Passing credential into Powershell - interpolation challenges

hukel · March 11, 2025, 11:38pm

I am trying to send a credential into the Run-ScriptBlockImpersonated command below. I am new to Jenkins (Version 2.492.2 on Windows) and cannot seem to get the password in as a variable. Any glaring errors here?

pipeline {
    agent any
    stages {
        stage('Cred Test') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'CREDNAME', passwordVariable: 'impersonation_userpw', usernameVariable: 'impersonation_username')]) {
                    
                    echo pwsh(returnStdout: true, script: '''
                        . $PROFILE
                        $pw = $env:impersonation_userpw
                        Write-Host $PW.length
                        Write-Host $env:impersonation_userpw.length
                        Write-Host "Run-ScriptBlockImpersonated -Username $env:impersonation_username -Password $($env:impersonation_userpw) -LogonType 4"

hukel · March 12, 2025, 11:58am

I’ve tried some other variations. From everything I see, my environment/shell variable (at the process level) is being set to “*** Not Valid For Display ***”, so no matter how I access it from with the script, the actual value isn’t available.

pipeline {
    agent any
    stages {
        stage('Cred Test') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'xxxx', passwordVariable: 'impersonation_userpw', usernameVariable: 'impersonation_username')]) {
                    pwsh(returnStdout: true, script: '''
                        # . $PROFILE
                        $pw = \$env:impersonation_userpw
                        Write-Warning "# $pw"

                        Write-Host $(Get-ChildItem Env: | %{
                            $len = [Math]::Min(10,$_.Value.Length)
                            "{0}`t{1}....`r`n" -f $_.Name,$_.Value.substring(0,$len)}
                        )

The variable dump in that build just shows:

 HUDSON_HOME	C:\data\Je....
 HUDSON_SERVER_COOKIE	015d679e37....
 HUDSON_URL	http://loc....
 impersonation_username	svc-se......
 impersonation_userpw	*** Not Va....
 JAVA_HOME	C:\Program....
 JENKINS_HOME	C:\data\Je....
 JENKINS_NODE_COOKIE	4573f16f-0....
 JENKINS_SERVER_COOKIE	durable-bf....
 JENKINS_URL	http://loc....
 JOB_BASE_NAME	Pipeline D....

mawinter69 · March 12, 2025, 12:55pm

hmm I tried it on windows with powershell step instead of pwsh and that works just fine. The String *** Not Valid For Display *** is not coming from Jenkins or any of the plugins I think , so don’t know what the problem might be.
Is that credential one that is coming via thycotic or is it a plain username/password credential in Jenkins

hukel · March 12, 2025, 3:57pm

It is coming from Thycotic. Are there different rules for that?

mawinter69 · March 12, 2025, 5:28pm

Don’t know, I found the String *** Not Valid For Display *** in the context of thycotic, so my assumption is that you’re not allowed to use that password from thycotic in this way.
You could check if the problem is the same when you use a freestyle project and try to use that secret there.
And then create a normal credential in Jenkins and check if this works.

hukel · March 13, 2025, 11:24am

Yes, this is definitely related to the Thycotic plugin. Thank you for that tip. Where had you seen this mentioned before? I’ve opened https://issues.jenkins.io/browse/JENKINS-75422 but will close it if this is open elsewhere.

Normal/Jenkins-stored username+password:
Password’s first few characters revealed if I print the variables:

 HUDSON_URL	http://loc....
 impersonation_username	netspar....
 impersonation_userpw	S%0E-fM....

Thycotic plugin password:

 HUDSON_URL	http://loc....
 impersonation_username	svc-secops....
 impersonation_userpw	*** Not Va....

mawinter69 · March 13, 2025, 8:29pm

https://docs.delinea.com/online-help/web-pasword-filler-3-6-x/resources/pdf/web-password-filler-3.6.x.pdf

mawinter69 · March 13, 2025, 9:06pm

btw I guess it’s not directly the plugin that sets this value but when the plugin communicates with the thycotic secret server, it gets this as the value for the password.

hukel · March 24, 2025, 9:02pm

@mawinter69 , you are correct. I ultimately learned that Secret Server was masking the password because I had this combination of settings applied to the secret:

a “launcher” was configured on the secret template
the secret policy was set to “Hide launcher password"

Once I removed the launcher from the secret, Secret Server coughed up the password.

Topic		Replies	Views
Jenkins Credential Interpolation issue within shell script Ask a question question	1	1177	July 15, 2023
Credentials Error Ask a question question , pipeline	2	2432	April 22, 2023
Using safely Credentials in shell commands? Ask a question	3	4062	December 27, 2023
Problems with % in a credential Using Jenkins question	8	5754	February 3, 2022
In withCredentials() block get username and password variables' names Using Jenkins question	2	2657	May 10, 2024

Passing credential into Powershell - interpolation challenges

Related topics