Configuring the Credential Resolver
With Secret Server-Jenkins Integration, you can directly access and reference secrets in Secret Server. The integration uses the Delinea Secret Server Plugin in Jenkins to retrieve secrets from Secret Server and store them in the Jenkins global credentials store or in a folder in Jenkins.
Configuring a credential resolver in Jenkins involves the following tasks:

- Create a credential in Jenkins to store the username and password of the Secret Server application account. The Delinea Secret Server Plugin uses the username and password of the Secret Server application account to connect to your Secret Server instance. For information about creating a credential in Jenkins, see Creating a Credential for the Secret Server Application Account in Jenkins.
- Create a credential resolver configuration in Jenkins. Find the instructions on creating a credential resolver configuration in the following section.
Creating a Credential Resolver Configuration
If you want to use a credential resolver in Jenkins to directly access and store secrets fetched from Secret Server, you must create a credential of the Secret Server Vault type in Jenkins. The Secret Server vault credential provides the credential resolver configuration needed to access a secret in Secret Server, including the URL of Secret Server, the username and password of the application account in Secret Server, and the secret ID.
By using the credential resolver configuration, the Delinea Secret Server Plugin accesses the specified secret in Secret Server and retrieves the values of the specified secret fields (for example, username and password) into the corresponding fields in the credential resolver.
The Delinea Secret Server Plugin fetches only two fields from a secret: the username and password fields, or their equivalents (for example, client ID and client secret) in a secret that uses a custom secret template. Other fields of the secret are not retrieved into Jenkins.
To create the credential resolver configuration:

1. Log in to Jenkins.

2. From the Jenkins Dashboard, navigate to Manage Jenkins > Credentials > System > Global credentials.

   Creating the credential resolver configuration in this path stores the credentials fetched from a secret in Secret Server in the Jenkins global credentials store, which is accessible to all Jenkins users. To restrict access to the fetched credentials, store them in a specific folder in Jenkins and give only selected users access to that folder. For more information, see Configuring Folder-Specific Credentials.

3. In the upper-right corner of the Global credentials page, select Add Credentials.

4. In the Kind drop-down list, select Secret Server Vault Credentials.

5. Enter the following details:

   - Scope: Select Global or System. For a description of these Scope options, see the Jenkins documentation.
   - (Optional) ID: Enter a unique ID for the credential. If you leave this box blank, Jenkins assigns a globally unique identifier (GUID) as the credential ID. Pipelines and jobs refer to the credential by this ID, so a descriptive value is easier to work with than a generated one.
   - Username: Leave this box blank. The Delinea Secret Server Plugin fetches the value of the username field from the secret into this box.
   - Username Slug: Provide the slug name of the username field of the secret you want to retrieve from Secret Server.

     A field slug name in Secret Server is a unique, human-readable identifier for a data field in a secret template. Field slug names are used when integrating with third-party applications through API calls. You can look up the slug name of a secret field on the Fields tab of the secret template page. For more information about field slug names, see Field Slug Names in the Secret Server documentation.

     Username Slug must point to the secret field that holds the username or its equivalent. For example, if the secret uses a custom secret template with Client ID and Client Secret fields, provide the slug name of the Client ID field in Username Slug.
   - Password: Leave this box blank. The Delinea Secret Server Plugin fetches the value of the password field from the secret into this box.
   - Password Slug: Provide the slug name of the password field of the secret you want to retrieve from Secret Server.

     Password Slug must point to the secret field that holds the password or its equivalent. In the Client ID and Client Secret example above, provide the slug name of the Client Secret field in Password Slug.
   - Secret Server URL: Specify the URL of your Secret Server instance. Use the HTTPS URL; the plugin authenticates to this endpoint with the application account credentials and retrieves the secret values from it.
   - Secret ID: Provide the ID of the secret to fetch.
   - Secret Server Application Account: Select the credential that you created in Jenkins for the username and password of the Secret Server application account.

6. To validate the configuration and test the connection to Secret Server, select Test Connection.

   If the connection is successful, a Connection successful message appears. Otherwise, an error message is displayed.

7. To fetch the secret from Secret Server after a successful connection test, select Create.

   The values of the specified secret fields are fetched from the secret into the Username and Password boxes respectively.

The fetched credentials are now stored in the credential resolver. Wherever Jenkins requires a credential of the type Username with password, you can reference them by the fetched username (the password is shown as asterisks).
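The following Jenkinsfile is an added example of consuming the resolver from a pipeline; it is not part of the Delinea documentation or the plugin's own code. It assumes a Secret Server Vault credential created with the ID `secret-server-db-account` in step 5, a target host `db.example.internal` (both hypothetical), and the Credentials Binding plugin, whose `withCredentials`/`usernamePassword` step accepts any Jenkins credential of the Username with password type, which is how the resolver exposes the fetched values.

```groovy
// Jenkinsfile (declarative pipeline). Added example, not from the Delinea documentation.
// Assumptions: the resolver credential ID 'secret-server-db-account' (set in the ID box
// in step 5) and the database host are hypothetical; the Credentials Binding plugin is
// installed (it is part of the recommended Jenkins plugin set).
pipeline {
    agent any

    stages {
        stage('Use Secret Server credential') {
            steps {
                // The resolver holds the fetched username/password, so it binds with the
                // standard usernamePassword() binding like any Username with password credential.
                withCredentials([usernamePassword(
                        credentialsId: 'secret-server-db-account',  // assumed ID from step 5
                        usernameVariable: 'DB_USER',
                        passwordVariable: 'DB_PASS')]) {

                    // Single-quoted Groovy string: the shell expands $DB_USER and $DB_PASS at
                    // run time, and Jenkins masks the bound values in the console log.
                    // 'set +x' stops the shell from echoing the command line as well.
                    sh '''
                        set +x
                        psql "host=db.example.internal user=$DB_USER password=$DB_PASS dbname=app" \
                             -c 'select 1'
                    '''

                    // Avoid this form: a double-quoted Groovy string interpolates the secret
                    // into the command text before the shell runs it, so the password can end
                    // up in the build log and in process listings on the agent.
                    // sh "psql 'host=db.example.internal user=${DB_USER} password=${DB_PASS}'"
                }
            }
        }
    }
}
```

The distinction between the single-quoted and double-quoted `sh` strings is the practical point: masking only protects values that reach the log through the bound environment variables, not values Groovy has already pasted into the script text.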