Important: This plug-in is maintained by the Jenkins community and won’t be supported by Microsoft as of February 29, 2024.
Jenkins plugin to manage Azure credentials.
It supports the following Azure credential types:
- Azure Service Principal, with the following authentication mechanisms:
  - Client secret
  - Certificate (add the certificate to the Jenkins credentials store and reference it in the Azure Service Principal configuration)
- Azure Managed Identity (MSI)
- Basic support for credentials in Azure Key Vault; for full support, please use the Azure Key Vault plugin.
In freestyle jobs, click Use secret text(s) or file(s) in the Build Environment section of the configuration page and add an Azure Service Principal item. This lets you add credential bindings, where the Variable value is used as the name of the environment variable that your build can use to access the value of the credential.
With the default variable names, you can reference the service principal as follows:
echo "My client id is $AZURE_CLIENT_ID"
echo "My client secret is $AZURE_CLIENT_SECRET"
echo "My tenant id is $AZURE_TENANT_ID"
echo "My subscription id is $AZURE_SUBSCRIPTION_ID"
In scripted pipelines, there are two ways to construct this binding:
- With defaults, which will read the specified service principal into four predefined environment variables: AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID. Sample pipeline code:
  withCredentials([azureServicePrincipal('credentials_id')]) {
      sh 'az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET -t $AZURE_TENANT_ID'
  }
- With custom name, where you can control the names of the variables. Sample pipeline code:
  withCredentials([azureServicePrincipal(credentialsId: 'credentials_id',
                                         subscriptionIdVariable: 'SUBS_ID',
                                         clientIdVariable: 'CLIENT_ID',
                                         clientSecretVariable: 'CLIENT_SECRET',
                                         tenantIdVariable: 'TENANT_ID')]) {
      sh 'az login --service-principal -u $CLIENT_ID -p $CLIENT_SECRET -t $TENANT_ID'
  }
In declarative pipelines, the binding adds extra environment variables based on the variable name you requested.
If you set MY_CRED = credentials('credentials_id'), you will get:
MY_CRED_CLIENT_ID
MY_CRED_CLIENT_SECRET
MY_CRED_TENANT_ID
MY_CRED_SUBSCRIPTION_ID
pipeline {
    // Declarative pipelines require an agent section
    agent any
    environment {
        MY_CRED = credentials('credentials_id')
    }
    stages {
        stage('build') {
            steps {
                sh 'az login --service-principal -u $MY_CRED_CLIENT_ID -p $MY_CRED_CLIENT_SECRET -t $MY_CRED_TENANT_ID'
            }
        }
    }
}
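The pipeline samples above pass the sh step a single-quoted string, so the shell expands the secret variable; in a double-quoted Groovy string, Groovy substitutes the secret value into the command text before the step runs. The following heuristic check is an added example, not part of the plugin or its documentation: it flags sh, bat and powershell steps whose double-quoted string interpolates a bound client-secret variable. The function names and the sample Jenkinsfile are constructed for illustration.

```python
import re

# Default secret variable bound by azureServicePrincipal('id'), as listed on this page.
DEFAULT_SECRET = "AZURE_CLIENT_SECRET"
# A double-quoted (or triple-double-quoted) Groovy string passed to a shell step.
STEP_RE = re.compile(r'\b(?:sh|bat|powershell)\b\s*\(?\s*(?:script\s*:\s*)?'
                     r'("""[\s\S]*?"""|"(?:\\.|[^"\\\n])*")')
CUSTOM_RE = re.compile(r'clientSecretVariable\s*:\s*[\'"](\w+)[\'"]')
DECL_RE = re.compile(r'^\s*(\w+)\s*=\s*credentials\(', re.M)


def secret_names(text):
    """Secret variable names the file can bind: default, custom, declarative."""
    names = {DEFAULT_SECRET}
    names.update(CUSTOM_RE.findall(text))
    names.update(n + "_CLIENT_SECRET" for n in DECL_RE.findall(text))
    return names


def find_interpolated_secrets(text):
    """Return sorted (line, variable) pairs where Groovy expands a secret."""
    alts = "|".join(sorted(map(re.escape, secret_names(text)), key=len, reverse=True))
    # An unescaped $VAR, ${VAR} or ${env.VAR}; "\$VAR" is left for the shell.
    ref = re.compile(r'(?<!\\)\$\{?(?:env\.)?(%s)\b' % alts)
    hits = set()
    for step in STEP_RE.finditer(text):
        for m in ref.finditer(step.group(1)):
            pos = step.start(1) + m.start()
            hits.add((text.count("\n", 0, pos) + 1, m.group(1)))
    return sorted(hits)


# Constructed sample Jenkinsfile (not from the plugin documentation).
SAMPLE = r'''
withCredentials([azureServicePrincipal('credentials_id')]) {
  sh 'az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET -t $AZURE_TENANT_ID'
  sh "az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} -t ${AZURE_TENANT_ID}"
}
withCredentials([azureServicePrincipal(credentialsId: 'credentials_id',
    clientSecretVariable: 'CLIENT_SECRET')]) {
  sh """
    az login --service-principal -u \$CLIENT_ID -p $CLIENT_SECRET -t \$TENANT_ID
  """
}
'''

if __name__ == "__main__":
    for line, var in find_interpolated_secrets(SAMPLE):
        print(f"line {line}: Groovy interpolates {var}; use a single-quoted string")
```

The scan is regex-based and does not parse Groovy, so treat a hit as a prompt for review rather than proof of a leak.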
- Update your project POM file to reference the azure-credentials plugin and necessary dependencies:
<dependencies>
    <dependency>
        <groupId>org.jenkins-ci.plugins</groupId>
        <artifactId>azure-credentials</artifactId>
        <version>${azure-credentials.version}</version>
    </dependency>
</dependencies>
- Add the credential selector in the config.jelly and Descriptor:
<f:entry title="${%Azure Credential}" field="credentialsId">
    <c:select expressionAllowed="false"/>
</f:entry>

// Stapler derives the method name from the jelly field:
// field="credentialsId" -> doFillCredentialsIdItems
public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item owner) {
    StandardListBoxModel result = new StandardListBoxModel();
    result.add("--- Select Azure Credentials ---", "");
    // Return only the placeholder entry to users who lack permission in this context
    if (owner == null) {
        // No job context: only administrators may list credentials
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return result;
        }
    } else {
        // Job context: require configure-level read or credential use permission on the item
        if (!owner.hasPermission(Item.EXTENDED_READ)
                && !owner.hasPermission(CredentialsProvider.USE_ITEM)) {
            return result;
        }
    }
    return result
            .includeEmptyValue()
            .includeMatchingAs(
                    ACL.SYSTEM,
                    owner,
                    AzureBaseCredentials.class,
                    Collections.emptyList(),
                    CredentialsMatchers.instanceOf(
                            AzureBaseCredentials.class));
}
- Build the Azure client from the credential:
public AzureResourceManager getResourceManager(String credentialId) {
    // Pass an Item instead of null if you're in a job/run context
    AzureBaseCredentials azureCredentials = AzureCredentialUtil.getCredential(null, credentialId);
    AzureProfile profile = new AzureProfile(azureCredentials.getAzureEnvironment());
    TokenCredential tokenCredential = AzureCredentials.getTokenCredential(azureCredentials);
    // Use the subscription configured on the credential
    String subscriptionId = azureCredentials.getSubscriptionId();
    return AzureResourceManager
            .configure()
            .withHttpClient(HttpClientRetriever.get())
            .authenticate(tokenCredential, profile)
            .withSubscription(subscriptionId);
}

// Looks up every AzureBaseCredentials visible to ACL.SYSTEM with no item
// context (null); no per-user permission check is applied here
CredentialsProvider
        .lookupCredentials(
                AzureBaseCredentials.class,
                null,
                ACL.SYSTEM,
                Collections.emptyList()
        );