Passing credential into Powershell - interpolation challenges

I am trying to send a credential into the Run-ScriptBlockImpersonated command below. I am new to Jenkins (Version 2.492.2 on Windows) and cannot seem to get the password in as a variable. Any glaring errors here?

pipeline {
    agent any
    stages {
        stage('Cred Test') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'CREDNAME', passwordVariable: 'impersonation_userpw', usernameVariable: 'impersonation_username')]) {
                    // Triple single quotes: Groovy does not interpolate, so $env:... reaches PowerShell untouched
                    echo pwsh(returnStdout: true, script: '''
                        . $PROFILE
                        $pw = $env:impersonation_userpw
                        Write-Host $pw.Length
                        Write-Host $env:impersonation_userpw.Length
                        Write-Host "Run-ScriptBlockImpersonated -Username $env:impersonation_username -Password $($env:impersonation_userpw) -LogonType 4"
                    ''')
                }
            }
        }
    }
}

I’ve tried some other variations. From everything I see, my environment/shell variable (at the process level) is being set to “*** Not Valid For Display ***”, so no matter how I access it from within the script, the actual value isn’t available.

pipeline {
    agent any
    stages {
        stage('Cred Test') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'xxxx', passwordVariable: 'impersonation_userpw', usernameVariable: 'impersonation_username')]) {
                    pwsh(returnStdout: true, script: '''
                        # . $PROFILE
                        $pw = \$env:impersonation_userpw
                        Write-Warning "# $pw"

                        # Dump every environment variable, truncated to its first 10 characters
                        Write-Host $(Get-ChildItem Env: | %{
                            $len = [Math]::Min(10,$_.Value.Length)
                            "{0}`t{1}....`r`n" -f $_.Name,$_.Value.Substring(0,$len)}
                        )
                    ''')
                }
            }
        }
    }
}

The variable dump in that build just shows:

 HUDSON_HOME	C:\data\Je....
 HUDSON_SERVER_COOKIE	015d679e37....
 HUDSON_URL	http://loc....
 impersonation_username	svc-se......
 impersonation_userpw	*** Not Va....
 JAVA_HOME	C:\Program....
 JENKINS_HOME	C:\data\Je....
 JENKINS_NODE_COOKIE	4573f16f-0....
 JENKINS_SERVER_COOKIE	durable-bf....
 JENKINS_URL	http://loc....
 JOB_BASE_NAME	Pipeline D....

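For readers hitting the same symptom, here is an added example (not code from the original posts) of a pwsh step body that consumes the two variables `withCredentials()` exposes, refuses to proceed when the password variable carries the “*** Not Valid For Display ***” placeholder instead of a real secret, and hands the secret on as a `PSCredential` rather than splicing the plaintext into a command string that is echoed to the build log. The variable names match the pipeline above; `Run-ScriptBlockImpersonated` is the poster’s own command, its parameters are not known here, and the commented call at the end is an assumption to adapt.

```powershell
# Added example, not from the original posts. Assumes the withCredentials()
# variable names impersonation_username / impersonation_userpw used above.
# Run-ScriptBlockImpersonated is the poster's command and is not defined here.

# Placeholder the variable dump shows truncated as "*** Not Va....":
# the secret store returned this string instead of the password.
$MaskedSentinel = '*** Not Valid For Display ***'

function Get-CredentialFromEnv {
    param(
        [Parameter(Mandatory)] [string] $UserVariable,
        [Parameter(Mandatory)] [string] $PasswordVariable
    )
    $user = [Environment]::GetEnvironmentVariable($UserVariable)
    $pass = [Environment]::GetEnvironmentVariable($PasswordVariable)

    if ([string]::IsNullOrEmpty($user) -or [string]::IsNullOrEmpty($pass)) {
        throw "Variables '$UserVariable'/'$PasswordVariable' are not set; is this step inside withCredentials()?"
    }
    # Fail fast instead of passing the placeholder to the impersonation call,
    # which would otherwise surface as a confusing logon failure downstream.
    if ($pass -eq $MaskedSentinel) {
        throw "'$PasswordVariable' holds the masked placeholder; the secret store did not release the password."
    }
    # Only a SecureString leaves this function; the plaintext is never written to the log.
    $secure = ConvertTo-SecureString -String $pass -AsPlainText -Force
    return [pscredential]::new($user, $secure)
}

$cred = Get-CredentialFromEnv -UserVariable 'impersonation_username' -PasswordVariable 'impersonation_userpw'

# Logging the length (as the original post does) is safe; logging the value is not,
# even though Jenkins masks it, because masking only covers exact matches.
Write-Host ("Loaded credential for {0} (password length {1})" -f $cred.UserName, $cred.GetNetworkCredential().Password.Length)

# Assumed invocation: pass the PSCredential (or $cred.Password as a SecureString)
# instead of interpolating $env:impersonation_userpw into a string.
# Run-ScriptBlockImpersonated -Credential $cred -LogonType 4 -ScriptBlock { whoami }
```

Drop this into the `script: '''...'''` argument of the `pwsh` step, inside `withCredentials([...])`, exactly as the pipelines above do; the triple single quotes keep Groovy from interpolating `$env:...`, so the lookup happens in PowerShell on the agent.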
Hmm, I tried it on Windows with the powershell step instead of pwsh and that works just fine. The string *** Not Valid For Display *** is not coming from Jenkins or any of the plugins, I think, so I don’t know what the problem might be.
Is that credential one that is coming via Thycotic, or is it a plain username/password credential in Jenkins?

It is coming from Thycotic. Are there different rules for that?

Don’t know. I found the string *** Not Valid For Display *** in the context of Thycotic, so my assumption is that you’re not allowed to use that password from Thycotic in this way.
You could check if the problem is the same when you use a freestyle project and try to use that secret there.
And then create a normal credential in Jenkins and check if this works.

Yes, this is definitely related to the Thycotic plugin. Thank you for that tip. Where had you seen this mentioned before? I’ve opened https://issues.jenkins.io/browse/JENKINS-75422 but will close it if this is open elsewhere.

Normal/Jenkins-stored username+password:
Password’s first few characters revealed if I print the variables:

 HUDSON_URL	http://loc....
 impersonation_username	netspar....
 impersonation_userpw	S%0E-fM....

Thycotic plugin password:

 HUDSON_URL	http://loc....
 impersonation_username	svc-secops....
 impersonation_userpw	*** Not Va....

https://docs.delinea.com/online-help/web-pasword-filler-3-6-x/resources/pdf/web-password-filler-3.6.x.pdf


Btw, I guess it’s not directly the plugin that sets this value, but when the plugin communicates with the Thycotic Secret Server, it gets this as the value for the password.

@mawinter69 , you are correct. I ultimately learned that Secret Server was masking the password because I had this combination of settings applied to the secret:

  • a “launcher” was configured on the secret template
  • the secret policy was set to “Hide launcher password”

Once I removed the launcher from the secret, Secret Server coughed up the password.
