itsecureadmin.com

Jenkins: Migrating credentials…

by

Josh
in

Thanks to CloudBees for providing a great guide on how to migrate Jenkins credentials – makes it dead simple.

1. Stop Jenkins on new server.

new-server # /etc/init.d/jenkins stop

2. Remove the identity.key.enc file on new server:

new-server # rm identity.key.enc

3. Copy secret* and credentials.xml to new server.

current-server # cd /var/lib/jenkins
current-server # tar czvf /tmp/credentials.tgz secret* credentials.xml
current-server # scp credentials.tgz $user@$new-server:/tmp/

new-server # cd /var/lib/jenkins
new-server # tar xzvf /tmp/credentials.tgz -C ./

4. Start Jenkins.

new-server # /etc/init.d/jenkins start

RE: https://support.cloudbees.com/hc/en-us/articles/115001634268-How-to-migrate-credentials-to-a-new-Jenkins-instance-

Comments

12 responses to “Jenkins: Migrating credentials…”

  1. Eric Avatar
    Eric

    Just an FYI that you might also need to confirm file ownership and privileges after you copy in the files from the old server. If permissions are incorrect, the credentials file doesn’t get loaded.

  2. Traiano Avatar
    Traiano

    How do we migrate from an old Jenkins server to an already in-use Jenkins server? Will deleting the “identity.key.enc” not result in existing credentials in the “new” Jenkins server becoming inaccessible ?

  3. Josh Avatar
    Josh

    Hi Traiano,

    I wouldn’t follow this procedure for that scenario. I’d prefer to switch to deploying credentials with a configuration management solution, and I use puppet, so I’d add the credentials to an eyaml file (encrypted yaml), and then deploy using groovy scripts that I’d push to the server, and then call using curl within an exec line.

    Thanks,
    Josh

  4. Diego Nunez Silva Avatar
    Diego Nunez Silva

    Worked nicely! Thanks for sharing!

  5. Bilal Baqar Avatar
    Bilal Baqar

    Regarding deploying credentials via configuration management. Does that mean you are writing credentials.xml via puppet?

  6. Josh Avatar
    Josh

    Hi Bilal,

    I add new credentials using puppet by deploying script files to get parameters from AWS system manager parameter store for credentials (using bash or ruby) and make available to puppet as facts. I then deploy groovy scripts to check and add these credentials to Jenkins, if they do not exist. This makes it so that I don’t have to restart Jenkins after running puppet – that would be an anti-pattern.

    I’ve worked with teams who have required a Jenkins restart on running configuration management and it’s a painful way to work. Don’t do it!

    Thanks,
    Josh

  7. Anil Kiran Avatar
    Anil Kiran

    Hi Josh,

    I have 3-4 jenkins instances which have their set of separate credentials in it. I wanted to use all of the available credentials across the jenkins machines.
    How can I achieve this?
    Should I use any valut or secret management tool which will store all the creds in one place and use that tool with the jenkins machines to retrieve the available creds?
    All I want to do is club the available creds in one place and retrieve them from jenkins machine

    Thanks,
    Anil

  8. Josh Avatar
    Josh

    Hi Anil,

    I would use encrypted yaml (eyaml) with puppet that would allow me to store the credentials in a git repository (encrypted) and deploy them to each Jenkins instance using a groovy script.

    Here is a very recent article by CloudBees that explains part of the process using the REST API to update credentials:
    https://support.cloudbees.com/hc/en-us/articles/360030526992-How-to-manage-Credentials-via-the-REST-API

    Here is the API reference to managing credentials using the REST API:
    https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc#rest-api

    Thanks,
    Josh

  9. Copy jenkins credentials from another server – DevOPs Diary

    […] Reference […]

  10. Doug Avatar
    Doug

    Seems as though there in no longer a credentials.xml. What would be the process in newer systems?

    com.cloudbees.hudson.plugins.folder.config.AbstractFolderConfiguration.xml jobs
    config.xml logs
    hudson.model.UpdateCenter.xml nodeMonitors.xml
    hudson.plugins.emailext.ExtendedEmailPublisher.xml nodes
    hudson.plugins.git.GitTool.xml org.jenkinsci.plugins.workflow.flow.FlowExecutionList.xml
    hudson.tasks.Ant.xml plugins
    hudson.tasks.Maven.xml queue.xml.bak
    identity.key.enc secret.key
    jenkins.install.InstallUtil.lastExecVersion secret.key.not-so-secret
    jenkins.install.UpgradeWizard.state secrets
    jenkins.model.JenkinsLocationConfiguration.xml updates
    jenkins.mvn.GlobalMavenConfig.xml userContent
    jenkins.security.QueueItemAuthenticatorConfiguration.xml users
    jenkins.security.UpdateSiteWarningsConfiguration.xml war
    jenkins.security.apitoken.ApiTokenPropertyConfiguration.xml workflow-libs
    jenkins.telemetry.Correlator.xml workspace

  11. Josh Avatar
    Josh

    Hi Doug,

    Take a look at the users directory in that location where you pasted the file listing from. You should see a directory for each user, as well as a config.xml inside that directory with user details located there. The users.xml is an index of current users.

    I created an admin user on install and I see the following:

    jenkins@122e2de7e259:~$ ls -lah users
total 16K
drwxr-xr-x  3 jenkins jenkins 4.0K Jun 29 22:32 .
drwxr-xr-x 15 jenkins jenkins 4.0K Jun 29 22:32 ..
drwx------  2 jenkins jenkins 4.0K Jun 29 22:32 admin_11383069947132392194
-rw-r--r--  1 jenkins jenkins  301 Jun 29 22:32 users.xml
jenkins@122e2de7e259:~$ ls -lah users/admin_11383069947132392194/
total 12K
drwx------ 2 jenkins jenkins 4.0K Jun 29 22:32 .
drwxr-xr-x 3 jenkins jenkins 4.0K Jun 29 22:32 ..
-rw-r--r-- 1 jenkins jenkins 2.2K Jun 29 22:32 config.xml

    I’d try copying those files over first. Let me know if it works.

    Thanks,
    Josh

  12. Ciup Avatar
    Ciup

    Worked for me. Thanks man! Of course my Jenkins servers are on Windows but the steps are alike.

Leave a Reply

Your email address will not be published. Required fields are marked *