Issue
I am using CyberArk PAM to fetch secrets from a safe and use them in a pipeline. When changing the username and password in the safe, the new password is reflected in Jenkins pipeline but the old username is fetched.
Context
The cloudbees-cyberark-credentials plugin caches the username. Moreover, the cache retention period for the username can be customized, but it cannot be less than 1 minute.
In the Advanced section of the credentials provider configuration for CyberArk, we see:
-
To adjust the retention for "other details" cache (it cannot be less that 1 minute).
-
To indicate if the password should also be cached.
In CloudBees CI versions before 2.516.1.28662 there was a bug that would make this Cyberark credentials cache expiration for the username not effective.
Resolution
-
For CloudBees CI versions earlier than 2.516.1.28662, the solution is to upgrade to 2.516.1.28662 or later to get the fix.
-
For CloudBees CI versions 2.516.1.28662 and later, review your cache expiration configuration and set it to 1 minute.
Workaround
In case you need to refresh immediately one or more CyberArk PAM cache entries you can use the following scripts:
-
to invalidate a single cache entry:
// Configuration def vault = 'Jenkins'; def folder = 'Root'; def objectId = 'my_user'; // Invalidate a single entry import com.cloudbees.jenkins.plugins.cyberark.credentials.CyberArkGlobalConfiguration; def cyberArk = CyberArkGlobalConfiguration.getInstance(); if(cyberArk == null) { println 'No CyberArk configuration found' return } println 'Invalidate cache entry' cyberArk.clearCached(cyberArk.appId, vault, folder, objectId);
-
to invalidate all cache entries:
import com.cloudbees.jenkins.plugins.cyberark.credentials.CyberArkGlobalConfiguration; def cyberArk = CyberArkGlobalConfiguration.getInstance(); if(cyberArk == null) { println 'No CyberArk configuration found' return } // Invalidate all entries println 'Invalidate all entries' cyberArk.cache.invalidateAll();