Understanding credential management


CloudBees Unify provides CloudBees actions that configure authentication credentials for workflows to access external systems like AWS, Git repositories, and container registries. Understanding how these credential actions work helps you choose the right authentication approach for your workflows and avoid common configuration issues.

How credential actions work

Credential actions configure authentication settings that other workflow steps can use automatically. When you run a credential configuration action like configure-aws-credentials, it sets up credential files and environment variables that AWS SDKs and CLI tools detect and use for subsequent API calls in the same job.

For example, the AWS credentials action "implements the AWS SDK credential resolution chain and sets configuration and credential files for other CloudBees actions." After running this action, other workflow steps that make AWS API calls automatically authenticate using these configured credentials.

Git credentials work similarly by setting up global Git configuration. The configure-git-global-credentials action "authenticates the current user" and ensures "all steps using the Git CLI in the same job authenticate with these credentials."

Credential storage and access

Credentials are stored as secrets and variables in CloudBees Unify and referenced in workflows using the secrets and vars syntax. For example: ${{ secrets.AWS_ACCESS_KEY_ID }} or ${{ vars.OCI_REGISTRY }}.

Git credentials have additional flexibility: they can authenticate using pre-configured integrations set up in CloudBees Unify for repositories, or use SSH keys provided as secrets. The Git action can authenticate to "all accessible repositories" based on "the SCM Integration and credentials, permissions configured for those credentials which is setup on CloudBees Unify for this component and its parent Organization(s)."
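A pre-merge check for the secrets syntax described above, as an added example that is not part of the CloudBees documentation: it flags credential inputs in a workflow file whose value is not a single ${{ secrets.NAME }} reference. The sample workflow, its uses: references and input names, and the sensitive-name heuristic are constructed assumptions.

```python
import re

# A value that is exactly one ${{ secrets.NAME }} reference.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
# Assumed naming heuristic for sensitive inputs, not a CloudBees-defined list.
SENSITIVE_KEY = re.compile(r"(secret|password|token|private-key|ssh-key)", re.I)
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z0-9_.-]+):\s*(.*?)\s*$")

# Constructed sample; action references and input names are assumptions.
SAMPLE = """\
steps:
  - name: Configure AWS
    uses: cloudbees-io/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: wJalrEXAMPLEKEYconstructed
      aws-session-token: ${{ vars.AWS_SESSION_TOKEN }}
  - name: Registry login
    uses: cloudbees-io/configure-oci-credentials@v1
    with:
      registry: ${{ vars.OCI_REGISTRY }}
      password: "${{ secrets.OCI_PASSWORD }}"
"""

def lint_workflow(text):
    """Return (line_no, key, reason) for sensitive inputs not bound to secrets.*."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"").strip()
        if not value or not SENSITIVE_KEY.search(key) or SECRET_REF.match(value):
            continue
        if "vars." in value:
            reason = "sensitive input read from vars instead of secrets"
        elif "${{" in value:
            reason = "expression is not a single secrets.* reference"
        else:
            reason = "literal value committed in the workflow file"
        findings.append((no, key, reason))
    return findings

if __name__ == "__main__":
    for no, key, reason in lint_workflow(SAMPLE):
        print(f"line {no}: {key}: {reason}")
```

Non-sensitive inputs such as the registry host are left alone, so ${{ vars.OCI_REGISTRY }} passes while a session token read from vars is reported.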

Available credential types

CloudBees Unify provides credential configuration actions for:

AWS credentials: Configure AWS access keys, session tokens, regions, and role assumptions. Supports both long-term IAM user credentials and temporary session credentials, with OIDC authentication as the preferred approach when possible.

Git global credentials: Set up authentication for Git repositories using either pre-configured integrations or SSH keys. Can authenticate to specific repositories, entire organizations, or all accessible repositories on a Git host.

OCI credentials: Sign in to container registries like Docker Hub using username and password authentication. Credentials merge into the Docker configuration file, allowing access to multiple registries in the same job.