Configuring a Jenkins Pipeline for Fetching Secrets
This topic explains how to configure a dedicated pipeline in Jenkins to fetch secrets from Secret Server. Configuring a dedicated pipeline in Jenkins for fetching secrets involves the following tasks:
- Create a credential in Jenkins to store the username and password of the Secret Server application account. The Delinea Secret Server Plugin uses the username and password of the Secret Server application account to connect to your Secret Server instance. For information about creating a credential in Jenkins, see Creating a Credential for the Secret Server Application Account in Jenkins.
- Create a pipeline. In the pipeline configuration, you must specify the secret that you want to access in Secret Server and the secret fields whose values you want to retrieve into Jenkins. Find the instructions on creating a pipeline in the following section.
Creating a Pipeline
In the pipeline configuration, you must define environment variables for the secret fields whose values you want to fetch. For example, if you want to fetch the values of the username and password fields from the secret, define an environment variable for each field. When you run the pipeline, the build script will reference the environment variables and retrieve the values of the specified fields from the secret in Secret Server.
To create a Jenkins pipeline:
1. Log in to Jenkins.
2. From the Jenkins Dashboard, select New Item.
3. On the New Item page, enter a name for the pipeline, select Freestyle project as the pipeline project type, and select OK.
4. In the side pane of the pipeline configuration page, select Build Environment.
5. In the Build Environment section, select Use Delinea Secret Server Secrets and provide the following settings:
   - Secret ID: The ID of the secret that you want to fetch through the pipeline.
   - Environment Variable: Define an environment variable for each field in the secret that you want to fetch by following the steps below. For examples of environment variables, see the image below.
     a. In the Environment Variable box, enter an environment variable name (for example, username) for a secret field, as shown in the image under step 6.
     b. In the Field box below, enter the slug name associated with the secret field.
        A field slug name in Secret Server is a unique human-readable identifier for a data field in a secret template. Field slug names are used for integrating with third-party applications via API calls. You can look up the slug name of a secret field on the Fields tab of the secret template page. For more information about field slug names, see Field Slug Names in the Secret Server documentation.
     c. Repeat steps a–b to define an environment variable (for example, password) for another secret field.
     d. To define an environment variable for an additional secret field, select another item Mapping and repeat steps a–b.
   - Credential: Select the username and password of the Secret Server application account from the credential that you created in Jenkins.
     If you haven't created a credential for the Secret Server application account yet, you can create one from the Build Environment section. In the Credential list, select none; under the Credential list, select Add and then Jenkins; and in the Add Credentials dialog, provide the details for the credential. For more information, see Creating a Credential for the Secret Server Application Account in Jenkins.
   - Base URL: Provide the URL of your Secret Server instance.
6. In the Build Steps section, provide the PowerShell script that references the environment variables for the secret fields. To reference the environment variables in the script, put a TSS_ prefix before the environment variable name, as shown in the example below.
7. Select Save to save the pipeline project.
The pipeline project view page opens. From this page, you can run the pipeline to have Jenkins automatically fetch the specified secret field values from Secret Server and use them in your Jenkins builds. For more information about running the pipeline, see Verification.
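A build-step script for step 6, written here as an added example and not taken from the Delinea documentation or plugin. It assumes the mappings above used the environment variable names username and password, so the values arrive as TSS_username and TSS_password; Get-TssValue is a hypothetical helper name.

```powershell
# Added example for the Build Steps PowerShell script.
# Assumption: the Environment Variable mappings are named 'username' and
# 'password', so the build sees them with the TSS_ prefix.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-TssValue {
    # Hypothetical helper: read one fetched secret field by its mapping name.
    param([Parameter(Mandatory)][string]$Name)

    $value = [Environment]::GetEnvironmentVariable("TSS_$Name")
    if ([string]::IsNullOrEmpty($value)) {
        # Stop the script rather than continue with an empty credential.
        throw "TSS_$Name is not set; check the Secret ID, the field slug name and the mapping."
    }
    return $value
}

$user = Get-TssValue -Name 'username'

# Wrap the password in a SecureString right away so later code handles a
# PSCredential object instead of a plaintext string.
$securePassword = ConvertTo-SecureString (Get-TssValue -Name 'password') -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($user, $securePassword)

# Remove the plaintext copy from this process's environment so that programs
# started later in this script do not inherit it.
Remove-Item Env:\TSS_password

# Write only a non-sensitive status line to the build console; never echo
# the secret values themselves.
Write-Output 'Secret fields loaded from TSS_ environment variables.'

# From here on, pass $credential to cmdlets that accept a -Credential parameter.
```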