Comments (7)
Sigh, after fidling around with the keys in secret manager I can't reproduce the issue currently. And during one of the tests I overrode the original value that caused the problems so I can't go back to try different things.
What I found out is that secretsmanager seems also doing some internal newline conversions when using --secret-string. When uploading a file with \r\n line ending with --secret-string the secret actually comes back with \n line endings. I know that at some point yesterday I managed to create a secret with \r\n line endings (which was not the problem, BTW), however now I'm not even able to reproduce that.
All a very long way of saying that at this point I will take the fact that it seems to work now and will only investigate further if I manage to break it again.
Closing for now.
Thanks for the help and sorry for the noise.
from aws-secrets-manager-credentials-provider-plugin.
Is your Jenkins setup a distributed one (controller on one machine, agents that run the jobs on other machines), or all on one box?
from aws-secrets-manager-credentials-provider-plugin.
Controller is separate machine. All jobs run on distinct agents (both the Linux agents where the key works and the Windows agents where it doesn't)
from aws-secrets-manager-credentials-provider-plugin.
Hmm. I have previously heard of a bug in distributed setups where, when a plugin consumes a credential (e.g. the git plugin, or slack plugin, or whatever), and the plugin does not snapshot the credential prior to transfer, the secret value ends up null when the job tries to use it. This doesn't happen with the Jenkins pipeline (withCredentials
or credentials
macros), which do take care to snapshot it beforehand.
If you can use Jenkins Pipeline in your setup, could you try adding
node {
withCredentials([sshUserPrivateKey(credentialsId: '<your SSH key id>', keyFileVariable: 'KEY', usernameVariable: 'KEY_USR')]) {
// try to interact with $KEY or $KEY_USR some way, but you can't just print the value because this is masked in the build log
}
}
before the git clone (or maybe just create a new job for this), and see what the result is?
I'm thinking that if something substantial is wrong, the credential won't bind or its value will effectively be null/empty string
from aws-secrets-manager-credentials-provider-plugin.
Those tests work reasonably fine. File is written correctly to the disk. But in other tests I just found out that this probably has nothing to do with Windows. I tried to use the key in sshagent (on Linux nodes) and that failed as well:
[ssh-agent] Using credentials git (BitbucketSSH key)
[ssh-agent] Using credentials root (SCT SSH Key)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-zmXXY9EUZ1wA/agent.4558
SSH_AGENT_PID=4560
Running ssh-add (command line suppressed)
Error loading key "/home/ubuntu/workspace/d_flichtenheld_core-jenkins-test@tmp/private_key_8107316556344895340.key": invalid format
Will do more tests with different keys and credential providers. Definitely seems to be more complicated than "doesn't work on Windows".
from aws-secrets-manager-credentials-provider-plugin.
So, some results:
The testcases are sshagent() on Linux and checkout() on Windows.
withCredentials() works consistently. It always produces the original credential, with both providers.
The tests work fine with a PEM
style key, i.e. one that starts with -----BEGIN RSA PRIVATE KEY-----
or -----BEGIN EC PRIVATE KEY-----
.
But they do not work with a RFC4716
style key, i.e. one that starts with -----BEGIN OPENSSH PRIVATE KEY-----
.
But only when using the AWS credentials provider, with the default provider everything works fine regardless of key format. Maybe the default provider does some auto-magic key conversions?
So I have a suitable work-around now, just converting the keys to PEM format. But still would be interested to know where the actual problem comes from.
from aws-secrets-manager-credentials-provider-plugin.
The AWS SSH private key class looks like this:
public class AwsSshUserPrivateKey extends BaseStandardCredentials implements SSHUserPrivateKey {
private static final Secret NO_PASSPHRASE = Secret.fromString("");
private final Supplier<String> privateKey;
private final String username;
public AwsSshUserPrivateKey(String id, String description, Supplier<String> privateKey, String username) {
super(id, description);
this.privateKey = privateKey;
this.username = username;
}
@NonNull
@Deprecated
@Override
public String getPrivateKey() {
return privateKey.get();
}
@Override
public Secret getPassphrase() {
return NO_PASSPHRASE;
}
@NonNull
@Override
public List<String> getPrivateKeys() {
return Collections.singletonList(getPrivateKey());
}
@NonNull
@Override
public String getUsername() {
return username;
}
// ...
}
And the credentials factory creates it by:
String name;
String description;
String username;
<aws secrets manager client object> client;
new AwsSshUserPrivateKey(name, description, new StringSupplier(client, name), username)
And all the StringSupplier does is to get the secret-string from Secrets Manager.
So it's all pretty literal; whatever comes out of Secrets Manager, gets reflected in the SSH key object.
I'm wondering, however, whether encoding of the secret might make a difference. Perhaps one of the keys you tried had e.g. LF line breaks, while another had e.g. CRLF? And maybe this affects Windows?
from aws-secrets-manager-credentials-provider-plugin.
Related Issues (20)
- Can we pass googleoauth2 parameters in the helm chart with this plugin HOT 2
- when we use filters option and deploy jenkins with configuration as code, plugin is not able to read if secrets are more than 10 HOT 6
- Support AWS credentials HOT 2
- Icons don't display for "SSH User Private Key" & "Certificate" credentials types HOT 4
- Support for browerstack credential kind HOT 2
- Cross-account role access doesn't appear to work HOT 3
- Make this plugin configurable at folder level, not just centrally HOT 7
- AWS EKS 1.24 client is not respecting jenkins-master pod role HOT 5
- casc config reports improper filter value HOT 5
- reading json secrets HOT 2
- Create support for username-password passing without tag value limitations HOT 3
- Support the popular AmazonWebServicesCredentialsBinding credential types HOT 2
- SSH Keys not working with sshagent
- Ability to set STS endpoint
- The plugin does not pick up Jenkins' proxy settings HOT 4
- Content goes to 404 in Jenkins's documentation
- File Credentials stored in AWS cannot be validated HOT 3
- Don't remove credentials during temporary issues HOT 3
- Github app credentials integrations HOT 1
- "Could not list credentials in Secrets Manager" HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-secrets-manager-credentials-provider-plugin.