Configuring a Credential Resolver
Step 1: Creating a Credential in Jenkins
You must create a credential in Jenkins to securely store the username and password of the application account or service user that you created in Secret Server or on the Delinea Platform. The Delinea Secret Server Plugin uses the Secret Server application account or the Platform service user credential to connect to your Secret Server or Platform instance.
To create a credential for the application account or Platform service user name and password:
- Log in to Jenkins.
- From the Jenkins Dashboard, navigate to Manage Jenkins > Credentials > System > Global credentials.
  Creating a credential in this path will store the Secret Server application account or Platform service username and password in the Jenkins global credentials store, which is accessible by all Jenkins users.
- In the upper-right corner of the Global credentials page, select Add Credentials.
- In the New credentials dialog, provide the following details:
  - Kind: Select Delinea Secret Server User or Platform Service Account Credentials.
  - Scope: Select Global or System.
  - Username: Enter the username.
  - Treat username as secret: Select this checkbox as needed.
  - Password: Enter the password.
  - (Optional) ID: Enter a unique ID.
  - (Optional) Description: Enter a description.
- Select Create.
Step 2: Use Case for Creating the Credential Resolver Configuration
A credential resolver retrieves two secret fields (username and password or equivalents) and stores them in a Jenkins credential. The Delinea Secret Server Platform Plugin retrieves these fields automatically.
Configuring a credential resolver in Jenkins involves the following tasks:
- Create a credential in Jenkins to store the username and password of the Secret Server application account or Platform service account.
- Create the credential resolver configuration, as described in the steps below.
To create the credential resolver configuration:
- Log in to Jenkins.
- Navigate to Manage Jenkins > Credentials > System > Global credentials.
  Creating the resolver in this path stores the fetched credentials in the global Jenkins credentials store. You may instead store it in a folder for restricted access.
- Select Add Credentials.
- Select Delinea Secret Server or Platform Vault Credentials as the Kind.
- Enter the following details:
  - Scope: Global or System.
  - ID (optional): Unique ID.
  - Username: Leave blank (auto-populated).
  - Username Slug: Slug name of the username field.
    A slug name is a human-readable identifier for a field in a secret template. It appears on the Fields tab of the secret template in Secret Server or Platform.
    If using a custom template (Client ID / Client Secret), use the Client ID slug for Username Slug.
  - Password: Leave blank (auto-populated).
  - Password Slug: Slug name of the password field.
  - Secret Server/Platform URL: URL of your instance.
  - Secret ID: ID of the secret to fetch.
  - Secret Server Application Account/Platform Service Account: Select the credential created earlier.
  - Use Delinea Proxy Settings: Optional.
    Configure:
    - Proxy Host
    - Proxy Port
    - Username (optional)
    - Password (optional)
    - No Proxy Hosts (comma-separated)
    Proxy Behavior:
    - All outbound calls use Delinea-specific proxy settings.
    - If proxy credentials exist, authentication is attempted.
    - Hosts in No Proxy list bypass the proxy.
    - If Delinea proxy isn't configured, Jenkins global proxy is used.
    - If both are set, Delinea proxy overrides.
- Select Test Connection to validate. A success message appears if configuration is correct.
- Select Create to fetch the fields into the resolver credential. These values can now be used anywhere Jenkins requires username/password credentials.
Step 3: Configuring Folder-Specific Credentials (Optional)
This topic describes how to store credentials in a specific folder in Jenkins so that only authorized users can access those credentials. The topic also describes how to give users folder-level permissions to the folder that contains the credentials. These steps involve Jenkins-specific configuration settings and are not related to the plugin itself.
You must install the Role-Based Strategy plugin in Jenkins. By using the Role-Based Strategy plugin, you can effectively manage folder-level access and permissions for credentials, ensuring secure and organized credential management.
Configuring folder-level access involves setting up appropriate folder-level roles and permissions in Jenkins and assigning those roles to users.
To configure folder-specific credentials:
- In Jenkins, create the folder where you want to store the credentials.
  Below is an example of a Credential Resolver configuration. You can also configure folder-specific credentials for use during builds.
- From the Jenkins Dashboard, navigate to the created folder and then navigate to Credentials > Folder > Global credentials.
- On the folder-specific Global credentials page, create a credential to store the Secret Server application account or Platform service user username and password or create a credential resolver configuration.
  For detailed instructions on how to create a credential resolver configuration, see Configuring a Credential Resolver (begin from step 3).
- Install the Role-Based Strategy plugin:
- Enable role-based strategy:
- Set up the folder-level roles and permissions:
  - Navigate to Manage Jenkins > Manage and Assign Roles > Manage Roles.
  - Under the Global roles section, select Add to create a new role and assign it the Overall > Read permission.
    The image below shows example roles "roleforTestUser1" and "roleforTestUser2."
  - Under the Item roles section, assign the roles at least the Create Credentials permission and other required permissions (for example, Read, Build, Configure) and specify folder patterns in the Pattern column to apply them to specific folders.
    The folder pattern must match the folder name. The image below shows the folder patterns for example "AppUser1" and "AppUser2" folders.
  - Select Save.
- Assign the roles to users or groups:
  - Navigate to Manage Jenkins > Manage and Assign Roles > Assign Roles.
  - Assign the roles to users or groups as needed.
  - Select Save to save the role assignments to users or groups.
Now only the users and groups that have these folder-level roles can access the secrets stored in the folder.
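The following Python check is an added example, not part of the Delinea documentation or either plugin. It audits the folder patterns entered in the Item roles step for scope: which items a pattern reaches outside its folder, and which of the folder's own items it misses. It assumes the Pattern column is a regular expression that must match an item's full name (folder or folder/job); every item name other than AppUser1 and AppUser2 is constructed.

```python
import re

# Constructed sample of full item names (folder or folder/job). Only the
# AppUser1 and AppUser2 folder names come from the page.
ITEMS = [
    "AppUser1", "AppUser1/deploy",
    "AppUser2", "AppUser2/deploy",
    "AppUser10", "AppUser10/deploy",   # different folder, similar name
    "Shared/AppUser1-tools",
]

def matched_items(pattern, items=ITEMS):
    """Items an item-role pattern applies to.

    Assumption: the pattern is a regular expression that has to match the
    whole full name of the item, hence fullmatch().
    """
    rx = re.compile(pattern)
    return [name for name in items if rx.fullmatch(name)]

def in_folder(name, folder):
    """True for the folder itself and for anything stored inside it."""
    return name == folder or name.startswith(folder + "/")

def audit(roles, items=ITEMS):
    """roles: role name -> (pattern, intended folder).

    Returns, per role with a problem, the items matched outside the folder
    ("extra") and the folder's own items the pattern fails to match ("missing").
    """
    findings = {}
    for role, (pattern, folder) in roles.items():
        hit = matched_items(pattern, items)
        extra = [n for n in hit if not in_folder(n, folder)]
        missing = [n for n in items if in_folder(n, folder) and n not in hit]
        if extra or missing:
            findings[role] = {"extra": extra, "missing": missing}
    return findings

if __name__ == "__main__":
    roles = {
        "roleforTestUser1": ("AppUser1.*", "AppUser1"),       # over-broad
        "roleforTestUser2": ("AppUser2(/.*)?", "AppUser2"),   # folder + contents
    }
    for role, result in audit(roles).items():
        print(role, result)
```

Replace ITEMS with the item names from your own instance and review any role that reports "extra" entries before saving it.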