How to use Access tokens in your CI environment?

JFrog Support
2018-06-11 09:30

One of the big advantages of access tokens is the fact that you don’t have to create a user in Artifactory to use them. When creating a token, you can specify a username that does not exist, and Artifactory will create a transient user that will only exist as long as the token is valid.
This can be useful to in giving access to different tools such as a CI server coordinating a build without having to manage fake user accounts, or you might want to grant an expirable token for a user external to your company for a limited access scope and time.
This method is also more secure since you can assign a new token for each "job" that the external tool runs.


For example, in order to create a token to my Jenkins I have a created a group called “CI”:
With Delete/overwrite, Deploy/cache annotate and read permissions:

Screen Shot 2017-09-28 at 12.03.28.png

This group will be used as a scope parameter to assign to the token with the permission targets specified for the group “CI” mentioned above.
Notice that I did not put any user in that group.


The creation of a token for the CI(here we will use the Jenkins as an example) agent, will use the following end point:


Notice that I have created a token for a user named “jenkins” that does not exists in my Artifactory.


This produced the following Json file output:


 "scope" : "member-of-groups:CI api:*",
 "access_token" : "eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJTbmE0WloxZTlQenVFQk5hQWRuVV9UZ05aYVliRjMySURQb1VCQVdYSDY4In0.eyJzdWIiOiJqZnJ0QDAxYnYzbXN3cDR2NjNnMGp4bXIxMWEwZmI2XC91c2Vyc1wvamVua2lucyIsInNjcCI6Im1lbWJlci1vZi1ncm91cHM6Q0kgYXBpOioiLCJhdWQiOiJqZnJ0QDAxYnYzbXN3cDR2NjNnMGp4bXIxMWEwZmI2IiwiaXNzIjoiamZydEAwMWJ2M21zd3A0djYzZzBqeG1yMTFhMGZiNiIsImV4cCI6MTUwNjU4OTczMiwiaWF0IjoxNTA2NTg2MTMyLCJqdGkiOiIzZmYyYTZmNi1hZjVjLTRjNzItOWZlNy0yYzVlNWQ4YWFiNTUifQ.i81ETO9I1ArtkIqQVfXwSXhdk3_YwggM3C6uiYXNc0HjveMR08x2Lf_4-z4p-PBJMqCbOXGKTqG6BjSrsS5OAgU-sVhZVmgAcE-fiaZ4HYVSBOVQVw4XtdUbB63ozOSQduKJJR5187I3ZF9MVoc8_nQvYmkmf_J0hOE0XFvjy7nd-WkxR8dsH0rq4A3gtivmfdogVpj0BmaT683zieuO5PyF5Molbk30ke-rs33gwrgqhCK6r8mfUK5cG0wGpwq5FffSCvh413Nrq1uBHgaiTSDdL4XFEC3AQa3etwxfWvsas_XsLAbUrQ8a9mywciZFkgiAkBUce7sbb6nF6fqvBw",
 "expires_in" : 3600,
 "token_type" : "Bearer"


More information on the above endpoint you will be able to find here.


On the Jenkins server under the “Configure System”, scroll down to the “Artifactory” section and click on add deployer credentials in order to add a username and the token to your Jenkins server agent:


Don’t forget to change your Credentials to use the token credentials from the old credentials after adding.


If you are using the credentials plugin, just put the Username and the Password in the corresponding fields- as you will be able to see at the below screenshots:


Screen Shot 2017-09-28 at 12.24.42.png

Your Jenkins will now be able to build and deploy projects to Artifactory using the generated access token.