New value for a Cyberark PAM username is not fetched from my pipeline

Last Reviewed:2025-07-25()
2 minute readKnowledge base

Issue

I am using CyberArk PAM to fetch secrets from a safe and use them in a pipeline. When changing the username and password in the safe, the new password is reflected in Jenkins pipeline but the old username is fetched.

Context

The cloudbees-cyberark-credentials plugin caches the username. Moreover, the cache retention period for the username can be customized, but it cannot be less than 1 minute.

In the Advanced section of the credentials provider configuration for CyberArk, we see:

cyberark-config

  1. To adjust the retention for "other details" cache (it cannot be less that 1 minute).

  2. To indicate if the password should also be cached.

In CloudBees CI versions before 2.516.1.28662 there was a bug that would make this Cyberark credentials cache expiration for the username not effective.

Environment

Resolution

  • For CloudBees CI versions earlier than 2.516.1.28662, the solution is to upgrade to 2.516.1.28662 or later to get the fix.

  • For CloudBees CI versions 2.516.1.28662 and later, review your cache expiration configuration and set it to 1 minute.

Workaround

In case you need to refresh immediately one or more CyberArk PAM cache entries you can use the following scripts:

  • to invalidate a single cache entry:

// Configuration
def vault = 'Jenkins';
def folder = 'Root';
def objectId = 'my_user';

// Invalidate a single entry
import com.cloudbees.jenkins.plugins.cyberark.credentials.CyberArkGlobalConfiguration;
def cyberArk = CyberArkGlobalConfiguration.getInstance();
if(cyberArk == null) {
  println 'No CyberArk configuration found'
  return
}

println 'Invalidate cache entry'
cyberArk.clearCached(cyberArk.appId, vault, folder, objectId);

  • to invalidate all cache entries:

import com.cloudbees.jenkins.plugins.cyberark.credentials.CyberArkGlobalConfiguration;
def cyberArk = CyberArkGlobalConfiguration.getInstance();
if(cyberArk == null) {
  println 'No CyberArk configuration found'
  return
}

// Invalidate all entries
println 'Invalidate all entries'
cyberArk.cache.invalidateAll();

Tested product/plugin versions

CloudBees CI on modern cloud platforms - managed controller version 2.492.2.2 cloudbees-cyberark-credentials version 308

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.