Allows the retrieval of KMS-encrypted credentials from an S3 bucket using Amazon Web Services



Allows you to store a secret in S3, either encrypted with KMS or retrieved with a straight get from the bucket (you should use S3 server-side encryption, SSE, in this case).


Create a credential by going to Jenkins/credentials and adding it in the normal way. With this plugin installed, you should see an option called "AWS Bucket Credential" in the Kind dropdown.

Now enter your information in the normal way. Valid regions are given in the AWS documentation (note the casing and hyphens!).

Give just the name of the bucket you have stored your credential in; there is no need to prefix it with s3:// etc. Then provide the full object path to the credential. If you need to use a proxy to reach the S3 bucket (this may be required in some enterprise environments), check that box; if not, leave it as is. If your credential is KMS encrypted, check the box to have it KMS decrypted. If you provide a KMS encryption context, one key/value pair is supported. Again, you can use a proxy if required.

Finally, specify your proxy host and port if required.

You can use the bindings in a pipeline in the normal way, e.g.:

node {
    stage("cmd") {
        withCredentials([usernamePassword(credentialsId: 'id-2', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
            // available as an env variable, but will be masked if you try to print it out any which way;
            // single quotes make the shell, not Groovy, expand the secret
            sh 'echo $PASSWORD'
            // also available as a Groovy variable; note double quotes for string interpolation
            echo "$USERNAME"
        }
    }
}


Version 1.0.0

Version 0.2.3

If the KMS context for encryption is empty then it won't try to use it. Note I'm going to change the KMS encryption section in version 1.0; this will be a backward-incompatible release. This should fix the UI issue when viewing the credential data.

Version 0.2.2

Once installed, navigate to the credentials section and add a new AWS-Bucket-Credentials. You'll see the screen below. Bindings are also available for using the credentials in pipelines.

Known Issues:

Version 0.2.1

Version 0.2.0

Version 0.1.1

Version 0.1 


Simply define the username for these credentials. Then, to obtain the password:

  1. Define the Region ("eu-west-1" style casing)

Define how to use S3:

  1. the bucket name
  2. the object id
  3. whether you need to use a proxy to connect to the S3 bucket

Then the KMS details:

  1. the KMS secret name
  2. the (optional) extra details Name/Value pair; this has to match what was used to encrypt the password originally
  3. whether you need to use a proxy to connect to KMS

Finally, there is a section on the proxy setup (only important if you need to use a proxy in either of the steps above):

  1. Proxy host
  2. Proxy port

The password will now be obtained when "getPassword" is called.
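For that retrieval to succeed, the AWS identity the plugin authenticates as needs read access to the one object and, for a KMS-encrypted credential, decrypt access to the key. A least-privilege IAM policy for this, as an added example that is not part of the plugin's own documentation: it assumes the plugin calls s3:GetObject and kms:Decrypt, and the bucket, object path, account ID, key ID and context Name/Value are all placeholders to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyTheCredentialObject",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/EXAMPLE/PATH/TO/credential"
    },
    {
      "Sid": "DecryptOnlyWithMatchingContext",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:EXAMPLE_NAME": "EXAMPLE_VALUE"
        }
      }
    }
  ]
}
```

With the condition in place, KMS refuses decrypt calls from this identity unless the request carries the same Name/Value pair that was used at encryption time. Omit the condition block only if the credential was encrypted without an encryption context.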

These credentials can be used anywhere username/password credentials are allowed in a plugin.

Credential binding is also provided using the class AwsBucketCredentialsBinding; the username can be linked to the "usernameVariable" and the password can be linked to the "passwordVariable".