AWS Bucket Credentials Plugin

Plugin Information

View Amazon S3 Bucket Credentials on the plugin site for more information.

Allows the retrieval of KMS-encrypted credentials from an S3 bucket using Amazon Web Services.

Allows you to store a secret in S3, either encrypted with KMS or fetched with a straight get from the bucket (you should use SSE in this case).


Version 0.2.2


  • KMS encryption is now optional, but remains the preferred choice. To skip KMS encryption, check the checkbox to use a raw get from S3. Use this only if you know the secret in the bucket has been encrypted using SSE.

Once installed, navigate to the credentials section and add a new AWS-Bucket-Credentials entry. You'll see the screen below. Bindings are also available for using the credentials in pipelines.

You can use the bindings in the pipeline in the normal way, e.g.:

node {
    stage("cmd") {
        withCredentials([usernamePassword(credentialsId: 'id-2', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
            // available as an env variable, but will be masked if you try to print it out any which way
            sh 'echo $PASSWORD'
            // also available as a Groovy variable (note the double quotes for string interpolation)
            echo "$USERNAME"
        }
    }
}

Known Issues:
  • Does not currently work on Jenkins slaves unless the slave has full access to master. This is because the bucket secret is obtained as late as possible.
    • If you want the slave to have access to the secret at runtime, you must explicitly allow the slave unrestricted access to master. Only do this with due diligence, as specified in the caveats surrounding slaves. You must fully trust the slave before relaxing the security measures.
  • There is an issue with the UI not displaying properly if you are getting your secret straight from S3 without using KMS and you choose to view the credential with the update functionality. It does not show that you are avoiding KMS, but shows as if you are using KMS. Functionality is not affected, but if you click save, make sure you re-check the option to avoid KMS.

Version 0.2.1

  • do not use

Version 0.2.0

  • KMS encryption is now optional. If you leave the KMS secret name null, you'll get the result straight from the S3 bucket. This is useful for server-side encryption on the S3 bucket side.

Version 0.1.1

  • Fixes an NPE, caused by serialization, when Jenkins used a credential set before a restart

Version 0.1 

  • Initial working upload


Simply define the username for these credentials. Then, to obtain the password:

  1. Define the Region ("eu-west-1" style casing)

Define how to use S3:

  1. the bucket name
  2. the object id
  3. whether you need to use a proxy to connect to the S3 bucket

Then the KMS details:

  1. the KMS secret name
  2. the (optional) extra details Name/Value pair; this has to match what was used to encrypt the password originally
  3. whether you need to use a proxy to connect to KMS

Finally, there is a section on the proxy setup (only important if you need to use a proxy in either of the steps above):

  1. Proxy host
  2. Proxy port

The password will now be obtained when "getPassword" is called.

These credentials can be used anywhere username/password credentials are allowed in a plugin.

Credential binding is also provided using the class AwsBucketCredentialsBinding; the username can be linked to the "usernameVariable" and the password can be linked to the "passwordVariable".
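
A least-privilege IAM policy for the identity Jenkins runs as, tied to the bucket, object id and KMS Name/Value pair configured above. This is an added example, not part of the plugin's documentation. It assumes the KMS-encrypted mode needs only s3:GetObject and kms:Decrypt, and every EXAMPLE-* value and the account id 111122223333 are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadTheSecretObjectOnly",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/EXAMPLE-OBJECT-ID"
    },
    {
      "Sid": "DecryptOnlyWithMatchingContext",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:EXAMPLE-NAME": "EXAMPLE-VALUE"
        }
      }
    }
  ]
}
```

The condition key pins decryption to the same Name/Value pair that was used to encrypt the password, so the key cannot be used through this identity to decrypt ciphertexts created under a different context.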