Chapter 5. Access and Security

Being able to create pipelines-as-code offers enormous potential and flexibility. In Scripted Pipelines, a call to any Groovy construct, Jenkins functionality, or external method can be written directly into the pipeline script. However, that also makes it significantly easier for pipeline code to do something it shouldn’t, whether accidentally or intentionally. So security has to be a first-class concern, and a first-class feature, for both pipelines and the Jenkins environment in which they are created and run.

In this chapter, we’ll survey the different ways that Jenkins has for controlling access and security. We’ll first look at the overall security options, then we’ll survey the traditional credentials mechanisms that Jenkins offers and how to use those in pipelines.

After that, we’ll do a deeper dive into the advanced functionality available via the Role-Based Access Control (RBAC) plugin. We’ll then explore how Jenkins can integrate with Vault, a modern approach to storing credentials with a limited lifetime.

Finally, we’ll see what new features Jenkins 2 provides for ensuring that the steps in a pipeline have only the appropriate access and are executed in an approved context.

Let’s start off by looking at the most basic options for securing Jenkins once it’s installed.

Securing Jenkins

Prior to Jenkins 2.0, the default configuration for Jenkins was to have security disabled—not doing any security checking. This meant that Jenkins was ...
