How to use with declarative pipeline?

[zkanda]

I tried using it with declarative pipeline and it giving me error.

    stage('upload') {
      environment { 
        AN_ACCESS_KEY = credentials('s3-upload-credential') 
      }

      steps {
        sh '''
          printenv
          '''
      }

No suitable binding handler could be found for type com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl. Supported types are StandardUsernamePasswordCredentials,FileCredentials,StringCredentials.

If it's not yet possible, what's the recommended workaround?

[warhod]

I have the same question too. I believe you may have to use scripted pipeline instead of declarative.
There is an example here: #11

withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: 'dev', variable: 'AWS_ACCESS_KEY_ID']]) {
               sh "echo this is ${env.AWS_ACCESS_KEY_ID}"
               sh "echo this is ${env.AWS_SECRET_ACCESS_KEY}"
       }

I wonder if you can wrap withCredentials in a script {} block to invoke it? Let me know if that works.

[farahfa]

I'm having trouble with this too, there has to be a way to use it in a declarative pipeline!

[betabandido]

I am facing the exactly the same issue. I am starting a new project, and I would certainly like to use a declarative pipeline, but not having support for AWS credentials is a problem.

[brightgarden]

I have done the following and it works:

environment {
    AWS_BIN = '/home/ec2-user/.local/bin/aws'
}
// ...
stage('deploy') {
    steps {
        withCredentials([[
            $class: 'AmazonWebServicesCredentialsBinding',
            credentialsId: 'jenkins',
            accessKeyVariable: 'AWS_ACCESS_KEY_ID',
            secretKeyVariable: 'AWS_SECRET_ACCESS_KEY'
        ]]) {
            sh 'AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} AWS_DEFAULT_REGION=us-east-1 ${AWS_BIN} ecs update-service --cluster default --service test-deploy-svc --task-definition test-deploy:2 --desired-count 0'
            sh 'sleep 1m' // SOOOO HACKY!!!
            sh 'AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} AWS_DEFAULT_REGION=us-east-1 ${AWS_BIN} ecs update-service --cluster default --service test-deploy-svc --task-definition test-deploy:2 --desired-count 1'
        }
    }
}

[robinvalk]

In addition to @brightgarden's solution I had to use double quotation marks.

sh "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} AWS_DEFAULT_REGION=us-east-1 ${AWS_BIN} ecs update-service --cluster default --service test-deploy-svc --task-definition test-deploy:2 --desired-count 0"

Otherwise the command would result in an script.sh: Bad substitution error. This may have something to do with the fact that I was using a docker container as the agent. Although this is purely guessing...

[red8888]

Is there any status on this? I don't want to have to wrap EVERY call to a script that needs aws access with withCredentials. Also, withCredentials doesn't work with my groovy classes I import that use the aws sdk because withCredentials only injects into external shell environments not the main one the pipeline runs in.

Im going to have to use two regular secret text credentials as a workaround so I have one cred for the ID and one for the access key and I do this:

            environment { 
                AWS_ACCESS_KEY_ID = credentials('ID')
                AWS_SECRET_ACCESS_KEY = credentials('ID')
            }

This is pretty gnarly, disorganized (because I'll have two creds for each aws user), and I can't use the other aws cred provider features like builtin support for assume role. wahhh

[warhod]

Here's another solution/workaround that worked for me.
In Jenkins, save your credentials as username/password pair (instead of AWS credentials)

Then you can define an environment block that maps your creds to key/secret as such:

environment {
  AWS_ID = credentials("AWS_ID")
  AWS_ACCESS_KEY_ID = "${env.AWS_ID_USR}"
  AWS_SECRET_ACCESS_KEY = "${env.AWS_ID_PSW}"
}

[ieugen]

Hi, @warhod

According to the docs [1] the variable names are a bit different. I'm adding this so we don't spread bad knowledge.

    SAUCE_ACCESS containing <username>:<password>
    SAUCE_ACCESS_USR containing the username
    SAUCE_ACCESS_PSW containing the password

I've tested and they work ok with environment block like this (@zkanda: notice environment is placed bellow pipleine not in stage):

pipeline {
  agent any

  environment {
    NEXUS_CREDENTIALS = credentials('jenkins_nexus')
    NEXUS_USER = "${env.NEXUS_CREDENTIALS_USR}"
    NEXUS_PASS = "${env.NEXUS_CREDENTIALS_PSW}"
    KUBECONFIG = credentials('kubernetes-operator_kubernetes')
  }
.  ...

[1] https://jenkins.io/doc/pipeline/tour/environment/

[warhod]

Thanks @ieugen I've updated my example

[wolstena]

Is it possible to add multiple images within a pod.

` agent {

    kubernetes {
        //cloud 'kubernetes'
        label 'aws'

        containerTemplate {
            name 'aws'
            image 'mesosphere/aws-cli:1.14.5'
            ttyEnabled true
            command 'cat'
            envVar {
                key 'AWS_DEFAULT_REGION'
                value "${aws_region}"
            }
        } // containerTemplate

        containerTemplate {
            name 'kubectl'
            image 'lachlanevenson/k8s-kubectl:v1.9.2'
            ttyEnabled true
            command 'cat'
        } // containerTemplate

    } // kubernetes
} // agent

`

I have tried the above but only the last image defined is loaded. A workaround is to define separate agents for each stage.

Cheers

[wolstena]

I solved my issue. This works for multiple containers in a pod.

` options {
timeout(time: 90, unit: 'MINUTES')
timestamps()
disableConcurrentBuilds()
buildDiscarder(logRotator(numToKeepStr:'100'))
podTemplate(label: "kube_aws", containers:[
containerTemplate (name: 'aws',image: 'mesosphere/aws-cli:1.14.5',ttyEnabled: true, command: 'cat'),
containerTemplate(name: 'kubectl', image: 'lachlanevenson/k8s-kubectl:v1.9.2', ttyEnabled: true, command: 'cat' )
])
} //options

agent none

stages {
    stage('Run AWS CLI') {

        agent {
            node {
                label 'kube_aws'
            }
        } // agent

        environment {
            AWS_DEFAULT_REGION = "${aws_region}"
        }

        steps {
            withCredentials([[
                $class: 'AmazonWebServicesCredentialsBinding',
                credentialsId: 'aws-pwolstenholme',
                accessKeyVariable: 'AWS_ACCESS_KEY_ID',
                secretKeyVariable: 'AWS_SECRET_ACCESS_KEY'
            ]]) {             
                container('aws') {
                    sh 'env | sort -u'
                    sh 'aws ec2 describe-instances'
                }
            } // withCredentials
        } // steps

    } // stage

`

[liath]

Just a heads up for any one having weird issues when using withCredentials, I had move all my other lines this steps block into the withCredentials block.

steps {
  tool name: "Node v6.10.3"
  sh 'git clean -qfxd' // Remove all untracked files from previous steps
  withCredentials(bindings: [sshUserPrivateKey(credentialsId: 'ssh-creds', \
                             keyFileVariable: 'SSH_KEY_FOR_NPM_F')]) {
    sh 'eval $(ssh-agent) && ssh-add $SSH_KEY_FOR_NPM_F && npm i && npm run ci-tests'
  }
  junit '**/tap.xml'
}

This fails with bash: /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/Node_v6.10.3/bin/npm: No such file or directory
But this works just fine:

steps {
  withCredentials(bindings: [sshUserPrivateKey(credentialsId: 'ssh-creds', \
                             keyFileVariable: 'SSH_KEY_FOR_NPM_F')]) {
    tool name: "Node v6.10.3"
    sh 'git clean -qfxd' // Remove all untracked files from previous steps
    sh 'eval $(ssh-agent) && ssh-add $SSH_KEY_FOR_NPM_F && npm i && npm run ci-tests'
    junit '**/tap.xml'
  }
}

This was a little baffling but maybe I just missed some docs saying that you are supposed to wrap everything in withCredentials instead of just the lines needing creds. Idk ¯_(ツ)_/¯

[speakmore]

FYI, a successful run in my local jenkins.