How to use Access Tokens in your CI environment?

JFrog Support
2019-11-24 08:53




One of the big advantages of Access Tokens is that you don’t have to create a user in Artifactory to use them. When creating a token, you can specify a username that does not exist, and Artifactory will create a transient user that exists only as long as the token is valid.

This can be useful when granting access to different tools, such as a CI server coordinating a build, without having to manage fake user accounts. You might also want to grant an expirable token to a user external to your company for a limited access scope and time.

This method is also more secure, since you can assign a new token for each "job" that the external tool runs.
For example, in order to create a token for my Jenkins, I have created a group called “CI” with Delete/Overwrite, Deploy/Cache, Annotate and Read permissions.

This group will be used as the scope parameter of the token, which assigns the token the permission targets specified for the “CI” group mentioned above. Notice that there is no user in that group. To create a token for the CI agent (here we use Jenkins as an example), run the following:

$ curl -uadmin:password -XPOST http://localhost:8081/artifactory/api/security/token -d "username=jenkins" -d "scope=member-of-groups:CI"

Notice that I have created a token for a user named “jenkins” that does not exist in my Artifactory.
This produced the following JSON output:

{
 "scope" : "member-of-groups:CI api:*",
 "access_token" : "eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJTbmE0WloxZTlQenVFQk5hQWRuVV9UZ05aYVliRjMySURQb1VCQVdYSDY4In0.eyJzdWIiOiJqZnJ0QDAxYnYzbXN3cDR2NjNnMGp4bXIxMWEwZmI2XC91c2Vyc1wvamVua2lucyIsInNjcCI6Im1lbWJlci1vZi1ncm91cHM6Q0kgYXBpOioiLCJhdWQiOiJqZnJ0QDAxYnYzbXN3cDR2NjNnMGp4bXIxMWEwZmI2IiwiaXNzIjoiamZydEAwMWJ2M21zd3A0djYzZzBqeG1yMTFhMGZiNiIsImV4cCI6MTUwNjU4OTczMiwiaWF0IjoxNTA2NTg2MTMyLCJqdGkiOiIzZmYyYTZmNi1hZjVjLTRjNzItOWZlNy0yYzVlNWQ4YWFi**********",
 "expires_in" : 3600,
 "token_type" : "Bearer"
}


More information on the above endpoint can be found here.
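
One check a CI pipeline can run on the response above before storing the token, as an added example rather than JFrog's own code: decode the JWT payload and confirm that the subject, groups and lifetime match what was requested. The claim names (sub, scp, iat, exp) are the ones visible in the payload of the token above; the sample responses, the "admins" group and the helper names are constructed, and the comma-separated group list is an assumption.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token_response(resp: dict, user: str, allowed_groups: set, max_ttl: int) -> list:
    """Return a list of findings; an empty list means the token matches the request."""
    claims = jwt_claims(resp["access_token"])
    findings = []
    if not claims.get("sub", "").endswith("/users/" + user):
        findings.append("subject is not " + user)
    for item in claims.get("scp", "").split():
        kind, _, value = item.partition(":")
        if kind == "member-of-groups":
            # Assumption: several groups are given as a comma-separated list.
            extra = set(value.split(",")) - allowed_groups
            if extra:
                findings.append("unexpected groups: " + ",".join(sorted(extra)))
        elif item != "api:*":
            findings.append("unexpected scope item: " + item)
    if "exp" not in claims:
        findings.append("no exp claim")
    else:
        ttl = claims["exp"] - claims["iat"]
        if ttl > max_ttl:
            findings.append("lifetime %ds exceeds %ds" % (ttl, max_ttl))
        if ttl != resp.get("expires_in"):
            findings.append("expires_in does not match exp - iat")
    return findings

def make_sample(scope: str, iat: int, ttl: int) -> dict:
    """Constructed response shaped like the one above; the signature is a dummy."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": "jfrt@EXAMPLE/users/jenkins", "scp": scope, "iat": iat, "exp": iat + ttl}
    token = ".".join([b64({"typ": "JWT", "alg": "RS256"}), b64(claims), "c2lnbmF0dXJl"])
    return {"scope": scope, "access_token": token, "expires_in": ttl, "token_type": "Bearer"}

if __name__ == "__main__":
    good = make_sample("member-of-groups:CI api:*", 1506586132, 3600)
    wide = make_sample("member-of-groups:CI,admins api:*", 1506586132, 86400)
    print(audit_token_response(good, "jenkins", {"CI"}, 3600))
    print(audit_token_response(wide, "jenkins", {"CI"}, 3600))
```
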
On the Jenkins server, under “Configure System”, scroll down to the “Artifactory” section and click on add deployer credentials in order to add a username and the token to your Jenkins server agent.

After adding them, don’t forget to change your credentials from the old credentials to the token's.
If you are using the credentials plugin, just put the Username and the Password in the corresponding fields.

Your Jenkins will now be able to build and deploy projects to Artifactory using the generated Access Token.