The following plugin provides functionality available through
Pipeline-compatible steps. Read more about how to integrate steps into your
Pipeline in the
Steps
section of the
Pipeline Syntax
page.
The path of the secret in the vault server as described here.
Type:String
secretValues
secretValues
Array / List of Nested Object
vaultKey
vaultKey
The vault key whose value will populate the environment variable.
Type:String
envVar
envVar (optional)
The environment variable to set with the value of the vault key.
If field is left empty. The value from vault key will be used for environment variable.
Type:String
isRequired
isRequired (optional)
A toggle to determine if the given Vault secret value must be present in your secret
If checked, the value is required; the plugin will throw an error if the value is not found in the secret.
Type:boolean
engineVersion
engineVersion (optional)
The vault K/V engine version. Currently supports versions 1 or 2. (Only applicable when using vaults Key/Value secrets engine. See here)
If set to default it will use what is configured on folder or global configuration.
Type:int
configuration (optional)
Nested Object
engineVersion
engineVersion (optional)
The vault K/V engine version. Currently supports versions 1 or 2. (Only applicable when using vaults Key/Value secrets engine. See here)
If set to default it will use what is configured on folder or global configuration.
Type:int
failIfNotFound
failIfNotFound (optional)
Type:boolean
prefixPath
prefixPath (optional)
Type:String
skipSslVerification
skipSslVerification (optional)
Type:boolean
timeout
timeout (optional)
Type:int
vaultCredential
vaultCredential (optional)
Nested Choice of Objects
$class: 'VaultAppRoleCredential'
$class: 'VaultAppRoleCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
roleId
Type:String
secretId
Type:class hudson.util.Secret
path
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
$class: 'VaultAwsIamCredential'
$class: 'VaultAwsIamCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
mountPath (optional)
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
role (optional)
The IAM role to authenticate with. If this is left blank, Vault will use the role in the sts:GetCallerIdentity response.
Type:String
serverId (optional)
The value to supply in the X-Vault-AWS-IAM-Server-ID header of the sts:GetCallerIdentity request. This must match the value configured in the Vault AWS IAM auth method if the header is required.
Type:String
$class: 'VaultGCPCredential'
$class: 'VaultGCPCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
role
Type:String
audience
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
$class: 'VaultGithubTokenCredential'
$class: 'VaultGithubTokenCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
accessToken
Type:class hudson.util.Secret
mountPath (optional)
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
$class: 'VaultKubernetesCredential'
$class: 'VaultKubernetesCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
role
Type:String
mountPath (optional)
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
$class: 'VaultTokenCredential'
$class: 'VaultTokenCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
token
Type:class hudson.util.Secret
$class: 'VaultTokenFileCredential'
$class: 'VaultTokenFileCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
filepath
Type:String
vaultCredentialId
vaultCredentialId (optional)
Type:String
vaultNamespace
vaultNamespace (optional)
Type:String
vaultUrl
vaultUrl (optional)
Type:String
wrap([$class: 'VaultBuildWrapper']): Vault Plugin
vaultSecrets
Array / List of Nested Object
path
path
The path of the secret in the vault server as described here.
Type:String
secretValues
secretValues
Array / List of Nested Object
vaultKey
vaultKey
The vault key whose value will populate the environment variable.
Type:String
envVar
envVar (optional)
The environment variable to set with the value of the vault key.
If field is left empty. The value from vault key will be used for environment variable.
Type:String
isRequired
isRequired (optional)
A toggle to determine if the given Vault secret value must be present in your secret
If checked, the value is required; the plugin will throw an error if the value is not found in the secret.
Type:boolean
engineVersion
engineVersion (optional)
The vault K/V engine version. Currently supports versions 1 or 2. (Only applicable when using vaults Key/Value secrets engine. See here)
If set to default it will use what is configured on folder or global configuration.
Type:int
configuration (optional)
Nested Object
engineVersion
engineVersion (optional)
The vault K/V engine version. Currently supports versions 1 or 2. (Only applicable when using vaults Key/Value secrets engine. See here)
If set to default it will use what is configured on folder or global configuration.
Type:int
failIfNotFound
failIfNotFound (optional)
Type:boolean
prefixPath
prefixPath (optional)
Type:String
skipSslVerification
skipSslVerification (optional)
Type:boolean
timeout
timeout (optional)
Type:int
vaultCredential
vaultCredential (optional)
Nested Choice of Objects
$class: 'VaultAppRoleCredential'
$class: 'VaultAppRoleCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
roleId
Type:String
secretId
Type:class hudson.util.Secret
path
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
$class: 'VaultAwsIamCredential'
$class: 'VaultAwsIamCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
mountPath (optional)
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
role (optional)
The IAM role to authenticate with. If this is left blank, Vault will use the role in the sts:GetCallerIdentity response.
Type:String
serverId (optional)
The value to supply in the X-Vault-AWS-IAM-Server-ID header of the sts:GetCallerIdentity request. This must match the value configured in the Vault AWS IAM auth method if the header is required.
Type:String
$class: 'VaultGCPCredential'
$class: 'VaultGCPCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
role
Type:String
audience
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
$class: 'VaultGithubTokenCredential'
$class: 'VaultGithubTokenCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
accessToken
Type:class hudson.util.Secret
mountPath (optional)
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
$class: 'VaultKubernetesCredential'
$class: 'VaultKubernetesCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
role
Type:String
mountPath (optional)
Type:String
namespace (optional)
The Vault Namespace the mount path is located. If the auth mount path is on the root namespace use "/", if namespace is empty the global namespace or credential namespace will be used if specified.
Note: Namespaces are a feature of Vault Enterprise.
Type:String
$class: 'VaultTokenCredential'
$class: 'VaultTokenCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.
Type:String
token
Type:class hudson.util.Secret
$class: 'VaultTokenFileCredential'
$class: 'VaultTokenFileCredential'
scope
Determines where this credential can be used.
System
This credential is only available to the object on which the credential is associated. Typically you would use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
Global
This credential is available to the object on which the credential is associated and all objects that are children of that object. Typically you would use global-scoped credentials for things that are needed by jobs.
In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations.
Values:SYSTEM, GLOBAL, USER
id
An internal unique ID by which these credentials are identified from jobs and other configuration. Normally left blank, in which case an ID will be generated, which is fine for jobs created using visual forms. Useful to specify explicitly when using credentials from scripted configuration.
Type:String
description
An optional description to help tell similar credentials apart.