Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Bamboo Specs and masked variables

In Bamboo plans we are able to mask plan variables with "password" phrase in variable name. So nobody will be able to see the content.

We are planning to move to Bamboo Specs and therefor plan variables will be define in specs ( Java API ). How can we avoid exposing passwords in specs. 

I was hoping to enter passwords later on using UI but plans created by spec are not editable with UI.


3 answers

2 accepted

4 votes
Answer accepted
Foong Atlassian Team May 17, 2018

Use the following steps to get encrypted password

  1. Create a dummy plan in Bamboo manually through UI
  2. Add the password into the Plan Variable
  3. In the Plan Configuration view, click on Actions > View plan as Java Specs
  4. Look for the password variable - it will be shown in encrypted format
2 votes
Answer accepted

You can use encrypted form of variable value. Try to create plan with "secret" variable and export it to Java Specs, "secret" variable will be encrypted. You can use this value in Specs code and store it at repository. If you want to avoid storing of variable in encrypted form at code, use Global variable 

Hi, @Alexey Chystoprudov@Foong

Great answer for masked variables.  However, I tried this solution for task type 'Artifactory Generic Deploy', it does not work. It seems that for this task type, it takes readable password string instead of encrypted form in 'Deployer Password' field.

As we are checking java spec code into source control, it is highly recommended that the readable password should NOT be part of code. So, do we have a way to let this task type take encrypted password? or, alternatively, is there a way to call any existing functions ( like what env var decrpytion does) to decrypt the password at run time? Or maybe there's other better way to handle this case?


'Artifactory Generic Deploy' Task view through bamboo portal UI


Code snippet corresponding to field 'Deployer password'

 new Stage("Approval and Trigger file upload")
.jobs(new Job("Approval And TF Artifactory Upload",
new BambooKey("*****")) //masked info
.tasks(new VcsCheckoutTask()
.description("Capture script from BB")
.checkoutItems(new CheckoutItem().defaultRepository()),
new ScriptTask()
.description("Approval Notification")
.finalTasks(new AnyTask(new AtlassianModule("org.jfrog.bamboo.bamboo-artifactory-plugin:artifactoryGenericTask"))
.description("deliver trigger file to qa artifactory")
.configuration(new MapBuilder()
.put("artifactory.generic.publishBuildInfo", "true")
.put("bintrayConfiguration", "")
.put("bintray.licenses", "")
.put("bintray.repository", "")
.put("artifactory.generic.username", "******") //masked info
.put("artifactory.generic.specSourceChoice", "jobConfiguration")
.put("artifactory.generic.resolveRepo", "")
.put("artifactory.generic.deployPattern", "")
.put("artifactory.generic.envVarsExcludePatterns", "*password*,*secret*,*security*,*key*")
.put("bintray.signMethod", "false")
.put("builder.artifactoryGenericBuilder.artifactoryServerId", "0")
.put("bintray.subject", "")
.put("artifactory.generic.file", "")
.put("artifactory.generic.useSpecsChoice", "specs")
.put("bintray.packageName", "")
.put("artifactory.generic.includeEnvVars", "")
.put("artifactory.generic.artifactSpecs", "")
.put("artifactory.generic.password", "*************") //<------This is where the password is, it takes un-encrypted, plain text form
.put("bintray.mavenSync", "")
.put("artifactory.generic.jobConfiguration", "{****************}") //masked info
.put("baseUrl", "https://bamboo.********") //masked info
.put("artifactory.generic.envVarsIncludePatterns", "")
.put("artifactory.generic.resolvePattern", "")
.put("bintray.vcsUrl", "")
.put("builder.artifactoryGenericBuilder.deployableRepo", "AADEFrontEnd-ReleaseCandidates")
.put("bintray.gpgPassphrase", "/* SENSITIVE INFORMATION */")


Thanks in advance for any help to be provided.

It's responsibility of plugin developer to store data in encrypted form in DB and decrypt it in runtime. Contact plugin vendor to fix this issue:

Thanks for the direction Alex.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bamboo

Bamboo Data Center 8.1 is now available

G’day Bamboo customers, Bamboo DC 8.1 is now available with it the following features and programs: SAML 2.0, OpenID Connect, and Crowd SSO In order to help admins with a simplified user manage...

200 views 0 4
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you