Our proposed deployment pattern is to use Jenkins to do automated deploys of proxies to Apigee within a DevOps process. There will potentially be multiple developers working simultaneously on proxies, with proxy deployments into non-production happening fairly regularly (including nightlies).
Obviously Jenkins will require a username and password of an Apigee user in order to deploy the bundles. In a multiple developer pattern, we’re not sure whether we want a ‘real’ user to have to enter their Apigee credentials into a Jenkins job. And it breaks the concept of automation if manual intervention is required.
A suggestion has been made for us to create a DevOps role, which has limited permissions, e.g. only Add and Update proxies in a specific environment. Then we register a generic DevOps user in Apigee, assign it to the DevOps role, and then store the credentials of that user in Jenkins, using password masking.
Is this a common pattern? If not, what is the best practice for managing Apigee credentials in a multi-developer, automated deployment ecosystem?