Jenkins: Hide Passwords – MaskPasswordsBuildWrapper

For some reason, you may not want to store credentials in Jenkins using the Credentials Plugin.

Nevertheless, you may still need to hide sensitive data, like passwords or secret keys, from the console output in Jenkins.

One possible solution is to wrap the parts of the code you want to hide with set +x (stop showing the output) and set -x (resume showing the output).
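The set +x / set -x wrapping described above, as an added example that is not code from the original post: Jenkins runs sh steps with -x, so the function below reproduces that trace and compares it with and without the guard. DEMO_SECRET, use_secret, trace_of and leaks_secret are hypothetical names, and the secret is a constructed value.

```shell
#!/bin/sh
# Added example, not from the original post. DEMO_SECRET and use_secret
# are hypothetical names; the secret value is a constructed sample.
DEMO_SECRET="constructed-demo-secret"

# Stand-in for any command that takes the secret as an argument.
use_secret() {
  printf '%s' "$1" | wc -c >/dev/null
}

# Run a few steps with xtrace enabled (as a Jenkins sh step does) and
# return the trace. With $1 = "guarded" the sensitive call is wrapped
# in set +x / set -x; any other value leaves it unwrapped.
trace_of() {
  (
    set -x
    echo "build started" >/dev/null
    if [ "$1" = "guarded" ]; then
      { set +x; } 2>/dev/null   # stop tracing and hide the "+ set +x" line
      use_secret "$DEMO_SECRET"
      set -x                    # resume tracing
    else
      use_secret "$DEMO_SECRET"
    fi
    echo "build finished" >/dev/null
  ) 2>&1
}

# Succeeds when the given trace text contains the secret.
leaks_secret() {
  case "$1" in
    *"$DEMO_SECRET"*) return 0 ;;
    *) return 1 ;;
  esac
}

for mode in unguarded guarded; do
  if leaks_secret "$(trace_of "$mode")"; then
    echo "$mode: secret appears in the trace"
  else
    echo "$mode: secret not in the trace"
  fi
done
```

The guard only suppresses the shell trace; anything the wrapped command itself prints still reaches the console.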

A more elegant and efficient solution is to use the Mask Passwords Plugin, which masks passwords that may appear in the console.

In this note I will show an example of how to hide passwords in the Jenkins console output using the MaskPasswordsBuildWrapper from a Jenkins declarative pipeline.


Hide Passwords in Jenkins

First of all, you need to install the Mask Passwords Plugin.

If the plugin is not installed, you may get the following error:

java.lang.UnsupportedOperationException: no known implementation of class jenkins.tasks.SimpleBuildWrapper is named MaskPasswordsBuildWrapper

An example of the Jenkinsfile with the secrets to hide:

// Define secret variables
def MY_PASSWORD = "YWVyY3dxZWY"
def MY_SECRET = "ZGZoeWt5OGt"

// Mask secret variables and try to print
pipeline {
  agent any
  stages {
    stage ("Print variable") {
      steps {
        wrap([$class: "MaskPasswordsBuildWrapper",
              varPasswordPairs: [[password: MY_PASSWORD],
                                 [password: MY_SECRET]]]) {
          echo "Password: ${MY_PASSWORD}"
          echo "Secret: ${MY_SECRET}"
        }
      }
    }
  }
}

If you try to print the variables masked with MaskPasswordsBuildWrapper, you will see that their values have been replaced with asterisks:

[Pipeline] echo
Password: ********
[Pipeline] echo
Secret: ********


3 Replies to “Jenkins: Hide Passwords – MaskPasswordsBuildWrapper”

  1. But the password is in the script which would be in your version control. It’s just exposed a different way.

    1. This is just an example. In a real project, a password can be dynamically retrieved from external sources, like Vault by HashiCorp or CyberArk, and assigned to the ${MY_PASSWORD} variable.

  2. Nice post!
    FYI, this approach will not work with the Blue Ocean UI; to solve it, have a look at this issue: https://issues.jenkins.io/browse/JENKINS-59214?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
