Secure credentials handling on Docker in build step




We have a build step that needs a username and password to be able to connect to another server. This build step needs to run in a docker container since it needs a specific image and installs some packages for testing.


What is the proper way of sending creds to a docker container in a build step since config, system and env parameters aren't sent to the container?

Adding them as export to the args of the container shows them as clear text in the build logs.




Hi Mats,

TeamCity passes environmental variables from the build configuration to the docker container, but not from the agent. You should be able to use %env.your_var_name% in your script. 

You can then configure specs for this parameter so that it is not displayed as plain text in logs. Edit such a parameter, click edit in the "Specs" field, select type:Password and display:Hidden. For instance:

As a result, such a parameter will be hidden with asterisks in the build log:

  Running step within Docker container kroniak/ssh-client:latest
Starting: /bin/sh -c "docker pull kroniak/ssh-client:latest && . /Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp/ && docker run --rm -w /Users/mikhail.efremov/TeamCity/buildAgent/work/8065d60185475140 --label jetbrains.teamcity.buildId=649 -v "/Users/mikhail.efremov/TeamCity/buildAgent/lib:/Users/mikhail.efremov/TeamCity/buildAgent/lib:ro" -v "/Users/mikhail.efremov/TeamCity/buildAgent/tools:/Users/mikhail.efremov/TeamCity/buildAgent/tools:ro" -v "/Users/mikhail.efremov/TeamCity/buildAgent/plugins:/Users/mikhail.efremov/TeamCity/buildAgent/plugins:ro" -v "/Users/mikhail.efremov/TeamCity/buildAgent/work/8065d60185475140:/Users/mikhail.efremov/TeamCity/buildAgent/work/8065d60185475140" -v "/Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp:/Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp" -v "/Users/mikhail.efremov/TeamCity/buildAgent/temp/buildTmp:/Users/mikhail.efremov/TeamCity/buildAgent/temp/buildTmp" -v "/Users/mikhail.efremov/TeamCity/buildAgent/system:/Users/mikhail.efremov/TeamCity/buildAgent/system" --env-file /Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp/docker-wrapper-5073258648189295363.envList --entrypoint /bin/sh "kroniak/ssh-client:latest" /Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp/"
in directory: /Users/mikhail.efremov/TeamCity/buildAgent/work/8065d60185475140
latest: Pulling from kroniak/ssh-client
Digest: sha256:18429e5cf196e23b7ec67499714d08c213f0e8c364908e619dc75a51ddfb4e81
Status: Image is up to date for kroniak/ssh-client:latest
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
user:******* Permission denied (publickey,password).
Process exited with code 255

The above log snippet stands for a simple command-line build step executed in a docker container. Contents of the script are as follows:


Best regards,

Mikhail Efremov


Looks like I somehow lost the contents of the script while posting the above reply, my apologies.

ssh -o StrictHostKeyChecking=no
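
A check that goes with the masking described in this thread, as an added example that is not part of the original posts or of TeamCity itself: one helper fails the step when the credential did not reach the container, the other scans a saved build log for the cleartext value or its base64 form, which literal masking would not hide. DEPLOY_PASSWORD is a hypothetical parameter name and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. DEPLOY_PASSWORD is a hypothetical name for
# a build parameter env.DEPLOY_PASSWORD configured with type:Password.

# Accept only plain identifiers, because the name is expanded through eval.
_valid_name() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Fail closed when variable $1 is unset or empty. Only the NAME is printed,
# never the value. Status: 0 = set, 1 = missing, 2 = invalid name.
require_secret() {
    _valid_name "$1" || return 2
    eval "_v=\${$1:-}"
    if [ -n "$_v" ]; then
        unset _v
        return 0
    fi
    echo "required environment variable is not set: $1" >&2
    return 1
}

# Status 0 = leak: the value of variable $1, literally or base64-encoded,
# appears in log file $2. Status 1 = not found, 2 = bad arguments.
# The patterns reach grep on stdin, so the value never shows up in the
# argument list of an external process.
log_leaks_secret() {
    _valid_name "$1" || return 2
    [ -r "$2" ] || return 2
    eval "_v=\${$1:-}"
    [ -n "$_v" ] || return 2
    _b64=$(printf '%s' "$_v" | base64 | tr -d '\n')
    _rc=0
    printf '%s\n%s\n' "$_v" "$_b64" | grep -qF -f /dev/stdin "$2" || _rc=$?
    unset _v _b64
    return "$_rc"
}
```

In a build step, `require_secret DEPLOY_PASSWORD` would run before the ssh command, and `log_leaks_secret DEPLOY_PASSWORD build.log` against a downloaded log in a place where the variable is set.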
