How to view all Jenkins Secrets/Credentials


I recently worked on a project that required migrating Jenkins credentials to another credentials store. Going to each credential, viewing it and then decrypting it turned into a real chore, and I needed a way to do this all in one go.

Luckily, we can access the credentialsStore using the Jenkins script console, so:

  1. In Jenkins, go to the /script page.
  2. Run the following script:

import jenkins.model.*
import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.impl.*
import com.cloudbees.plugins.credentials.domains.*
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import org.jenkinsci.plugins.plaincredentials.StringCredentials
import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl

// Print one aligned row per credential: type, id, username, secret, description
def showRow = { credentialType, secretId, username = null, password = null, description = null ->
  println("${credentialType} : ".padLeft(20) + secretId?.padRight(38) + " | " + username?.padRight(20) + " | " + password?.padRight(40) + " | " + description)
}

// set Credentials domain name (null means it is global)
domainName = null

credentialsStore = Jenkins.instance.getExtensionList('com.cloudbees.plugins.credentials.SystemCredentialsProvider')[0]?.getStore()
domain = new Domain(domainName, null, Collections.<DomainSpecification>emptyList())

// Walk every credential in the selected domain and print it in plain text
credentialsStore?.getCredentials(domain).each {
  if (it instanceof UsernamePasswordCredentialsImpl)
    showRow("user/password", it.id, it.username, it.password?.getPlainText(), it.description)
  else if (it instanceof BasicSSHUserPrivateKey)
    showRow("ssh priv key", it.id, it.passphrase?.getPlainText(), it.privateKeySource?.getPrivateKey()?.getPlainText(), it.description)
  else if (it instanceof StringCredentials)
    showRow("secret text", it.id, it.secret?.getPlainText(), '', it.description)
  else if (it instanceof FileCredentialsImpl)
    showRow("secret file", it.id, it.content?.text, '', it.description)
  else
    showRow("something else", it.id, '', '', '')
}



Lo and behold, the contents of your credentialsStore are laid bare before your eyes. A security nightmare, but that is a talk for another day.
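Because anyone who can reach the /script page can run the script above, it is worth knowing when the console is used. The following Python is an added example, not part of the original post: it flags script console submissions in access logs, assuming a reverse proxy in front of Jenkins that writes combined-format logs; the log lines, user names and addresses are constructed.

```python
import re
from collections import Counter

# Combined-log-format line from a reverse proxy in front of Jenkins (assumed setup).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Script console endpoints: the /script page and its /scriptText API form,
# optionally behind a context path such as /jenkins.
CONSOLE_RE = re.compile(r'/script(Text)?/?$')

def console_executions(lines):
    """Return one dict per POST to a script console endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue  # GET only renders the form; POST submits Groovy to run
        path = m['path'].split('?', 1)[0]
        if CONSOLE_RE.search(path):
            hits.append({'ts': m['ts'], 'ip': m['ip'], 'user': m['user'],
                         'path': path, 'status': int(m['status'])})
    return hits

def summarize(hits):
    """Count accepted (HTTP 200) console submissions per (user, source IP)."""
    return Counter((h['user'], h['ip']) for h in hits if h['status'] == 200)

# Constructed sample lines, not real traffic. The user field is "-" for
# browser sessions; it is only filled when HTTP basic auth (API token) is used.
SAMPLE = [
    '10.0.0.5 - - [12/Mar/2024:09:14:02 +0000] "GET /script HTTP/1.1" 200 8123',
    '10.0.0.5 - - [12/Mar/2024:09:14:40 +0000] "POST /script HTTP/1.1" 200 9450',
    '10.0.0.9 - svc-migrate [12/Mar/2024:09:20:11 +0000] "POST /scriptText HTTP/1.1" 200 5120',
    '203.0.113.7 - bob [12/Mar/2024:10:01:55 +0000] "POST /jenkins/scriptText HTTP/1.1" 403 612',
    '10.0.0.9 - svc-migrate [12/Mar/2024:10:05:00 +0000] "POST /job/build-app/build HTTP/1.1" 201 0',
]

if __name__ == '__main__':
    found = console_executions(SAMPLE)
    for h in found:
        print(h['ts'], h['ip'], h['user'], h['path'], h['status'])
    print(dict(summarize(found)))
```

Rejected submissions (the 403 line) are kept in the hit list but left out of the summary, so denied attempts can be reviewed separately from scripts that actually ran.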

By Dennis Otugo

Dennis Otugo is a Consultant at Bantrain, and loves all things DevOps. In his role, he enables enterprise customers in their digital transformation journey and helps architect cloud-native solutions.