Skip to content

Instantly share code, notes, and snippets.

@thomaschaplin

thomaschaplin/how-to-view-all-jenkins-secrets.md

Created May 23, 2023 12:28
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save thomaschaplin/4e84c06693183474f626999883f628c9 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save thomaschaplin/4e84c06693183474f626999883f628c9 to your computer and use it in GitHub Desktop.
Download ZIP
How to view all Jenkins Secrets/Credentials
Raw
how-to-view-all-jenkins-secrets.md

How to view all Jenkins Secrets/Credentials

I recently worked on a Project that required migrating Jenkins credentials to another credentials store, going to each credential and viewing and subsequently decrypting the credential turned into a real chore and I needed a way to do this all in one go.

Luckily we can access credentialsStore using Jenkins script console, so:

In Jenkins, go to: /script page. Run the following command:

import jenkins.model.*
import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.impl.*
import com.cloudbees.plugins.credentials.domains.*
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import org.jenkinsci.plugins.plaincredentials.StringCredentials
import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl

def showRow = {
  credentialType,
  secretId,
  username = null,
  password = null,
  description = null ->
  println("${credentialType} : ".padLeft(20) + secretId?.padRight(38) + " | " + username?.padRight(20) + " | " + password?.padRight(40) + " | " + description)
}

// set Credentials domain name (null means is it global)
domainName = null

credentialsStore = Jenkins.instance.getExtensionList('com.cloudbees.plugins.credentials.SystemCredentialsProvider')[0]?.getStore()
domain = new Domain(domainName, null, Collections. < DomainSpecification > emptyList())

credentialsStore?.getCredentials(domain).each {
  if (it instanceof UsernamePasswordCredentialsImpl)
    showRow("user/password", it.id, it.username, it.password?.getPlainText(), it.description)
  else if (it instanceof BasicSSHUserPrivateKey)
    showRow("ssh priv key", it.id, it.passphrase?.getPlainText(), it.privateKeySource?.getPrivateKey()?.getPlainText(), it.description)
  else if (it instanceof StringCredentials)
    showRow("secret text", it.id, it.secret?.getPlainText(), '', it.description)
  else if (it instanceof FileCredentialsImpl)
    showRow("secret file", it.id, it.content?.text, '', it.description)
  else
    showRow("something else", it.id, '', '', '')
}

return

Lo and behold, the contents of your credentialsStore laid bare before your eyes, a security nightmare but that is a talk for another day.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment