The following plugin provides functionality available through Pipeline-compatible steps. Read more about how to integrate steps into your Pipeline in the Steps section of the Pipeline Syntax page.

For a list of other such plugins, see the Pipeline Steps Reference page.

HashiCorp Vault Plugin

View this plugin on the Plugins site

withVault: Vault Plugin

  • vaultSecrets
      Array / List of Nested Object
    • path : String
      The path of the secret in the vault server as described here.
    • secretValues
        Array / List of Nested Object
      • vaultKey : String
        The vault key whose value will populate the environment variable.
      • envVar : String (optional)
        The environment variable to set with the value of the vault key.
        If field is left empty. The value from vault key will be used for environment variable.
      • isRequired : boolean (optional)
        A toggle to determine if the given Vault secret value must be present in your secret
        If checked, the value is required; the plugin will throw an error if the value is not found in the secret.
    • engineVersion : int (optional)
      The vault K/V engine version. Currently supports versions 1 or 2. (Only applicable when using vaults Key/Value secrets engine. See here)
      If set to default it will use what is configured on folder or global configuration.
  • configuration (optional)
      Nested Object
    • engineVersion : int (optional)
      The vault K/V engine version. Currently supports versions 1 or 2. (Only applicable when using vaults Key/Value secrets engine. See here)
      If set to default it will use what is configured on folder or global configuration.
    • failIfNotFound : boolean (optional)
    • prefixPath : String (optional)
    • skipSslVerification : boolean (optional)
    • timeout : int (optional)
    • vaultCredential (optional)
        Nested Choice of Objects
      • $class: 'VaultAppRoleCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • roleId : String
        • secretId
          • Type: class hudson.util.Secret
        • path : String
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

      • $class: 'VaultAwsIamCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • mountPath : String (optional)
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

        • role : String (optional)
          The IAM role to authenticate with. If this is left blank, Vault will use the role in the sts:GetCallerIdentity response.
        • serverId : String (optional)
          The value to supply in the X-Vault-AWS-IAM-Server-ID header of the sts:GetCallerIdentity request. This must match the value configured in the Vault AWS IAM auth method if the header is required.
      • $class: 'VaultGCPCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • role : String
        • audience : String
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

      • $class: 'VaultGithubTokenCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • accessToken
          • Type: class hudson.util.Secret
        • mountPath : String (optional)
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

      • $class: 'VaultKubernetesCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • role : String
        • mountPath : String (optional)
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

      • $class: 'VaultTokenCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • token
          • Type: class hudson.util.Secret
      • $class: 'VaultTokenFileCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • filepath : String
    • vaultCredentialId : String (optional)
    • vaultNamespace : String (optional)
    • vaultUrl : String (optional)

wrap([$class: 'VaultBuildWrapper']): Vault Plugin

  • vaultSecrets
      Array / List of Nested Object
    • path : String
      The path of the secret in the vault server as described here.
    • secretValues
        Array / List of Nested Object
      • vaultKey : String
        The vault key whose value will populate the environment variable.
      • envVar : String (optional)
        The environment variable to set with the value of the vault key.
        If field is left empty. The value from vault key will be used for environment variable.
      • isRequired : boolean (optional)
        A toggle to determine if the given Vault secret value must be present in your secret
        If checked, the value is required; the plugin will throw an error if the value is not found in the secret.
    • engineVersion : int (optional)
      The vault K/V engine version. Currently supports versions 1 or 2. (Only applicable when using vaults Key/Value secrets engine. See here)
      If set to default it will use what is configured on folder or global configuration.
  • configuration (optional)
      Nested Object
    • engineVersion : int (optional)
      The vault K/V engine version. Currently supports versions 1 or 2. (Only applicable when using vaults Key/Value secrets engine. See here)
      If set to default it will use what is configured on folder or global configuration.
    • failIfNotFound : boolean (optional)
    • prefixPath : String (optional)
    • skipSslVerification : boolean (optional)
    • timeout : int (optional)
    • vaultCredential (optional)
        Nested Choice of Objects
      • $class: 'VaultAppRoleCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • roleId : String
        • secretId
          • Type: class hudson.util.Secret
        • path : String
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

      • $class: 'VaultAwsIamCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • mountPath : String (optional)
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

        • role : String (optional)
          The IAM role to authenticate with. If this is left blank, Vault will use the role in the sts:GetCallerIdentity response.
        • serverId : String (optional)
          The value to supply in the X-Vault-AWS-IAM-Server-ID header of the sts:GetCallerIdentity request. This must match the value configured in the Vault AWS IAM auth method if the header is required.
      • $class: 'VaultGCPCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • role : String
        • audience : String
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

      • $class: 'VaultGithubTokenCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • accessToken
          • Type: class hudson.util.Secret
        • mountPath : String (optional)
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

      • $class: 'VaultKubernetesCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • role : String
        • mountPath : String (optional)
        • namespace : String (optional)
          The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.

          Note: Namespaces are a feature of Vault Enterprise.

      • $class: 'VaultTokenCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • token
          • Type: class hudson.util.Secret
      • $class: 'VaultTokenFileCredential'
        • scope
          Determines where this credential can be used.
          System
          This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
          Global
          This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.

          In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.

          • Values: SYSTEM, GLOBAL, USER
        • id : String
          An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
        • description : String
          An optional description to help tell similar credentials apart.
        • filepath : String
    • vaultCredentialId : String (optional)
    • vaultNamespace : String (optional)
    • vaultUrl : String (optional)

Was this page helpful?

Please submit your feedback about this page through this quick form.

Alternatively, if you don't wish to complete the quick form, you can simply indicate if you found this page helpful?

    


See existing feedback here.