Jenkins Plugin

The Jenkins plugin adds a build wrapper to set Jenkins environment variables from an Akeyless Vault secret. The secrets are masked in the build log, so you can't accidentally print them.

The Jenkins plugin can also inject vault credentials into a build pipeline or freestyle job for fine-grained vault interactions.

To use the Jenkins plugin, you need to add the Akeyless Vault plugin to Jenkins and enter credentials for authenticating against Akeyless Vault. In this example, we will use an API Key for authentication.


You can use any of the authentication methods supported by Akeyless. Ensure that the authentication method you use is associated with an access role with access to the required secrets.

Configure the Akeyless Vault Plugin in Jenkins

  1. Log in to Jenkins and go to Manage Jenkins > Manage Plugins.
  1. Find and install the Hashicorp Vault plugin.
  1. From the main Jenkins page, select New Item > Freestyle project, then add a name for the project and select OK.
  1. In the Build Environment tab, select the Vault Plugin radio button, then enter your Vault proxy URL.


If you are using a customer key fragment with your Akeyless Vault, enter your Vault URL as configured on the Akeyless Gateway.

  1. To set your Jenkins Vault credentials provider, to the right of the Vault Credentials field, select Add, then select Jenkins.
  1. In the Add Credentials window, from the Kind dropdown list, select Vault Token Credential, then enter your credentials and select Add.


The Token value is a concatenation of your Access ID and your Access Key in the following format:
< Access ID >..< Access Key >

For example:p-jjdbbkbd..njRThf894chsBXnuh

  1. In the Build Environment tab, from the Vault Credential dropdown list, select the new credential, then select Advanced.

  2. Add the following information, then select Add a vault secret:

    • KV Engine Version: Enter 1.
    • Skip SSL verification: Select the checkbox.
  1. Add a dynamic secret or a static secret.

Dynamic Secret

To use your Jenkins Plugin to fetch Dynamic Secrets:

"Path" should be in the following format: Producer Name/creds/Your Secret Name

The returned JSON object will have keys named "password" and "username".

In this example, we are fetching a dynamic secret named "ProdDB" from MySQL producer.


To test the plugin, in Build, click “Execute shell”:


Provide your MySQL server IP, and modify the query etc.

mysql --host <your MySQL server ip>  --port 3306 --user=$USER --password=$PASS -e 'show databases;'
exit 0

Click “Apply” and “Save”.
Click “Build Now” and expect to see the following Console Output:


Static Secrets

To work with Static secrets, the Vault Secret Path should be in this format: secret/data/path to your secret . Where the Key in the returned JSON name is "data".
The below screen demonstrates how to configure a static secrets:


Did this page help you?