Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Bamboo Specs and masked variables

In Bamboo plans we are able to mask plan variables with "password" phrase in variable name. So nobody will be able to see the content.

We are planning to move to Bamboo Specs and therefor plan variables will be define in specs ( Java API ). How can we avoid exposing passwords in specs. 

I was hoping to enter passwords later on using UI but plans created by spec are not editable with UI.


3 answers

2 accepted

4 votes
Answer accepted
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 17, 2018

Use the following steps to get encrypted password

  1. Create a dummy plan in Bamboo manually through UI
  2. Add the password into the Plan Variable
  3. In the Plan Configuration view, click on Actions > View plan as Java Specs
  4. Look for the password variable - it will be shown in encrypted format
2 votes
Answer accepted
Alexey Chystoprudov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 17, 2018

You can use encrypted form of variable value. Try to create plan with "secret" variable and export it to Java Specs, "secret" variable will be encrypted. You can use this value in Specs code and store it at repository. If you want to avoid storing of variable in encrypted form at code, use Global variable 

Hi, @Alexey Chystoprudov@Foong

Great answer for masked variables.  However, I tried this solution for task type 'Artifactory Generic Deploy', it does not work. It seems that for this task type, it takes readable password string instead of encrypted form in 'Deployer Password' field.

As we are checking java spec code into source control, it is highly recommended that the readable password should NOT be part of code. So, do we have a way to let this task type take encrypted password? or, alternatively, is there a way to call any existing functions ( like what env var decrpytion does) to decrypt the password at run time? Or maybe there's other better way to handle this case?


'Artifactory Generic Deploy' Task view through bamboo portal UI


Code snippet corresponding to field 'Deployer password'

 new Stage("Approval and Trigger file upload")
.jobs(new Job("Approval And TF Artifactory Upload",
new BambooKey("*****")) //masked info
.tasks(new VcsCheckoutTask()
.description("Capture script from BB")
.checkoutItems(new CheckoutItem().defaultRepository()),
new ScriptTask()
.description("Approval Notification")
.finalTasks(new AnyTask(new AtlassianModule("org.jfrog.bamboo.bamboo-artifactory-plugin:artifactoryGenericTask"))
.description("deliver trigger file to qa artifactory")
.configuration(new MapBuilder()
.put("artifactory.generic.publishBuildInfo", "true")
.put("bintrayConfiguration", "")
.put("bintray.licenses", "")
.put("bintray.repository", "")
.put("artifactory.generic.username", "******") //masked info
.put("artifactory.generic.specSourceChoice", "jobConfiguration")
.put("artifactory.generic.resolveRepo", "")
.put("artifactory.generic.deployPattern", "")
.put("artifactory.generic.envVarsExcludePatterns", "*password*,*secret*,*security*,*key*")
.put("bintray.signMethod", "false")
.put("builder.artifactoryGenericBuilder.artifactoryServerId", "0")
.put("bintray.subject", "")
.put("artifactory.generic.file", "")
.put("artifactory.generic.useSpecsChoice", "specs")
.put("bintray.packageName", "")
.put("artifactory.generic.includeEnvVars", "")
.put("artifactory.generic.artifactSpecs", "")
.put("artifactory.generic.password", "*************") //<------This is where the password is, it takes un-encrypted, plain text form
.put("bintray.mavenSync", "")
.put("artifactory.generic.jobConfiguration", "{****************}") //masked info
.put("baseUrl", "https://bamboo.********") //masked info
.put("artifactory.generic.envVarsIncludePatterns", "")
.put("artifactory.generic.resolvePattern", "")
.put("bintray.vcsUrl", "")
.put("builder.artifactoryGenericBuilder.deployableRepo", "AADEFrontEnd-ReleaseCandidates")
.put("bintray.gpgPassphrase", "/* SENSITIVE INFORMATION */")


Thanks in advance for any help to be provided.

Alexey Chystoprudov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Jun 13, 2018 • edited

It's responsibility of plugin developer to store data in encrypted form in DB and decrypt it in runtime. Contact plugin vendor to fix this issue:

Thanks for the direction Alex.

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events