Note: This is not an official Cloudsmith solution. This is a proof of concept that is not approved or supported by Cloudsmith.
This project shows how to:
- Set up Jenkins as an OpenID Connect (OIDC) provider
- Use Jenkins-generated OIDC tokens to access private packages on Cloudsmith
- Install Python packages from Cloudsmith using these tokens
- Set your Ngrok token:
  export NGROK_AUTH=your_ngrok_token
- Adjust docker-compose.yaml with your own Cloudsmith org and service account.
- Start the services:
  docker-compose up
- Find the provider URL in the Jenkins logs:
  jenkins-1 | ####### OIDC Provider has been configured #######
  jenkins-1 | Please configure cloudsmith with provider url https://4c48c7279d89.ngrok.app
- Configure an OIDC provider on cloudsmith.io using the URL from the logs.
- Run the cloudsmith-usage Jenkins job at http://localhost:8080 to see it:
  - Exchange the Jenkins JWT for a Cloudsmith token
  - Successfully fetch pip packages
- View the OIDC credential configuration at: http://localhost:8080/manage/credentials/store/system/domain/_/credential/oidc-token-cred/update
- Jenkins creates OIDC tokens using OpenID Connect Provider
- Jenkins injects the token as an environment variable
- The token is exchanged for a Cloudsmith temporary token
- This temporary token is used to download packages
- Creates OIDC tokens for Jenkins jobs
- Generates necessary OIDC configuration files
- Uses RS256 for token signing
- Makes credentials available to Jenkins jobs
- Hides sensitive values in build logs
- Go to "Manage Jenkins" → "Plugins" → "Available Plugins"
- Find and install:
- "OIDC Connect Provider"
- "Credentials Binding"
- Select "Restart Jenkins when installation is complete"
- Go to "Manage Jenkins" → "Credentials" → "System" → "Global credentials"
- Click "Add Credentials"
- Select "Kind" → "OpenID Connect ID Token"
- Fill in:
- Scope: "Global"
- ID: "oidc-token-cred"
- Audience: jenkins
- Description: "OIDC Token for Jenkins"
- Issuer URL: Your public URL
- Click "OK"
After creating the credential, Jenkins will show you two URLs where you can get the configuration files:
- OpenID Configuration URL:
http://your-jenkins-instance/manage/descriptorByName/io.jenkins.plugins.oidc_provider.IdTokenStringCredentials/wellKnownOpenidConfiguration?issuer=your-public-url
- JWKS URL:
http://your-jenkins-instance/manage/descriptorByName/io.jenkins.plugins.oidc_provider.IdTokenStringCredentials/jwks?id=oidc-token-cred&issuer=your-public-url
Requirements for hosting these files:
- Put the OpenID configuration at /.well-known/openid-configuration
- Put the JWKS at /jwks
- Host domain must match the issuer URL in Jenkins
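A mismatch between the issuer URL, the hosted files and the token is the usual reason a provider rejects a Jenkins token. The following is an added example, not part of this project: a consistency check over the two hosted documents and a token's header and claims. It does not verify the signature. The host, key material and token are constructed samples, and the discovery field names are the standard OIDC discovery metadata fields, assumed here to be what the plugin emits.

```python
import base64
import json
from urllib.parse import urlsplit

def _b64url_json(segment):
    """Decode one base64url JWT segment into a dict (no signature check)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_oidc_setup(issuer, discovery, jwks, token, audience="jenkins"):
    """Return a list of mismatches that would make token validation fail."""
    problems = []
    if discovery.get("issuer") != issuer:
        problems.append("discovery issuer differs from the Jenkins issuer URL")
    if urlsplit(discovery.get("jwks_uri", "")).netloc != urlsplit(issuer).netloc:
        problems.append("jwks_uri host differs from the issuer host")
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("discovery does not advertise RS256")
    kids = {k.get("kid") for k in jwks.get("keys", []) if k.get("kty") == "RSA"}
    if not kids:
        problems.append("JWKS contains no RSA keys")
    header, claims = (_b64url_json(p) for p in token.split(".")[:2])
    if header.get("alg") != "RS256":
        problems.append("token is not signed with RS256")
    if header.get("kid") not in kids:
        problems.append("token kid is not present in the JWKS")
    if claims.get("iss") != issuer:
        problems.append("token iss differs from the issuer URL")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token aud does not contain the expected audience")
    return problems

def _segment(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: placeholder host, key material and signature.
ISSUER = "https://jenkins.example.test"
DISCOVERY = {"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks",
             "id_token_signing_alg_values_supported": ["RS256"]}
JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig", "n": "AQAB", "e": "AQAB"}]}
TOKEN = ".".join([_segment({"alg": "RS256", "kid": "key-1"}),
                  _segment({"iss": ISSUER, "aud": "jenkins", "sub": "job/x"}),
                  "constructed-signature"])

if __name__ == "__main__":
    print(check_oidc_setup(ISSUER, DISCOVERY, JWKS, TOKEN) or "consistent")
```

An issuer that differs only by a trailing slash is reported as a mismatch, since issuer comparison is an exact string match.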
- Click "New Item"
- Enter name and select "Freestyle project"
- In configuration:
- Under "Build Environment" → "Use secret text(s) or file(s)"
- Add → "Secret text"
- Variable: "OIDC_TOKEN"
- Credentials: Select your OIDC token
- Add build step "Shell":
# Jenkins runs shell steps with tracing (sh -x); turn it off so the
# exchanged Cloudsmith token is not echoed into the build log
set +x
# Exchange the Jenkins OIDC token for a Cloudsmith token
# (both JSON values must be quoted strings)
response=$(curl -X POST -H "Content-Type: application/json" \
  -d "{\"oidc_token\":\"$OIDC_TOKEN\", \"service_slug\":\"$CLOUDSMITH_SERVICE_ACCOUNT_SLUG\"}" \
  "https://api.cloudsmith.io/openid/${CLOUDSMITH_ORG}/")
# Get token from response
token=$(echo "$response" | jq -r ".token")
# Install packages using token
python -m venv jenkins
. ./jenkins/bin/activate
PIP_INDEX_URL="https://token:$token@dl.cloudsmith.io/basic/${CLOUDSMITH_ORG}/${CLOUDSMITH_REPO}/python/simple/"
pip install package-name --index-url "$PIP_INDEX_URL"