Our proposed deployment pattern is to use Jenkins to do automated deploys of proxies to Apigee within a DevOps process. There will potentially be multiple developers working simultaneously on proxies, with proxy deployments into non-production happening fairly regularly (including nightlies).

Obviously Jenkins will require a username and password of an Apigee user in order to deploy the bundles. In a multiple developer pattern, we're not sure whether we want a 'real' user to have to enter their Apigee credentials into a Jenkins job. And it breaks the concept of automation if manual intervention is required.

A suggestion has been made for us to create a DevOps role, which has limited permissions, e.g. only Add and Update proxes in a specific environment. Then we register a generic DevOps user in Apigee, assign it to the DevOps role, and then store the credentials of that user in Jenkins, using password masking.

Is this a common pattern? If not, what is the best practice for managing Apigee credentials in a multi-developer, automated deployment ecosystem?