpecification>emptyList())

credentialsStore?.getCredentials(domain).each{
if(it instanceof UsernamePasswordCredentialsImpl)
showRow("user/password", it.id, it.username, it.password?.getPlainText(), it.description)
else if(it instanceof BasicSSHUserPrivateKey)
showRow("ssh priv key", it.id, it.passphrase?.getPlainText(), it.privateKeySource?.getPrivateKey()?.getPlainText(), it.description)
else if(it instanceof StringCredentials)
showRow("secret text", it.id, it.secret?.getPlainText(), '', it.description)
else if(it instanceof FileCredentialsImpl)
showRow("secret file", it.id, it.content?.text, '', it.description)
else
showRow("something else", it.id, '', '', '')
}

return

 

Lo and behold, the contents of your credentialsStore laid bare before your eyes, a security nightmare but that is a talk for another day.

Dennis Otugo
Dennis Otugo

Dennis Otugo is a Consultant at Bantrain, and loves all things DevOps. In his role, he enables enterprise customers in their digital transformation journey and helps architect cloud-native solutions

Speak with an expert on our team to discuss Cloud solutions tailored to your business.

You’ll receive free recommendations tailored to your business.