Credentials inheritance and overrides are not respected when configuring or running pipelines even if it is well displayed at folder level #295

Open
vivienfricadelamadeus opened this issue Apr 3, 2025 · 2 comments

vivienfricadelamadeus commented Apr 3, 2025

Jenkins and plugins versions report

Jenkins: 2.479.3
OS: Linux - 5.14.0-427.49.1.el9_4.x86_64
Java: 17.0.13 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
Office-365-Connector:5.0.0
Parameterized-Remote-Trigger:3.2.0
ace-editor:1.1
allure-jenkins-plugin:2.31.1
ansible-tower:0.16.0
ansicolor:1.0.5
ant:511.v0a_a_1a_334f41b_
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.4-136.v5a_21779c63f8
artifactory:4.0.8
asm-api:9.7.1-97.v4cc844130d97
async-http-client:1.9.40.0
authentication-tokens:1.119.v50285141b_7e1
azure-ad:531.v13107da_f2635
azure-credentials:341.v4881e9f4ffea_
azure-keyvault:280.v166053ddda_42
azure-sdk:174.va_89c1df897d2
basic-branch-build-strategies:190.v343a_ee70d920
blueocean-autofavorite:1.2.5
blueocean-commons:1.27.16
blueocean-config:1.27.16
blueocean-core-js:1.27.16
blueocean-dashboard:1.27.16
blueocean-display-url:2.4.3
blueocean-events:1.27.16
blueocean-git-pipeline:1.27.16
blueocean-github-pipeline:1.27.16
blueocean-i18n:1.27.16
blueocean-jira:1.27.16
blueocean-jwt:1.27.16
blueocean-personalization:1.27.16
blueocean-pipeline-api-impl:1.27.16
blueocean-pipeline-editor:1.27.16
blueocean-pipeline-scm-api:1.27.16
blueocean-rest:1.27.16
blueocean-rest-impl:1.27.16
blueocean-web:1.27.16
bootstrap4-api:4.6.0-6
bootstrap5-api:5.3.3-2
bouncycastle-api:2.30.1.80-256.vf98926042a_9b_
branch-api:2.1208.vf528356feca_4
build-failure-analyzer:2.5.3
build-failure-analyzer-extension:1.1.2
build-pipeline-plugin:2.0.2
build-timeout:1.33
build-with-parameters:76.v9382db_f78962
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.2
cloud-stats:377.vd8a_6c953e98e
cloudbees-bitbucket-branch-source:895.v15dc41668f03
cloudbees-folder:6.976.v4dc79fb_c458d
cobertura:1.17
code-coverage-api:4.99.0
command-launcher:115.vd8b_301cc15d0
commons-compress-api:1.26.1-2
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.13.0-153.v91dcd89e2a_22
conditional-buildstep:1.4.3
config-file-provider:980.v88956a_a_5d6a_d
configuration-as-code:1929.v036b_5a_e1f123
copyartifact:757.v05365583a_455
coverage:2.2.0
credentials:1389.vd7a_b_f5fa_50a_2
credentials-binding:687.v619cb_15e923f
cucumber-reports:5.8.3
dashboard-view:2.517.v776a_b_811a_b_4e
data-tables-api:2.1.8-1
display-url-api:2.209.v582ed814ff2f
docker-commons:445.v6b_646c962a_94
docker-java-api:3.4.0-94.v65ced49b_a_7d5
docker-plugin:1.7.0
docker-workflow:580.vc0c340686b_54
durable-task:577.v2a_8a_4b_7c0247
echarts-api:5.6.0-1
eddsa-api:0.3.0.1-19.vc432d923e5ee
email-ext:1844.v3ea_a_b_842374a_
embeddable-build-status:487.va_0ef04c898a_2
favorite:2.221.v19ca_666b_62f5
file-parameters:339.v4b_cc83e11455
font-awesome-api:6.7.2-1
forensics-api:3.0.0
git:5.6.0
git-client:6.1.0
git-server:126.v0d945d8d2b_39
github:1.40.0
github-api:1.321-478.vc9ce627ce001
github-branch-source:1807.v50351eb_7dd13
gradle:2.13.1
gson-api:2.12.1-113.v347686d6729f
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
hp-application-automation-tools-plugin:24.3
htmlpublisher:1.36
http_request:1.19
ibm-ucdeploy-build-steps:2.6.929921
icon-shim:3.0.0
instance-identity:203.v15e81a_1b_7a_38
ionicons-api:82.v0597178874e1
ivy:2.6
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-2
jakarta-mail-api:2.1.3-2
javadoc:280.v050b_5c849f69
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
jenkins-design-language:1.27.16
jersey2-api:2.45-154.v4ded3dc34f81
jira:3.13
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
job-dsl:1.90
job-restrictions:0.8
joda-time-api:2.13.1-115.va_6b_5f8efb_1d8
jquery:1.12.4-3
jquery-detached:1.2.1
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20250107-125.v28b_a_ffa_eb_f01
json-path-api:2.9.0-148.v22a_7ffe323ce
jsoup:1.19.1-36.v63b_c859911d0
junit:1307.vdd5b_2646279e
kubernetes:4295.v7fa_01b_309c95
kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2
kubernetes-credentials:190.v03c305394deb_
ldap:764.v4d0d3599e9c2
localization-support:1.2
lockable-resources:1327.ved786b_a_197e0
mailer:489.vd4b_25144138f
mask-passwords:173.v6a_077a_291eb_5
matrix-auth:3.2.3
matrix-project:840.v812f627cb_578
maven-plugin:3.24
mercurial:1260.vdfb_723cdcc81
metrics:4.2.21-458.vcf496cb_839e4
mina-sshd-api-common:2.14.0-143.v2b_362fc39576
mina-sshd-api-core:2.14.0-143.v2b_362fc39576
momentjs:1.1.1
oic-auth:4.444.vd4c54f157201
okhttp-api:4.11.0-183.va_87fc7a_89810
openshift-client:1.1.0.424.v829cb_ccf8798
openshift-login:1.1.0.248.v1908df5c4f5e
opentelemetry:3.1419.v3b_27ca_911066
opentelemetry-api:1.46.0.54.v83ff2ff43a_c3
parameterized-scheduler:277.v61a_4b_a_49a_c5c
parameterized-trigger:806.vf6fff3e28c3e
people-view:1.2
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-event-publisher-plugin:1.0.4
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:744.v5b_556ee7c253
pipeline-input-step:495.ve9c153f6067b_
pipeline-lib-data-collector:0.2.1
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2218.v56d0cda_37c72
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:2.2218.v56d0cda_37c72
pipeline-model-extensions:2.2218.v56d0cda_37c72
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2218.v56d0cda_37c72
pipeline-stage-view:2.34
pipeline-utility-steps:2.18.0
plain-credentials:183.va_de8f1dd5a_2b_
plugin-usage-plugin:4.6
plugin-util-api:6.0.0
popper-api:1.16.1-3
popper2-api:2.11.6-5
prism-api:1.30.0-1
prometheus:787.v52e8f47488fc
pubsub-light:1.18
rebuild:332.va_1ee476d8f6d
resource-disposer:0.24
robot:4.0.0
run-condition:1.7
scm-api:703.v72ff4b_259600
script-security:1369.v9b_98a_4e95b_2d
scriptler:376.v152edd95b_ca_f
servicenow-devops:4.1.0
sidebar-link:2.4.1
snakeyaml-api:2.3-123.v13484c65210a_
sonar:2.17.2
splunk-devops:1.10.1
splunk-devops-extend:1.10.1
sse-gateway:1.27
ssh-credentials:343.v884f71d78167
ssh-slaves:2.973.v0fa_8c0dea_f9f
ssh-steps:2.0.68.va_d21a_12a_6476
sshd:3.330.vc866a_8389b_58
structs:338.v848422169819
support-core:1553.v4dd20218b_cb_2
test-results-analyzer:0.4.1
thinBackup:2.1.1
timestamper:1.27
token-macro:444.v52de7e9c573d
trilead-api:2.147.vb_73cc728a_32e
uipath-automation-package:4.0.327.v39580c233fd7
uno-choice:2.8.4
validating-string-parameter:183.v3748e79b_9737
variant:60.v7290fc0eb_b_cd
windows-slaves:1.8.1
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1363.v03f731255494
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:4018.vf02e01888da_f
workflow-cps-global-lib:612.v55f2f80781ef
workflow-cps-global-lib-http:2.50.0
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1505.vea_4b_20a_4a_495
workflow-multibranch:800.v5f0a_a_660950e
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:686.v603d058a_e148
workflow-support:946.v2a_79d8a_4b_e14
ws-cleanup:0.47

What Operating System are you using (both controller, and any agents involved in the problem)?

All is OpenShift and Docker image based. We don't think there is something related to the issue here.

Reproduction steps

  1. Create a global credential with id IZ_USER at Jenkins root level
  2. Create an Azure Key Vault global credential with id IZ_USER
  3. Create a folder inside Jenkins (here called vivien in screenshots)
  4. Create a pipeline inside the folder using Git and try to retrieve the right IZ_USER credential

Expected Results

According to inheritance, credentials at folder level should be resolved instead of the Azure global ones.
We can see in the folder that credentials inheritance is properly displayed.

Actual Results

The wrong credentials are displayed in the pipeline definition and are wrongly used at pipeline execution.


Anything else?

No response

Are you interested in contributing a fix?

Yes. What we're missing is how the credentials priorities are computed / resolved in interaction with the Azure Key Vault plugin.


timja commented Apr 3, 2025

I don't know if the APIs are fine-grained enough for that and it may depend on the consumer plugin.

Can you provide clear steps to reproduce with exactly what's in the pipeline please?

@vivienfricadelamadeus

Hello @timja,

To make sure to reproduce, you must declare 3 credentials with the same ID but with the 3 providers:

  • one global in Jenkins at root level (put username "test-jenkins")
  • one global with Azure plugin (at root level) (put username "test-azure")
  • one global at folder level (put username "test-folder")

In theory, the one at folder level should take precedence over the global ones at root level. When checking my 1st screenshot and looking at "stores from parent", we see that Folder > Azure > System, so the resolved one should be the folder one (this is what we expect).

Create a Pipeline in that folder with the following definition:

withCredentials([usernamePassword(credentialsId: 'IZ_USER', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
  echo USERNAME.substring(4)
}

You will see the output will be "azure" instead of "folder".

Thanks for your support, don't hesitate if you need more information.
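
An added diagnostic for the Jenkins script console, not part of the issue thread or of either plugin: it lists every credentials store visible from the folder that holds an entry with the colliding ID, in the order `CredentialsProvider.lookupStores` returns them, so an ID shadowed across providers can be spotted before a pipeline binds it. The folder name `vivien` and the ID `IZ_USER` come from the report; it assumes each provider exposes its entries through `CredentialsStore.getCredentials`, and it does not show which entry `withCredentials` finally selects.

```groovy
// Added diagnostic for the Jenkins script console; not code from the issue or the plugins.
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.IdCredentials
import jenkins.model.Jenkins

// Values taken from the report: folder "vivien", credential ID "IZ_USER".
def folderFullName = 'vivien'
def credentialId   = 'IZ_USER'

def folder = Jenkins.get().getItemByFullName(folderFullName)
if (folder == null) {
    throw new IllegalArgumentException("No item named '${folderFullName}'")
}

def hits = []
// lookupStores returns the credentials stores visible from the given context.
CredentialsProvider.lookupStores(folder).eachWithIndex { store, position ->
    store.domains.each { domain ->
        store.getCredentials(domain)
             .findAll { it instanceof IdCredentials && it.id == credentialId }
             .each { cred ->
                 hits << [
                     position: position,                    // index in lookupStores order
                     store   : store.class.name,            // identifies the provider's store
                     context : store.context?.displayName,  // folder or Jenkins root
                     domain  : domain.name ?: '(global)',
                     type    : cred.class.simpleName        // type only, never the secret
                 ]
             }
    }
}

hits.each { println it }
if (hits.size() > 1) {
    println "WARNING: '${credentialId}' is defined in ${hits.size()} stores " +
            "visible from '${folderFullName}'"
}
```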
