Issue
After upgrading CloudBees CI to version 2.528.x, the Credentials action is no longer visible in the job-level sidebar on managed controllers and client controllers. Attempting to access credentials at the job item level results in the following error:
Access Denied <username> is missing the Credentials/View
Credentials remain accessible at the Project or Global scope but are not visible when navigating to an individual job item.
Environment
-
CloudBees CI on modern cloud platforms - managed controller version 2.528.x
-
CloudBees CI on traditional platforms - client controller version 2.528.x
-
Credentials Plugin versions prior to 1453.v9b_a_29777a_b_fd
Cause
The Credentials Plugin distinguishes between consuming credentials and managing them. Under the standard security model, credentials are managed at the System or Folder level; individual jobs utilize credentials but do not have a management context of their own. As a result, the Credentials action is not exposed in the job-level sidebar by default.
This UI inconsistency was introduced in a plugin update bundled with the CloudBees CI 2.528.x upgrade and has been addressed in Credentials Plugin version 1453.v9b_a_29777a_b_fd.
Resolution
The Credentials Plugin version is managed by the CloudBees Assurance Program (CAP), so a direct plugin update through the Plugin Manager is not available. Choose one of the following options:
Option 1 – Upgrade CloudBees CI:
Upgrade to a CloudBees CI release 2.541.1.35570 or newer that bundle Credentials Plugin version newer than 1453.v9b_a_29777a_b_fd.
Option 2 – Use a Beekeeper Plugin Exception:
Beekeeper plugin exceptions allow you to override the CAP-managed version of a plugin by defining the exception in a plugin catalog file. Refer to Add Beekeeper plugin exceptions for prerequisites and important considerations before proceeding.
-
Create or update a plugin catalog file (for example,
plugin-catalog.json) to include abeekeeperExceptionsentry for the Credentials Plugin:{ "type": "plugin-catalog", "version": "1", "name": "credentials-exception", "displayName": "Credentials Exception", "configurations": [ { "description": "Credentials plugin Beekeeper exception", "beekeeperExceptions": { "credentials": { "version": "1453.v9b_a_29777a_b_fd" } } } ] } -
Install the plugin catalog on the operations center. Refer to Add a plugin catalog.
-
From the operations center, select the arrow next to the target controller and select Configure.
-
Under Plugin Catalog, select Allow exceptions.
-
Select Specify a plugin catalog for this controller.
-
In Catalog, select the plugin catalog created in step 1.
-
Select Check Validity and confirm that "The catalog is compatible with the controller" is returned.
-
Select Save.
| Beekeeper plugin exceptions bypass CAP verification. Plugins may not work together as expected, and you do not receive full CloudBees support for unverified configurations. Return to the CAP-approved version as soon as you can upgrade CloudBees CI. |
References
| If the Conjur Secrets Plugin is installed on the controller, the Credentials action continues to appear in the job-level sidebar as a side effect of that plugin’s sidebar contribution, regardless of the Credentials Plugin version installed. This is specific to the Conjur Secrets Plugin and does not represent a fix for the underlying issue. |