How to make Jenkinsfile credential visible to many stages

Question

In Jenkinsfile, I want to make an ssh key visible to all stages in the pipeline.

From the official document, I learned that:

1. environment directive is used to defy environment variables for used within Jenkinsfile
2. The scope of the variables defined depends on the placement of the environment directive
3. One can set the some types of credentials insideenvironment directive with the help of the credentials helper
4. The types of credentials supported by the helper are:
   • Secret text
   • Usernames and passwords
   • Secret files

For other types of credentials, the document suggests using the snippet generator, which generates a step.

Example of an ssh key step

withCredentials([sshUserPrivateKey(credentialsId: 'jenkins_aws_to_bitbucket', keyFileVariable: 'BITBUCKET_PRV_KEY')]) {
    // some block
}

This is meant to be used in a stage like:

pipeline {
    agent {
        // define agent details
    }
    stages {
        stage('Example stage 1') {
            steps {
                withCredentials(bindings: [sshUserPrivateKey(credentialsId: 'jenkins-ssh-key-for-abc', \
                                                             keyFileVariable: 'SSH_KEY_FOR_ABC')]) {
                  // 
                }
                withCredentials(bindings: [certificate(credentialsId: 'jenkins-certificate-for-xyz', \
                                                       keystoreVariable: 'CERTIFICATE_FOR_XYZ', \
                                                       passwordVariable: 'XYZ-CERTIFICATE-PASSWORD')]) {
                  // 
                }
            }
        }
        stage('Example stage 2') {
            steps {
                // 
            }
        }
    }
}

Snippet source

Question

1. If the steps are within a stage, are these credentials visible within other stages?
2. If not, how to make these credentials global ~ visible within all stages

Answer 1

The credentials will only be visible within the block passed to withCredentials, not outside of that. So, no, your credentials will not be visible to other stages. To make your credentials visible to your entire Pipeline:

• If you are using Declarative Pipelines, you can put your credentials in an environment{} block at the top of your Pipeline, as documented in the official Jenkins handbook:

  pipeline {
      agent {
          // Your agent here
      }
      environment {
          MY_ENVIRONMENT_VARIABLE = credentials('my-credentials-id')
      }
      stages {
          // Your stages here
      }
  }
  

• If you use Scripted Pipelines, you can wrap your entire job in withCredentials. This is not possible with Declarative.

Answer 2

I set credential globally in declarative pipeline like this and then my Jenkins could talk with Google Dataflow in all stages. For example, I used a secret file (google service account).

pipeline {
    agent any
    environment {
        //Secret File ID was defined in Jenkins -> Credentials -> System -> Global credentials
        GOOGLE_APPLICATION_CREDENTIALS = credentials('mySecretFileId')

        GCP_PROJECT_NAME = 'myProject'
    }
   stages {
             stage('step 1') {
              steps {
                sh "gcloud auth activate-service-account --key-file ${env.GOOGLE_APPLICATION_CREDENTIALS}"
                sh "gcloud config set project ${env.GCP_PROJECT_NAME}"

                // access google dataflow
                sh "gcloud dataflow jobs list --status=active"
                // ....
              }
             }
             stage('stage 2') {
               steps {
                  // access google dataflow
                  sh "gcloud dataflow jobs list --status=active"
               }
             }
             //...
   }
}