Credentials and user impersonation

2 minute readSecurity

By default, run-time objects such as job steps and pipeline tasks run under the account used by the CloudBees CD/RO agent at install time. This approach works well in environments where it makes sense to run all jobs under a single user such as a build user. In this scenario, you install all agents to run as the designated user and every step of every job runs as that user.


Credentials are used to access services and resources used during application deployments, release pipeline execution, or any other automated process orchestrated by CloudBees CD/RO.

When a run-time object is configured to run as a specific user other than that defined at install time, CloudBees CD/RO retrieves the user name and password from a stored credential. The credential is passed to the CloudBees CD/RO agent over an encrypted channel so the agent can authenticate itself to the operating system and set up a security context where the object runs with the user permissions in the credential.


At runtime, an object may need to temporarily impersonate a different user. For example, as part of your pipeline you may need to run a task that generates a certificate using privileged corporate information; that task must run under a special high-privileged account, but you want the remainder of the steps in the build to use a less-privileged account.

CloudBees CD/RO allows you to select a credential on a per-task, per-job, or per-job-step basis that the CloudBees CD/RO agent uses to impersonate a particular user for the duration of run-time object.

For further information see Impersonation.