Credentials Binding Plugin - Not running on the Jenkins controller JVM

Hi all,

I have a pipeline stage below that runs in Kubernetes (not on a jenkins manager node, but on a k8s worker).

        script {
          withVault([configuration: configuration, vaultSecrets: secrets]) {
            sshagent(credentials: ['our-jenkins-git-ssh-key']) {
              /* We push tags and stuff Via Jenkins, dont want to infinitely push */
              def committer        = githubHandler.getCommitAuthor()
              def committer_email  = githubHandler.getCommitEmail()
              env.END_EARLY = (
                committer == "Jenkins" ||
                committer_email == ""
              if (env.BRANCH_NAME == env.MASTER_BRANCH) {
                env.VERSION = sh(
                  returnStdout: true
          println("Setting version specifier for published artifacts to ${env.VERSION}")

As of credentials plugin 6.26, this did work. However, we updated to 6.36, and all of our pipelines are seeing issues similar to the below:

java.lang.IllegalStateException: Not running on the Jenkins controller JVM
	at jenkins.util.JenkinsJVM.checkJenkinsJVM(
	at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns.getAggregateSecretPattern(
	at com.datapipe.jenkins.vault.log.MaskingConsoleLogFilter.lambda$decorateLogger$0(
	at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns$MaskingOutputStream.eol(
	at hudson.console.LineTransformationOutputStream.eol(
	at hudson.console.LineTransformationOutputStream.write(
	at hudson.console.LineTransformationOutputStream.write(
	at java.base/
	at java.base/sun.nio.cs.StreamEncoder.writeBytes(
	at java.base/sun.nio.cs.StreamEncoder.implFlushBuffer(
	at java.base/sun.nio.cs.StreamEncoder.flushBuffer(
	at java.base/
	at java.base/
	at java.base/

I’ve seen some feedback about running these steps on the manager node, but that doesn’t really work for our use case. Has anyone come across this and found a good configuration or work around?

We can also remove the corresponding line in the plugin, and build the hpi… but again that doesnt sound awesome.

This relates to this PR - [SECURITY-3075] `getAggregateSecretPattern` to fail when run inside agent JVM by jglick · Pull Request #260 · jenkinsci/credentials-binding-plugin · GitHub

Make sure you have updated your plugins: Release 361.v44fea_4fc08d9 · jenkinsci/hashicorp-vault-plugin · GitHub

Thank you, @jglick ! I’ll give that a try. Cheers!