Comments (16)
Thank you,
I don't work there anymore and in the new place we don't use Jenkins.
I'll try to find someone relevant for testing this.
from aws-secrets-manager-credentials-provider-plugin.
Just to check I understand the surrounding context right...
- Your company has 1 big AWS account for all teams
- All teams' secrets are in that account's Secrets Manager
- Each team has a K8S-on-EC2 cluster (not EKS?) with Jenkins on it
from aws-secrets-manager-credentials-provider-plugin.
Also, are the teams able to edit resources in the AWS account besides the locked-down K8S clusters (i.e. can they put their own secrets in Secrets Manager), or does some central team or enterprise automation tooling edit the AWS resources for them?
from aws-secrets-manager-credentials-provider-plugin.
- Your company has 1 big AWS account for all teams:
- We have multiple AWS accounts, two of them are dedicated to Secrets manager (Dev and Prod)
- All teams' secrets are in that account's Secrets Manager:
- Yes, all the secrets are stored in two main aws accounts. There is a segregation between the teams via roles based on the secret's name. For example, team AAA has access only to secrets with the name "/aaa/*".
- Each team has a K8S-on-EC2 cluster (not EKS?) with Jenkins on it
- Each team has a namespace with Jenknis instance in a dedicated for Jenkins K8s. This K8s runs on ec2 nodes/instances (not EKS) in a separate account from the accounts used for secrets manager.
- are the teams able to edit resources in the AWS account
- The teams can edit their secrets and change their API keys in the secrets manager account. They can't change the resources of the Jenkins K8s account.
from aws-secrets-manager-credentials-provider-plugin.
Ok, the first thing to find out is whether you can use AWS profiles to let the Jenkins box hop into the alternate account for Secrets Manager access; if this can't be done then we'll have to deal with this first.
This plugin doesn't currently support multiple accounts for lack of a good credential namespacing solution. However I believe AWS lets you use a different account to the implicit one, by specifying an assumeRole ARN if you set up an AWS profile in ~/.aws/config and ~/.aws/credentials. Give that a go, and if that works we can look at improving the way config works.
from aws-secrets-manager-credentials-provider-plugin.
We can't / don't want the Jenkins infrastructure to be involved. Since ~/.aws/credentials are defined in the infrastructure, we can't do this...
A great solution for us would be an integration with the aws-credentials plugin. The user will set up aws-credentials and choose the relevant credentials in the plugin configuration. The plugin will use these credentials to pull the secrets from the secrets manager service...
The downside of this solution is the dependency on the aws-credentials plugin.
from aws-secrets-manager-credentials-provider-plugin.
I'm planning to restore a part of the beta clients
feature which should do what you need. This would expose a client:
option in the config that would allow you to change the following fields about the AWS SDK client, including the AWS credentialsProvider
which tells the SDK which strategy to authenticate with. The static
strategy would allow an access key pair to be specified inline within Jenkins config, rather than inherited from outside:
<plugin>:
cache: ...
client:
credentialsProvider:
static: # options: blank (default), static (specify key pair inline - shown here), profile (read from AWS profiles), assumeRole (IAM role ARNs)
accessKeyId: "foo"
secretAccessKey: "bar"
endpointConfiguration: # or leave blank for default
serviceEndpoint: ...
signingRegion: ...
region: "some-region" # or leave blank for default
listSecrets:
filters:
...
Let me know if this does what you need (I think it should?)
from aws-secrets-manager-credentials-provider-plugin.
This is pretty close to what we need...
Two things I would like to change:
- Providing the secretAccessKey as plain text in Jenkins configuration is a high-security risk.
I think a preferred (and the standard) way is to store the accessKeyId and secretAccessKey as credentials in Jenkins. - We need a combination of static and role. Since the credentials allow only to assume a role and not direct access to the secrets manager
credentialsProvider:
static: # options: blank (default), static (specify credentials ID - shown here), profile (read from AWS profiles), assumeRole (IAM role ARNs)
credentialsId: "AWSCredentials" // the id of the credentials in Jenkins
role: ... // the role to assume
If you don't have the time for these two requests, let me know... restore the clients, and I will contribute it.
from aws-secrets-manager-credentials-provider-plugin.
The secretAccessKey can be modelled as a Secret rather than a String in the Jenkins model. This ensures that when it's serialised to Jenkins config XML the value will not be stored in plaintext.
If the value is inserted through the Web UI, this is sufficient; the plaintext value won't be stored decrypted when it hits the disk.
If the value is inserted through CasC by pasting the value straight into the casc.yaml, then yes the decrypted secretAccessKey would be present on disk. However, CasC has a mechanism for hiding early-stage bootstrapping secrets like this: secrets interpolation. This is what I'd recommend in that use case.
The other approach you describe - feeding a credentials provider with a credential - has 2 problems:
- We still end up solving the problem with CasC secrets interpolation, but we incur a layer of indirection. If a provider is fed with a credential, we'd have to supply that credential somehow... through another provider. We'd likely put this credential in the default on-disk provider. When we configure that through Jenkins CasC, you would set up that on-disk credential elsewhere in the casc.yml file. But we wouldn't want the secret to be in plain text there either. And we'd have to solve that with... CasC secrets interpolation.
- If, later on, this plugin gains support for serving the same type of credential as it uses for bootstrapping, this could lead to an awkward chicken-and-egg situation where it tries to get the bootstrapping credential from itself, before it has initialised. That'll probably lead to a crash.
from aws-secrets-manager-credentials-provider-plugin.
These difficulties are to be expected though: solving the credential bootstrapping problem in Jenkins is hard! Even CasC secrets interpolation just kicks the problem one step further down the road; the secrets must still be injected from somewhere.
The only proper solution to this if you're running Jenkins inside AWS is... you guessed it, IAM roles with EC2 Instance Profiles (or the EKS equivalent), which allows the connection to Secrets Manager without hardcoding an access key on the box.
from aws-secrets-manager-credentials-provider-plugin.
I see your point regarding storing the secretAccessKey as credentials in Jenkins.
What do you think about combining the static credentials with the role?
from aws-secrets-manager-credentials-provider-plugin.
I was about to restore the old code when I realised there would be another problem. This plugin is both a CredentialsProvider and a SecretSource. The SecretSource implementation runs early in Jenkins initialisation; when CasC calls upon it to interpolate secret values in casc.yml. This means that if the plugin's access key pair is supplied in casc.yml, it will not be available when the SecretSource implementation needs it. Indeed this is why I had to invent the AWS_SERVICE_ENDPOINT
and AWS_SIGNING_REGION
environment variables - so that the endpoint configuration could be set during the integration tests.
So I'm not sure we can do what you're after :/
from aws-secrets-manager-credentials-provider-plugin.
@DimaNevelev If you're still watching this, a few things have changed...
First, the SecretSource implementation was extracted into its own plugin.
Second, a new Client configuration feature has been added to the Credentials Provider, which allows you to configure the AWS SDK authentication strategy.
The strategies currently available are
- Default (the AWS SDK provider chain)
- Profile (specify an AWS profile name)
- Instance Role (specify an IAM instance role ARN)
I'm hoping the Profile option might do what you want, but if not, this mechanism would allow the addition of an access key pair strategy (which would let you set a key pair inline in Jenkins configuration). That would be a simple case of another pull request to add the strategy.
Let me know what you think.
from aws-secrets-manager-credentials-provider-plugin.
@DimaNevelev I have now created the feature you asked for in #236
Would you be able to try out the experimental feature (plugin .hpi file is linked below) and let me know whether it works for you?
from aws-secrets-manager-credentials-provider-plugin.
Hi @DimaNevelev , did you manage to find someone who can test this?
from aws-secrets-manager-credentials-provider-plugin.
Sorry, everyone I know left.
from aws-secrets-manager-credentials-provider-plugin.
Related Issues (20)
- Can we pass googleoauth2 parameters in the helm chart with this plugin HOT 2
- when we use filters option and deploy jenkins with configuration as code, plugin is not able to read if secrets are more than 10 HOT 6
- Support AWS credentials HOT 2
- Icons don't display for "SSH User Private Key" & "Certificate" credentials types HOT 4
- Support for browerstack credential kind HOT 2
- Cross-account role access doesn't appear to work HOT 3
- Make this plugin configurable at folder level, not just centrally HOT 7
- AWS EKS 1.24 client is not respecting jenkins-master pod role HOT 5
- casc config reports improper filter value HOT 5
- reading json secrets HOT 2
- Create support for username-password passing without tag value limitations HOT 3
- Support the popular AmazonWebServicesCredentialsBinding credential types HOT 2
- SSH Keys not working with sshagent
- Ability to set STS endpoint
- The plugin does not pick up Jenkins' proxy settings HOT 4
- Content goes to 404 in Jenkins's documentation
- File Credentials stored in AWS cannot be validated HOT 3
- Don't remove credentials during temporary issues HOT 3
- Github app credentials integrations HOT 1
- "Could not list credentials in Secrets Manager" HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-secrets-manager-credentials-provider-plugin.