Jenkins: Migrating credentials…

Thanks to CloudBees for providing a great guide on how to migrate Jenkins credentials – makes it dead simple.

1. Stop Jenkins on the new server.

new-server # /etc/init.d/jenkins stop

2. Remove the identity.key.enc file on the new server:

new-server # rm /var/lib/jenkins/identity.key.enc

3. Copy secret* and credentials.xml to the new server.

current-server # cd /var/lib/jenkins
current-server # tar czvf /tmp/credentials.tgz secret* credentials.xml
current-server # scp /tmp/credentials.tgz "$user@$new_server:/tmp/"
new-server # cd /var/lib/jenkins
new-server # tar xzvf /tmp/credentials.tgz -C ./

4. Start Jenkins.

new-server # /etc/init.d/jenkins start
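
Between steps 3 and 4 it is worth confirming that the extracted files belong to the Jenkins service account and that the tarball, which carries the secret* key material together with credentials.xml, is not left behind in /tmp. The script below is an added example, not part of the original post or the CloudBees guide; the `jenkins` account name and the `check_migrated_secrets` helper are assumptions, and flagging any access for "other" is a hardening choice rather than something Jenkins requires.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: the "jenkins"
# service account and the check_migrated_secrets helper itself.

# check_migrated_secrets HOME OWNER TARBALL
# Prints one finding per line; returns 0 = clean, 1 = findings, 2 = bad owner.
check_migrated_secrets() {
    home=$1; owner=$2; tarball=$3; rc=0

    # find(1) fails on an unknown user name, so test the account first.
    if ! id -u "$owner" >/dev/null 2>&1; then
        echo "NO-SUCH-USER $owner"
        return 2
    fi

    # Step 3 copies credentials.xml plus everything matching secret*.
    [ -f "$home/credentials.xml" ] || { echo "MISSING $home/credentials.xml"; rc=1; }
    set -- "$home"/secret*
    [ -e "$1" ] || { echo "MISSING $home/secret*"; rc=1; }

    findings=$(
        # Files extracted as root may not belong to the service account.
        find "$home/credentials.xml" "$@" ! -user "$owner" \
            -exec echo OWNER {} \; 2>/dev/null
        # Hardening choice: flag mode bits that grant any access to "other".
        find "$home/credentials.xml" "$@" \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo WORLD-ACCESS {} \; 2>/dev/null
    ) || true
    if [ -n "$findings" ]; then echo "$findings"; rc=1; fi

    # The tarball carries the secret* key material and credentials.xml together.
    if [ -e "$tarball" ]; then
        echo "LEFTOVER $tarball"
        rc=1
    fi
    return "$rc"
}

# On new-server as root, after step 3 (repeat the tarball check on current-server).
check_migrated_secrets /var/lib/jenkins jenkins /tmp/credentials.tgz ||
    echo "review the findings above"
```

Any OWNER line is fixed with chown to the service account, and a LEFTOVER line means /tmp/credentials.tgz should be deleted on that host.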

RE: https://support.cloudbees.com/hc/en-us/articles/115001634268-How-to-migrate-credentials-to-a-new-Jenkins-instance-

8 thoughts on “Jenkins: Migrating credentials…”

  1. Just an FYI that you might also need to confirm file ownership and privileges after you copy in the files from the old server. If permissions are incorrect, the credentials file doesn’t get loaded.

  2. How do we migrate from an old Jenkins server to an already in-use Jenkins server? Will deleting the “identity.key.enc” not result in existing credentials in the “new” Jenkins server becoming inaccessible?

  3. Hi Traiano,

    I wouldn’t follow this procedure for that scenario. I’d prefer to switch to deploying credentials with a configuration management solution, and I use puppet, so I’d add the credentials to an eyaml file (encrypted yaml), and then deploy using groovy scripts that I’d push to the server, and then call using curl within an exec line.

    Thanks,
    Josh

  4. Regarding deploying credentials via configuration management. Does that mean you are writing credentials.xml via puppet?

  5. Hi Bilal,

    I add new credentials using puppet by deploying script files to get parameters from AWS system manager parameter store for credentials (using bash or ruby) and make available to puppet as facts. I then deploy groovy scripts to check and add these credentials to Jenkins, if they do not exist. This makes it so that I don’t have to restart Jenkins after running puppet – that would be an anti-pattern.

    I’ve worked with teams who have required a Jenkins restart on running configuration management and it’s a painful way to work. Don’t do it!

    Thanks,
    Josh

  6. Hi Josh,

    I have 3-4 Jenkins instances which have their set of separate credentials in it. I wanted to use all of the available credentials across the Jenkins machines.
    How can I achieve this?
    Should I use any vault or secret management tool which will store all the creds in one place and use that tool with the Jenkins machines to retrieve the available creds?
    All I want to do is club the available creds in one place and retrieve them from the Jenkins machine.

    Thanks,
    Anil

  7. Hi Anil,

    I would use encrypted yaml (eyaml) with puppet that would allow me to store the credentials in a git repository (encrypted) and deploy them to each Jenkins instance using a groovy script.

    Here is a very recent article by CloudBees that explains part of the process using the REST API to update credentials:
    https://support.cloudbees.com/hc/en-us/articles/360030526992-How-to-manage-Credentials-via-the-REST-API

    Here is the API reference to managing credentials using the REST API:
    https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc#rest-api

    Thanks,
    Josh
