I'm trying to leverage the Jenkins credentials plugin to store sensitive data which I want to inject into Secrets within my Kubernetes cluster. I have a JenkinsFile which is used in my project to define the steps and I've added the following code to pull a username/password from a credential and pass to shell script to replace a placeholder in a file with the actual file:

stages {
    stage('Build') {
        steps {
           withCredentials([usernamePassword(credentialsId: 'creds-test', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME')]) {
               sh '''
                  echo $USERNAME
                  echo $PASSWORD

                  chmod +x secrets-replace.sh
                  ./secrets-replace.sh USERNAME_PLACEHOLDER $USERNAME
                  ./secrets-replace.sh PASSWORD_PLACEHOLDER $PASSWORD
                '''
              }
              echo 'Building...'
              sh './gradlew build --refresh-dependencies'
        }
    }
    ...
}

However whenever this runs all I ever get is the masked **** value back, even when I pass it to the shell script. Here is part of the build log:

Is there something I need to configure to get access to the unmasked value?