Access credentials from AWS Secrets Manager in your Jenkins jobs.
- Read-only view of Secrets Manager.
- Credential metadata caching (duration: 5 minutes).
- Jenkins Configuration As Code support.
- Cross-account Secrets Manager support with IAM roles.
Settings:
- Filters
  - Filter secrets by tag
- Endpoint Configuration
  - Service Endpoint
  - Signing Region
Install and configure the plugin.
Give Jenkins read access to Secrets Manager with an IAM policy.
Required permissions:
- `secretsmanager:GetSecretValue` (resource: `*`)
- `secretsmanager:ListSecrets`

Optional permissions:
- `kms:Decrypt` (if you use a customer-managed KMS key to encrypt the secret)
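The shell script below is an added example, not part of the plugin's README, that writes an IAM policy document granting exactly the permissions listed above. The function names, the output path, the policy name and the KMS key ARN are this example's own placeholders; the `kms:Decrypt` statement is emitted only when a key ARN is passed, and it is scoped to that one key.

```shell
# Added example, not from the plugin's README: writes an IAM policy document
# with the read-only permissions listed above. The output path and the KMS
# key ARN are placeholders supplied by the caller.

write_jenkins_secrets_policy() {
  # $1 = path of the JSON file to write
  # $2 = ARN of a customer-managed KMS key (optional; omit for the AWS-managed key)
  out="$1"
  kms_arn="${2:-}"
  kms_stmt=""
  if [ -n "$kms_arn" ]; then
    # Optional statement: only needed when the secret is encrypted with a
    # customer-managed key, and limited to that single key.
    kms_stmt=",
    {
      \"Sid\": \"DecryptCustomerManagedKey\",
      \"Effect\": \"Allow\",
      \"Action\": \"kms:Decrypt\",
      \"Resource\": \"$kms_arn\"
    }"
  fi
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "JenkinsReadSecretsManager",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }$kms_stmt
  ]
}
EOF
}

policy_has_action() {
  # $1 = policy file, $2 = IAM action; succeeds if the action appears in the file
  grep -q "\"$2\"" "$1"
}
```

Run `write_jenkins_secrets_policy jenkins-secrets-read.json` (add the key ARN as a second argument if the secret uses a customer-managed key), then create the policy with `aws iam create-policy --policy-name JenkinsSecretsManagerRead --policy-document file://jenkins-secrets-read.json` and attach it to the role the Jenkins controller runs under.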
- Upload the secret to Secrets Manager as shown below (see also the AWS documentation).
- Reference the secret by name in your Jenkins job.
A Secrets Manager secret acts as one of the following Jenkins credential types, depending on the data and metadata that you put in it.
A simple secret string.
```shell
aws secretsmanager create-secret --name 'newrelic-api-key' --secret-string 'abc123' --description 'Acme Corp Newrelic API key'
```
```groovy
pipeline {
    agent any
    environment {
        NEWRELIC_API_KEY = credentials('newrelic-api-key')
    }
    stages {
        stage('Foo') {
            steps {
                echo 'Hello world'
            }
        }
    }
}
```
```groovy
node {
    withCredentials([string(credentialsId: 'newrelic-api-key', variable: 'NEWRELIC_API_KEY')]) {
        echo 'Hello world'
    }
}
```
A username and password pair.
```shell
aws secretsmanager create-secret --name 'artifactory' --secret-string 'supersecret' --tags 'Key=jenkins:credentials:username,Value=joe' --description 'Acme Corp Artifactory login'
```
```groovy
pipeline {
    agent any
    environment {
        // Creates variables ARTIFACTORY=joe:supersecret, ARTIFACTORY_USR=joe, ARTIFACTORY_PSW=supersecret
        ARTIFACTORY = credentials('artifactory')
    }
    stages {
        stage('Foo') {
            steps {
                echo 'Hello world'
            }
        }
    }
}
```
```groovy
node {
    withCredentials([usernamePassword(credentialsId: 'artifactory', usernameVariable: 'ARTIFACTORY_USR', passwordVariable: 'ARTIFACTORY_PSW')]) {
        echo 'Hello world'
    }
}
```
A private key with a username.
The plugin supports the following private key formats and encoding schemes:
- Format: PEM
- Encoding:
  - PKCS#1 (starts with `-----BEGIN [ALGORITHM] PRIVATE KEY-----`)
  - PKCS#8 (starts with `-----BEGIN PRIVATE KEY-----`)
  - OpenSSH (starts with `-----BEGIN OPENSSH PRIVATE KEY-----`)
```shell
ssh-keygen -t rsa -b 4096 -C '[email protected]' -f id_rsa
aws secretsmanager create-secret --name 'ssh-key' --secret-string 'file://id_rsa' --tags 'Key=jenkins:credentials:username,Value=joe' --description 'Acme Corp SSH key'
```
```groovy
pipeline {
    agent any
    environment {
        // Creates variables KEY=/temp/path/to/key, KEY_USR=joe
        KEY = credentials('ssh-key')
    }
    stages {
        stage('Foo') {
            steps {
                echo 'Hello world'
            }
        }
    }
}
```
```groovy
node {
    withCredentials([sshUserPrivateKey(credentialsId: 'ssh-key', keyFileVariable: 'KEY', usernameVariable: 'KEY_USR')]) {
        echo 'Hello world'
    }
}
```
A client certificate in PKCS#12 format.
The plugin requires the .p12 file to be encrypted with a zero-length password, as demonstrated below.
```shell
openssl pkcs12 -export -in /path/to/cert.pem -inkey /path/to/key.pem -out certificate.p12 -passout pass:
aws secretsmanager create-secret --name 'code-signing-cert' --secret-binary 'fileb://certificate.p12' --description 'Acme Corp code signing certificate'
```
```groovy
node {
    withCredentials([certificate(credentialsId: 'code-signing-cert', keystoreVariable: 'STORE_FILE')]) {
        echo 'Hello world'
    }
}
```
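The script below is an added example, not the plugin's own code, covering the two file-based credential types above: it classifies a PEM private key by its first line into the three encodings the README lists (PKCS#1, PKCS#8, OpenSSH) and refuses anything else, and it confirms that a PKCS#12 bundle really opens with a zero-length password before it is uploaded. The function names are this example's own; the `.p12` check needs the `openssl` CLI, and the sample key file it creates is a constructed header-only stand-in, not a real key.

```shell
# Added example, not the plugin's own code: pre-upload checks for the SSH
# private key and PKCS#12 certificate credential types. The accepted headers
# are the three listed in the README above; everything else is refused.

key_encoding() {
  # Classify a PEM private key file by its first line.
  # Prints: openssh | pkcs8 | pkcs1 | unsupported
  # A passphrase-protected PKCS#8 key ("-----BEGIN ENCRYPTED PRIVATE KEY-----")
  # has a header that is not in the README's list, so it is reported as
  # unsupported here (assumption of this example).
  first=$(head -n 1 "$1")
  case "$first" in
    '-----BEGIN OPENSSH PRIVATE KEY-----')    echo openssh ;;
    '-----BEGIN PRIVATE KEY-----')            echo pkcs8 ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----')  echo unsupported ;;
    '-----BEGIN '*' PRIVATE KEY-----')        echo pkcs1 ;;
    *)                                        echo unsupported ;;
  esac
}

check_key_for_upload() {
  # Succeeds only for one of the supported encodings, so a stray public key,
  # PuTTY .ppk or truncated file is caught before it reaches Secrets Manager.
  enc=$(key_encoding "$1")
  case "$enc" in
    openssh|pkcs8|pkcs1)
      echo "ok: $1 is a PEM private key ($enc)"
      return 0 ;;
    *)
      echo "refusing: $1 is not a supported PEM private key" >&2
      return 1 ;;
  esac
}

p12_has_empty_password() {
  # The plugin requires the .p12 to be protected with a zero-length password.
  # This opens the bundle with an empty password and fails if that is wrong.
  # Needs the openssl CLI.
  openssl pkcs12 -in "$1" -passin pass: -noout >/dev/null 2>&1
}

demo() {
  # Constructed sample: a header-only file standing in for a real key.
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-sample' '-----END OPENSSH PRIVATE KEY-----' > "$d/id_rsa"
  check_key_for_upload "$d/id_rsa"
  rm -rf "$d"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Source the file and run `check_key_for_upload id_rsa` before the `create-secret --secret-string 'file://id_rsa'` step, and `p12_has_empty_password certificate.p12` before uploading the certificate; `RUN_DEMO=1 sh checks.sh` runs the constructed sample.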
The plugin's default behavior requires no configuration.
You can set plugin configuration using the Web UI.
Go to Manage Jenkins > Configure System > AWS Secrets Manager Credentials Provider and change the settings.
You can set plugin configuration using Jenkins Configuration As Code.
```yaml
unclassified:
  awsCredentialsProvider:
    filters:
      tag:
        key: product
        value: roadrunner
    endpointConfiguration:
      serviceEndpoint: http://localhost:4584
      signingRegion: us-east-1
```
All secrets must be uploaded via the AWS CLI or API. This is because the AWS Web console currently insists on wrapping your secret string in JSON.
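As an added example (not from the plugin's README), the script below detects the failure mode this caveat describes: a secret whose stored string is a JSON object such as `{"newrelic-api-key":"abc123"}` rather than the raw value. The function names are this example's own; `check_secret_not_wrapped` needs the AWS CLI and credentials, while `is_json_wrapped` runs offline.

```shell
# Added example, not from the plugin's README: flags a secret string that was
# stored as a JSON object (the shape the AWS console produces) instead of the
# raw value the plugin expects.

is_json_wrapped() {
  # Succeeds (returns 0) if the string, ignoring surrounding whitespace,
  # starts with "{" and ends with "}"; fails otherwise.
  s=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  case "$s" in
    '{'*'}') return 0 ;;
    *)       return 1 ;;
  esac
}

check_secret_not_wrapped() {
  # $1 = secret name or ARN. Fetches the current value and warns if it is a
  # JSON object; re-upload such secrets via the CLI as shown above.
  value=$(aws secretsmanager get-secret-value --secret-id "$1" \
            --query SecretString --output text)
  if is_json_wrapped "$value"; then
    echo "WARN: $1 is stored as a JSON object, not a raw secret string" >&2
    return 1
  fi
  echo "ok: $1 holds a raw secret string"
}
```

Run `check_secret_not_wrapped newrelic-api-key` after creating a secret; a warning means the value was wrapped and should be re-created with `aws secretsmanager create-secret --secret-string` as in the examples above.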
- Docker
- Java
- Maven
In Maven:

```shell
mvn verify
```

In your IDE:
- Generate translations: `mvn localizer:generate`. (This is a one-off task. You only need to re-run this if you change the translations, or if you clean the Maven target directory.)
- Compile.
- Start Moto: `mvn docker:build docker:start`.
- Run tests.
- Stop Moto: `mvn docker:stop`.