Recipe how to recover Jenkins plain secret text credential via the web user interface
13 Nov 2021 - tsp
Last update 13 Nov 2021
Everyone knows this situation - you've configured Jenkins to handle webhooks
and you've forgotten the plain text secret that is used to authenticate the
GitLab or GitHub webhooks that should trigger Jenkins jobs on pushes to
different branches of your repositories, so you would have to configure a new
one. In this case there are three possible routes:
- Simply create another credential that is allowed to trigger WebHooks
- Change the old credential to a new random value and reconfigure all existing
repositories that are allowed to trigger Jenkins actions
- Just recover the secret using the web interface
At first sight it doesn't look like Jenkins would expose the plain text
secret - GitHub, for example, never does, as one would expect of a web service.
But in the Jenkins UI there is a solution:
- Access your credentials store using Manage Jenkins -> Manage credentials
- Select the plain key that you want to recover by selecting its name
- Navigate to Update. Then the key is shown as Concealed, as one would expect.
- Now select Change password and inspect the element using your browser.
This should look somewhat like {AQAAABAAAAAwDBdOTwDoluIDh9ZxGn6nAQsy+JWp9M1MSYsGcpQS5/BRM09YSqWQBDb+O77fbyOcURKSwcgxZguYU0TqXHG01g==}
This can easily be decrypted using the Jenkins script console that's accessible
at /script. Just use the following short script command with the previously
recovered encrypted credential:
println hudson.util.Secret.decrypt("{AQAAABAAAAAwDBdOTwDoluIDh9ZxGn6nAQsy+JWp9M1MSYsGcpQS5/BRM09YSqWQBDb+O77fbyOcURKSwcgxZguYU0TqXHG01g==}")
The plain text secret will be shown in the results.
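The concealed value is structured, not opaque, so it can be recognised wherever it ends up (saved page source, configuration backups, pasted logs). The following Python is an added example, not code from the original article or from Jenkins. It assumes the version 1 payload layout written by hudson.util.Secret (one version byte, two big-endian 32-bit lengths, then IV and ciphertext), and the HTML fragment around the article's value is constructed.

```python
import base64
import re
import struct

# Constructed input: the value quoted in the article inside a made-up HTML
# fragment, plus a brace-wrapped base64 string that is not a Jenkins secret.
SAMPLE = (
    '<input name="example" type="hidden" value="'
    '{AQAAABAAAAAwDBdOTwDoluIDh9ZxGn6nAQsy+JWp9M1MSYsGcpQS5/BRM09YSqWQ'
    'BDb+O77fbyOcURKSwcgxZguYU0TqXHG01g==}">\n'
    'note: {aGVsbG8gd29ybGQ=} is base64 in braces but not a secret\n'
)

CANDIDATE = re.compile(r"\{([A-Za-z0-9+/]+={0,2})\}")

def parse_blob(wrapped):
    """Return the header fields of a '{base64}' value, or None if it does not fit."""
    m = CANDIDATE.fullmatch(wrapped.strip())
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 9:
        return None
    # Assumed layout: version byte, IV length, ciphertext length (big-endian).
    version, iv_len, data_len = struct.unpack(">BII", raw[:9])
    if version != 1 or len(raw) != 9 + iv_len + data_len:
        return None
    return {"version": version, "iv_len": iv_len, "ciphertext_len": data_len}

def find_blobs(text):
    """Return (line_number, header) for every value in text that parses as a secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            header = parse_blob(m.group(0))
            if header:
                hits.append((lineno, header))
    return hits

if __name__ == "__main__":
    for lineno, header in find_blobs(SAMPLE):
        print(f"line {lineno}: Jenkins-encrypted value {header}")
```

Anything this flags can be turned back into plain text by whoever can reach the script console of the instance that produced it, so handle such values like the credential itself.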