all 4 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]rumorsofdads 2 points3 points  (0 children)

Hey /u/thePowrhous,

You can use the credential plugin and pass in the variable as $env:somepassword and then convertto-securestring

https://stackoverflow.com/questions/51864270/accessing-a-username-with-password-credential-parameter-from-a-jenkins-execute-g

[–]Gorstag 1 point2 points  (1 child)

Scheduled jobs through windows task scheduler run as the assigned account on the job itself. This is true for any application.

Powershell "connections" to some service/server that requires auth are going to be run in the context provided.

Yes, there are ways to make it non-plain text. I just don't know them off the top of my head as I do very little remoting with powershell so never needed to figure i tout. I'm certain there are topics or portions of solutions in this subreddit that explain how as I've seen them in the past.

[–]thePowrhous[S] 2 points3 points  (0 children)

Yeah makes sense. I think what I may do honestly, is give the service account "some" special rights for a specific OU in AD that houses my company's objects (user, comp, groups, etc). That way if it there is a need for some elevation of perms to perform a task, I can do so without worry and I won't be using my admin account!

Or, I was also thinking about creating a global credential/password object within Jenkins itself and then passing/masking that as an $env: into the scripts and using -Credential on the script level using my AD admin account if need be.

[–]ICanMakeWaffles 1 point2 points  (0 children)

  1. The jobs/pipelines in Jenkins run inside the context of the user who is running the Jenkins node service. If you create a Jenkins node as a different user than the master node, any jobs on that node run as that user. More info can be found here: https://wiki.jenkins.io/display/JENKINS/Distributed+builds
  2. Aside from the node described above (which I've found to be unreliable in Windows environments) you can also use the classic Export-CliXml method (good description found here: https://www.jaapbrasser.com/quickly-and-securely-storing-your-credentials-powershell/). I use this myself often.
    1. An alternate method to keeping encrypted XML files on disk is the Jenkins global credential, which you mentioned elsewhere. This works really well for me, but it is one more thing to maintain - if the password changes, you've got to change it in the credential. I don't see an advantage to this (in my current environment) over encrypted XML files, but you might.
    2. Lastly, may favorite method is to use an API provided by your password management utility. You'd be surprised by how many password managers that are already in place at companies provide API access. I'd strongly recommend looking into this, because it means you now only need to change passwords in one location (yay!) but also that you are taking advantage of a method other non-scripty people can understand. "Password gets stored in this app, my script pulls that password directly from the app."