Credential management

Credentials grant access to the services and resources used during application deployments, release pipeline execution, or any other automated process orchestrated by CloudBees CD/RO. Credentials are supported in the following contexts.

  • Stored credentials used by a process step, plugin task, or procedure step

  • Stored credentials used for impersonation

  • Credential parameters

  • Username and password or secret supplied at runtime

Two credential types are available: stored and runtime.

  • Stored credentials: Each project has a list of stored credentials it owns. These credentials are managed from the Credential Management page.

    • Internally-managed credentials: These credentials are stored in encrypted form in the CloudBees CD/RO database.

    • Externally-managed credentials: These credentials are stored and managed via an external credential provider. Supported external providers include CyberArk and HashiCorp Vault.

  • Runtime credentials: These credentials are captured dynamically when a job run-time object is created. They are held on the server only until the job completes and are then discarded.

Stored credential encryption

Internally-managed credential data, including passwords, is encrypted with 256-bit AES (Advanced Encryption Standard) before it is written to the CloudBees CD/RO database.

Creating a credential provider definition

If you are using an external credential provider to manage credentials, follow the steps in this section to create its provider definition within CloudBees CD/RO.

If creating an internally-managed credential, proceed directly to Defining a credential.

Creating a credential provider definition is a one-time process per provider instance at your site. It encapsulates

Prerequisites

  • A supported external credential provider, installed and configured at your site.

  • The connection details for your external credential provider instance (such as its server URL) that are required to define the provider within CloudBees CD/RO.

  • One or more credentials configured with your credential provider.

  • The CloudBees CD/RO project in which the credential provider definition lives, and the project in which the credentials it manages live. These can be two different projects.

    As a best practice, organize them based on use across your environment. For example, you may have one project for staging providers and another project for production providers. Or, it may be appropriate to base project organization on user groups.

Define the provider

  1. Navigate to DevOps Essentials Credential Management and select Credential providers from the left-hand menu.

  2. Select New in upper right corner. The New Credential Provider dialog displays.

  3. On the Details tab provide:

    • Name: User-defined name of this provider definition. You use this name within CloudBees CD/RO at credential definition time.

    • Project: The CloudBees CD/RO project under which this definition exists.

    • Description: (optional) Comment text describing this definition. This is not used internally by CloudBees CD/RO.

    • Server URL: URL for connecting to the provider.

    • Test connection: Check this if you wish to test the provider connection before saving.

  4. On the Definition tab provide details about this definition.

    • Provider type: Select the provider type from the drop-down.

      At this point the list of details differs based on the provider type. The details required for the two CyberArk provider types are shown in the following screenshots.

      [Screenshot: details required for CyberArk Central Credential Provider]

      [Screenshot: details required for CyberArk Dynamic Access Provider]

When finished entering all the information, select OK. This provider definition is now available when creating an external credential.

Defining a credential

After a credential is created, no one can view the password for the credential’s account. This means one person can define a credential and enter the password, and other people can use the credential (and its account) without needing to know the password.

  1. Navigate to DevOps Essentials Credential Management and select Credential from the left-hand menu.

  2. Select New in the upper right corner. The New Credential dialog displays.

  3. Enter the following:

    • Name: User-defined name of this credential. You use this name to reference the credential within CloudBees CD/RO, for example when attaching it to a step.

    • Project: The CloudBees CD/RO project under which this credential is created.

    • Description: (optional) Comment text describing this credential. This is not used internally by CloudBees CD/RO.

    • User name: The account name that this credential logs in as.

  4. Select Credential provider type and enter:

    • For internally-managed credentials, enter the password for this credential.

    • For externally-managed credentials, enter the following:

      For external credentials, you are registering a credential you have previously defined with your credential provider.
      • Credential provider project: The project under which the provider definition resides.

      • Credential provider: The name of the previously created provider definition.

      • Secret path: The path to the folder where the password is stored.
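The same definition of an internally-managed stored credential, and its use from a step, as an added example using ectool (the CloudBees CD/RO command-line client) instead of the UI. This script is not from the CloudBees documentation. It assumes ectool is installed and already logged in to the server; the project, procedure, step and credential names, the `deployer` account, the `DB_PASSWORD` environment variable and the psql command inside the step are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CloudBees CD/RO documentation): define an
# internally-managed stored credential with ectool and attach it to the one
# step that needs it. Assumes ectool is installed and logged in, that a
# project named "Payments" exists, and that the password to store is in
# DB_PASSWORD. All names below are constructed for this example.

PROJECT="Payments"
CRED="db-deploy"
PROC="deploy-db"
STEP="migrate"

# Render a secret for logging as asterisks of the same length. A step that
# retrieves a password with getFullCredential should never echo the value
# itself into the job log; log this form, or nothing.
mask_secret() {
  printf '%s' "$1" | sed 's/./*/g'
}

# Server calls run only when ectool is on PATH, so the file can also be
# sourced just for mask_secret.
if command -v ectool >/dev/null 2>&1; then
  : "${DB_PASSWORD:?set DB_PASSWORD to the password to store}"

  # 1. Create the stored credential. The password is sent once, here, and is
  #    kept encrypted in the server database.
  ectool createCredential "$PROJECT" "$CRED" deployer "$DB_PASSWORD"

  # 2. getCredential returns metadata only (user name, description, owner);
  #    the password is not part of the response. This is the "no one can
  #    view the password" property described above.
  ectool getCredential "$PROJECT" "$CRED"

  # 3. Create the step that needs the password and attach the credential to
  #    it. getFullCredential works only inside a running job step, and only
  #    for credentials attached to that step, so the password is released at
  #    run time to this step and to nothing else. The psql command is an
  #    assumed consumer; the point is that the value goes into the tool's
  #    environment, not into the log.
  ectool createProcedure "$PROJECT" "$PROC"
  ectool createStep "$PROJECT" "$PROC" "$STEP" \
    --command 'PGPASSWORD=$(ectool getFullCredential db-deploy --value password) psql -h db.internal -U deployer -c "select 1"'
  ectool attachCredential "$PROJECT" "$CRED" \
    --procedureName "$PROC" --stepName "$STEP"

  # 4. The person who ran this script never needs the password again; if it
  #    has to be mentioned at all, mention only the masked form.
  echo "stored credential $CRED for user deployer (password $(mask_secret "$DB_PASSWORD"))"
fi
```

The separation is the security-relevant part: `createCredential` is the only call that carries the password, `getCredential` never returns it, and `getFullCredential` succeeds only from a step the credential is attached to. Anyone who can edit that step's command can still exfiltrate the password at run time, so attach credentials to the narrowest set of steps and restrict who may modify those procedures.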

Alternate process

Credential and credential provider management is also available from the automation platform UI and the CloudBees CD/RO project list.

  • Automation platform:

    1. Click the Projects tab.

    2. Select a project (first column) to see the Project Details page.

    3. Select the Credential Provider tab, and then click Create Credential Provider.

    4. Select the Credential tab, and then click Create Credential.

      • Provide details as described in Defining a credential.

        Click the Help link on the New Credential page if you need more information about what to enter in the fields.

  • Projects list (supports creating credentials only):

    1. Navigate to DevOps Essentials Projects list.

    2. From the Projects list, click the Actions selector for the desired project and select Details. The Project edit dialog appears.

    3. Click the Manage Credentials right arrow button. The Credentials dialog appears.

    4. Click Add and the Credential dialog appears. Enter data into the fields as described in Defining a credential.

    5. Click OK to save the credential.