What feature do you want to see added?

When using assume role the plugin makes all requests against the global STS endpoint in US East 1. We'd like to be able to use a regional endpoint such as sts.eu-west-1.amazonaws.com.

This does not appear to possible now given the available configuration options.

Upstream changes

No response

Per the AWS docs it should be possible to make this plugin use Secrets Manager in a different AWS account with nothing more than standard AWS environment variables.

However some people have struggled with this, so it's not as easy as it should be.

Dependencies

• Support GithubApp credentials: https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc

Feature Request

I can't see a way to plug in Github App credentials. Could this be feasibly supported?

These credentials are used in jobs like multibranchPipelineJob.

Jenkins and plugins versions report

What Operating System are you using (both controller, and any agents involved in the problem)?

Getting Filename too long for few files when doing repo clone

Reproduction steps

git clone

Expected Results

Should be able to clone

Actual Results

Cloning into 'C:\Users\xyz\GitHub\aws-secrets-manager-credentials-provider-plugin'...
remote: Enumerating objects: 1958, done.
remote: Counting objects: 100% (552/552), done.
remote: Compressing objects: 100% (308/308), done.
remote: Total 1958 (delta 245), reused 431 (delta 161), pack-reused 1406
Receiving objects: 100% (1958/1958), 1.24 MiB | 3.37 MiB/s, done.
Resolving deltas: 100% (802/802), done.
error: unable to create file src/test/resources/io/jenkins/plugins/credentials/secretsmanager/config/migrations/ChangeFiltersToListSecretsFiltersTest/io.jenkins.plugins.credentials.secretsmanager.config.PluginConfiguration.xml: Filename too long
error: unable to create file src/test/resources/io/jenkins/plugins/credentials/secretsmanager/config/migrations/MoveEndpointConfigurationToClientTest/io.jenkins.plugins.credentials.secretsmanager.config.PluginConfiguration.xml: Filename too long
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry with 'git restore --source=HEAD :/'

Anything else?

No response

The plugin's private AWS-backed credential implementations e.g. AwsStringCredentials are shown in the Add Credentials wizard. However the user cannot and should not create these from Jenkins; they are read-only types, backed by Secrets Manager.

Find a way to hide the private credential types, so they don't appear in the Add Credentials wizard.

Feature Request

Some of our secrets are stored in JSON format (example from aws cli):

{
  "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
  "Name": "MyTestDatabaseSecret",
  "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE",
  "SecretString": "{\n  \"username\":\"david\",\n  \"password\":\"BnQw&XDWgaEeT9XGTT29\"\n}\n",
  "VersionStages": [
    "AWSPREVIOUS"
  ],
  "CreatedDate": 1523477145.713
}

To access this type of secret from Jenkins, we currently duplicate them in the format supported by this plugin for username/password secrets ("raw" secret with the tags jenkins:credentials:type = usernamePassword and jenkins:credentials:username = david).

We would like to avoid this duplication, as it is currently a manual step for us and we need to keep the duplicated secrets manually in sync during password rotations.

Suggestion

Support a set of additional tags for the jenkins:credentials:type = usernamePassword type, which allows the plugin to read the correct JSON fields:
jenkins:credentials:usernameField = username
jenkins:credentials:passwordField = password
This would allow any JSON formatted secret and support any possible field names.

To clarify, the following JSON secret:

  "SecretString": "{\n  \"user\":\"david\",\n  \"pass\":\"BnQw&XDWgaEeT9XGTT29\"\n}\n",

would have the following tags attached:
jenkins:credentials:type = usernamePassword
jenkins:credentials:usernameField = user
jenkins:credentials:passwordField = pass

Alternative

A simpler, less flexible alternative would be to add a new credentials type specifically for the common JSON format with username and password fields. Possibly jenkins:credentials:type = jsonUsernamePassword.

What feature do you want to see added?

The Jenkins BrowserStack plugin requires the credential kind 'browserstack' in order to be selected in the Jenkins -> Configure System (browserstack) section.

Upstream changes

No response

Jenkins and plugins versions report

I've noticed that the plugin is using the IAM role of the EC2 instance where is running instead of use the IAM role of the pod (https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/).

All env variables looks good:

jenkins@jenkins-test-0:/$ env | grep -i aws
AWS_DEFAULT_REGION=eu-central-1
AWS_REGION=eu-central-1
AWS_ROLE_ARN=arn:aws:iam::1234567:role/test-jenkins-role
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
jenkins@jenkins-test-0:/$

But when Jenkins wants to get credentials it's not using the right role:

Jan 13, 2022 11:23:11 AM WARNING io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider getCredentials

Could not list credentials in Secrets Manager: message=[User: arn:aws:sts::1234567:assumed-role/eks-NodeInstanceRole-QWERTY/i-0c8134712934 is not authorized to perform: secretsmanager:ListSecrets because no identity-based policy allows the secretsmanager:ListSecrets action (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: f3177c8b-e8a8-4cd8-8a0a-37bb0c5de346; Proxy: null)]

I've tried configuring the env variables manually in the pod and creating the .aws/credentials file but the result it's always the same.
Finally I confirmed the problem adding privileges to get secrets to the instance IAM role and everything worked without issues.

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins: 2.303.3
OS: Linux - 5.4.91-41.139.amzn2.x86_64

ace-editor:1.1
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-credentials:1.33
aws-java-sdk:1.12.131-302.vbef9650c6521
aws-java-sdk-cloudformation:1.12.131-302.vbef9650c6521
aws-java-sdk-codebuild:1.12.131-302.vbef9650c6521
aws-java-sdk-ec2:1.12.131-302.vbef9650c6521
aws-java-sdk-ecr:1.12.131-302.vbef9650c6521
aws-java-sdk-ecs:1.12.131-302.vbef9650c6521
aws-java-sdk-elasticbeanstalk:1.12.131-302.vbef9650c6521
aws-java-sdk-iam:1.12.131-302.vbef9650c6521
aws-java-sdk-logs:1.12.131-302.vbef9650c6521
aws-java-sdk-minimal:1.12.131-302.vbef9650c6521
aws-java-sdk-ssm:1.12.131-302.vbef9650c6521
aws-secrets-manager-credentials-provider:0.5.6
aws-secrets-manager-secret-source:0.0.1
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-4
bouncycastle-api:2.25
branch-api:2.7.0
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-folder:6.17
command-launcher:1.2
configuration-as-code:1.54
credentials:2.6.1
credentials-binding:1.27.1
display-url-api:2.3.5
durable-task:493.v195aefbb0ff2
echarts-api:5.2.2-2
font-awesome-api:5.15.4-5
git:4.10.0
git-client:3.11.0
git-server:1.10
handlebars:3.0.8
jackson2-api:2.13.1-246.va8a9f3eaf46a
javax-activation-api:1.2.0-2
javax-mail-api:1.6.2-5
jaxb:2.3.0
jdk-tool:1.0
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes:1.30.11
kubernetes-client-api:5.11.2-182.v0f1cf4c5904e
kubernetes-credentials:0.9.0
lockable-resources:2.13
mailer:408.vd726a_1130320
matrix-project:1.20
metrics:4.0.2.8.1
momentjs:1.1.1
pipeline-build-step:2.15
pipeline-graph-analysis:188.v3a01e7973f2c
pipeline-input-step:427.va6441fa17010
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.20
pipeline-stage-step:291.vf0a8a7aeeb50
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.20
plain-credentials:1.7
plugin-util-api:2.12.0
popper-api:1.16.1-2
popper2-api:2.11.2-1
scm-api:595.vd5a_df5eb_0e39
script-security:1131.v8b_b_5eda_c328e
snakeyaml-api:1.29.1
ssh-credentials:1.19
sshd:3.1.0
structs:308.v852b473a2b8c
thycotic-secret-server:1.0.0
trilead-api:1.0.13
variant:1.4
workflow-aggregator:2.6
workflow-api:1108.v57edf648f5d4
workflow-basic-steps:2.24
workflow-cps:2648.va9433432b33c
workflow-cps-global-lib:552.vd9cc05b8a2e1
workflow-durable-task-step:1112.vda00e6febcc1
workflow-job:1145.v7f2433caa07f
workflow-multibranch:706.vd43c65dec013
workflow-scm-step:2.13
workflow-step-api:622.vb_8e7c15b_c95a_
workflow-support:813.vb_d7c3d2984a_0

Reproduction steps

Steps to reproduce:

1. Deploy Jenkins in kubernetes with grained iam roles
2. Install aws-secrets-manager-credentials-provider-plugin
3. Try to use it

Expected Results

Jenkins will get Jenkins credentials from AWS Secret Manager using the pod IAM role.

Actual Results

Jenkins uses the instance IAM role to get secrets.

Anything else?

No response

Jenkins and plugins versions report

Jenkins Version - 2.346.3
aws secret manger Plugin Version - 1.1.0

What Operating System are you using (both controller, and any agents involved in the problem)?

We are running jenkins as kubernetes pod using helm charts, below are chart details

repo name - https://charts.jenkins.io/
chart name - jenkins
version - 3.5.14

Reproduction steps

  awsCredentialsProvider:
    cache: true
    listSecrets:
      filters:
        - key: name
          values:
            %{ for s in secrets ~}
            - ${s}
            %{ endfor ~}

Above is the aws secret manager plugin config used to deploy jenkins as code.
You can assume we are looping through secrets, in the above config.

when the secrets list less than 10 or 10, it works without any issue. But when we provide secrets more than 10 then jenkins is not able to read any of the secret.

When we check the logs it says

Could not list credentials in Secrets Manager: message=[1 validation error detected: Value'[secret1, secrets2....' at 'filters.1.member.values' failed to satisfy constraint: Member must have length less than or equal to 10 (Service: AWSSecretsManager; Status Code: 400; Error Code: ValidationException; Request ID: 4674747477-abccoo-2433; Proxy: null)]

In documentation also I dont see a parameter to configure number of secrets.

Expected Results

We should have field by which we can configure number of secrets to read or all allowed secrets should be read.

Actual Results

We should have field by which we can configure number of secrets to read or all allowed secrets should be read.

Anything else?

No response

Version report

https://stackoverflow.com/questions/68287374/jenkins-startup-fails-on-aws-ecs-due-to-secrets-manager-credentials-provider-plu <- also posted this.

Jenkins and plugins versions report:

Jenkins 2.289.2 (jenkins/jenkins:lts-jdk11)
I don't specify a version number during the install so plugins.sh always installs the lates version.

• What Operating System are you using (both controller, and any agents involved in the problem)?

amazonLinux2

Reproduction steps

1. Create an AWS ECS Cluster Running amazonLinux2
2. Create a secret in AWS Secrets Manager
3. Using JCasC specify a secret to pull from AWS
4. Build a docker image (FROM jenkins/jenkins:lts-jdk11) and run '/usr/local/bin/install-plugins.sh' to install the secrets plugin, also copy the JcasC yaml file to the image.
5. Build and Upload the docker image to AWS ECR
6. Create a task that uses the built docker image
7. Deploy the task the cluster created in step 1

Results

Expected result:

Jenkins starts up, and can access the secrets.

Actual result:

java.lang.NullPointerException
	at io.jenkins.plugins.credentials.secretsmanager.AwsSecretSource.reveal(AwsSecretSource.java:35)
	at io.jenkins.plugins.casc.SecretSourceResolver$ConfigurationContextStringLookup.lambda$lookup$ad236547$1(SecretSourceResolver.java:141)
	at io.vavr.CheckedFunction0.lambda$unchecked$52349c75$1(CheckedFunction0.java:247)
	at io.jenkins.plugins.casc.SecretSourceResolver$ConfigurationContextStringLookup.lambda$lookup$0(SecretSourceResolver.java:141)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1632)
	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127)
	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:543)
	at io.jenkins.plugins.casc.SecretSourceResolver$ConfigurationContextStringLookup.lookup(SecretSourceResolver.java:143)
	at org.apache.commons.text.lookup.InterpolatorStringLookup.lookup(InterpolatorStringLookup.java:144)
	at org.apache.commons.text.StringSubstitutor.resolveVariable(StringSubstitutor.java:1067)
	at org.apache.commons.text.StringSubstitutor.substitute(StringSubstitutor.java:1433)
	at org.apache.commons.text.StringSubstitutor.substitute(StringSubstitutor.java:1308)
	at org.apache.commons.text.StringSubstitutor.replaceIn(StringSubstitutor.java:1019)
	at io.jenkins.plugins.casc.SecretSourceResolver.resolve(SecretSourceResolver.java:109)
	at io.jenkins.plugins.casc.impl.configurators.PrimitiveConfigurator.configure(PrimitiveConfigurator.java:44)
	at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.tryConstructor(DataBoundConfigurator.java:159)
	at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.instance(DataBoundConfigurator.java:76)
	at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:267)
	at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.configure(DataBoundConfigurator.java:82)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$doConfigure$16668e2$1(HeteroDescribableConfigurator.java:277)
	at io.vavr.CheckedFunction0.lambda$unchecked$52349c75$1(CheckedFunction0.java:247)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.doConfigure(HeteroDescribableConfigurator.java:277)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$configure$2(HeteroDescribableConfigurator.java:86)
	at io.vavr.control.Option.map(Option.java:392)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$configure$3(HeteroDescribableConfigurator.java:86)
	at io.vavr.Tuple2.apply(Tuple2.java:238)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.configure(HeteroDescribableConfigurator.java:83)
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.configure(HeteroDescribableConfigurator.java:55)
	at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.tryConstructor(DataBoundConfigurator.java:151)
	at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.instance(DataBoundConfigurator.java:76)
	at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:267)
	at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.check(DataBoundConfigurator.java:100)
	at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:344)
	at io.jenkins.plugins.casc.BaseConfigurator.check(BaseConfigurator.java:287)
	at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:351)
	at io.jenkins.plugins.casc.BaseConfigurator.check(BaseConfigurator.java:287)
	at io.jenkins.plugins.casc.ConfigurationAsCode.lambda$checkWith$8(ConfigurationAsCode.java:777)
	at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:713)
	at io.jenkins.plugins.casc.ConfigurationAsCode.checkWith(ConfigurationAsCode.java:777)
	at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:762)
	at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:638)
	at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:307)
	at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:299)
Caused: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:104)
Caused: java.lang.Error
	at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:110)
	at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:175)
	at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
	at jenkins.model.Jenkins$5.runTask(Jenkins.java:1129)
	at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
	at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused: org.jvnet.hudson.reactor.ReactorException
	at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:282)
	at jenkins.InitReactorRunner.run(InitReactorRunner.java:49)
	at jenkins.model.Jenkins.executeReactor(Jenkins.java:1162)
	at jenkins.model.Jenkins.<init>(Jenkins.java:960)
	at hudson.model.Hudson.<init>(Hudson.java:86)
	at hudson.model.Hudson.<init>(Hudson.java:82)
	at hudson.WebAppMain$3.run(WebAppMain.java:295)
Caused: hudson.util.HudsonFailedToLoad
	at hudson.WebAppMain$3.run(WebAppMain.java:312)

Feature Request

In my organization, every team has its own Jenkins instance running on K8S. This K8s and the instances are managed by an allocated team.
Since this is K8s we can't just give roles to the nodes (ec2 instances) because we need segregation between the teams.
They can set IAM role for a service account, but we don't want to go this path because it will be hard to maintain...
Instead, we want to give the teams API keys (functional users) and roles to access the AWS secrets manager.
The problem is they have access only to the Jenkins UI, and they can't edit the infrastructure. i.e., EnvVars, Java props, user profile authentication are out of the scope...
I would like to have the ability to set up my AWS API key+secret (or credentials id) and AWS role that will be used to pull the credentials...
p.s. Any workaround will be appreciated.

Jenkins and plugins versions report

Jenkins: 2.361.2.1
OS: Linux - 5.4.209-116.367.amzn2.x86_64
---
ace-editor:1.1
apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61
authentication-tokens:1.4
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-cloudformation:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-codebuild:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ec2:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ecr:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ecs:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-elasticbeanstalk:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-iam:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-logs:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-minimal:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-sns:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-sqs:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ssm:1.12.246-349.v96b_b_f7eb_a_c3c
aws-secrets-manager-credentials-provider:1.2.0
blueocean-commons:1.25.8
bootstrap4-api:4.6.0-5
bootstrap5-api:5.2.0-1
bouncycastle-api:2.26
branch-api:2.1046.v0ca_37783ecc5
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.5
cloudbees-administrative-monitors:1.0.5
cloudbees-analytics:1.42
cloudbees-assurance:2.276.0.23
cloudbees-blueocean-default-theme:0.8
cloudbees-folder:6.758.vfd75d09eea_a_1
cloudbees-folders-plus:3.29
cloudbees-github-reporting:1.31
cloudbees-groovy-view:1.14
cloudbees-jenkins-advisor:3.3.3
cloudbees-jsync-archiver:5.25
cloudbees-license:9.68
cloudbees-monitoring:2.15
cloudbees-nodes-plus:1.24
cloudbees-platform-common:1.18
cloudbees-platform-data:1.29
cloudbees-plugin-usage:2.17
cloudbees-ssh-slaves:2.19
cloudbees-support:3.30
cloudbees-template:4.58
cloudbees-uc-data-api:4.50
cloudbees-unified-ui:1.22
cloudbees-view-creation-filter:1.9
cloudbees-workflow-template:3.18
cloudbees-workflow-ui:2.8
command-launcher:84.v4a_97f2027398
credentials:1143.vb_e8b_b_ceee347
credentials-binding:523.vd859a_4b_122e6
display-url-api:2.3.6
durable-task:500.v8927d9fd99d8
echarts-api:5.3.3-1
email-ext:2.91
font-awesome-api:6.1.2-1
git:4.11.5
git-client:3.11.2
github:1.35.0
github-api:1.303-400.v35c2d8258028
github-branch-source:1695.v88de84e9f6b_9
gradle:1.39.4
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
infradna-backup:3.38.56
instance-identity:116.vf8f487400980
jackson2-api:2.13.3-285.vc03c0256d517
jakarta-activation-api:2.0.1-1
jakarta-mail-api:2.0.1-1
javax-activation-api:1.2.0-4
javax-mail-api:1.6.2-7
jaxb:2.3.6-1
jdk-tool:55.v1b_32b_6ca_f9ca
jjwt-api:0.11.5-77.v646c772fddb_0
jquery3-api:3.6.0-4
jsch:0.1.55.61.va_e9ee26616e7
junit:1119.1121.vc43d0fc45561
kube-agent-management:1.1.56
kubernetes:3697.v771155683e38
kubernetes-client-api:5.12.2-193.v26a_6078f65a_9
kubernetes-credentials:0.9.0
ldap:2.12
mailer:438.v02c7f0a_12fa_4
mapdb-api:1.0.9-28.vf251ce40855d
matrix-project:785.v06b_7f47b_c631
metrics:4.2.10-389.v93143621b_050
mina-sshd-api-common:2.9.1-44.v476733c11f82
mina-sshd-api-core:2.9.1-44.v476733c11f82
mina-sshd-api-scp:2.9.1-44.v476733c11f82
mina-sshd-api-sftp:2.9.1-44.v476733c11f82
momentjs:1.1.1
nectar-license:8.41
nectar-rbac:5.76
node-iterator-api:49.v58a_8b_35f8363
oauth-credentials:0.5
okhttp-api:4.9.3-108.v0feda04578cf
operations-center-agent:2.361.0.1
operations-center-client:2.361.0.1
operations-center-cloud:2.361.0.2
operations-center-context:2.361.0.2
pipeline-build-step:2.18
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:612.v84da_9c54906d
pipeline-input-step:449.v77f0e8b_845c4
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2114.v2654ca_721309
pipeline-model-definition:2.2114.v2654ca_721309
pipeline-model-extensions:2.2114.v2654ca_721309
pipeline-rest-api:2.24
pipeline-stage-step:296.v5f6908f017a_5
pipeline-stage-tags-metadata:2.2114.v2654ca_721309
pipeline-stage-view:2.24
plain-credentials:139.ved2b_9cf7587b
plugin-util-api:2.17.0
popper-api:1.16.1-3
popper2-api:2.11.6-1
scm-api:621.vda_a_b_055e58f7
script-security:1175.v4b_d517d6db_f0
snakeyaml-api:1.31-84.ve43da_fb_49d0b
ssh-credentials:305.v8f4381501156
sshd:3.249.v2dc2ea_416e33
structs:324.va_f5d6774f3a_d
support-core:1206.v14049fa_b_d860
token-macro:308.v4f2b_ed62b_b_16
trilead-api:2.72.v2a_3236754f73
unique-id:2.2.1
user-activity-monitoring:1.8
variant:59.vf075fe829ccb
workflow-aggregator:590.v6a_d052e5a_a_b_5
workflow-api:1192.v2d0deb_19d212
workflow-basic-steps:994.vd57e3ca_46d24
workflow-cps:2759.v87459c4eea_ca_
workflow-cps-checkpoint:2.13
workflow-durable-task-step:1199.v02b_9244f8064
workflow-job:1232.v5a_4c994312f1
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:838.va_3a_087b_4055b

What Operating System are you using (both controller, and any agents involved in the problem)?

Controller is running in a container on k8s, the host is Amazon Linux.

Reproduction steps

Create secrets for the plugin with the below types in AWS:

• SSH User Private Key
• Certificate

View secrets in Credentials menu inside of the controller.

Expected Results

All icons are displayed for all credentials types.

Actual Results

Icons for the below secret types are not displayed.

• SSH User Private Key
• Certificate

Anything else?

Technically we are not running plain Jenkins, our Jenkins controller was setup using CloudBees CI operations center.

This was also tested when these secret types are created locally in Jenkins controller and the icons display correctly, which suggests an issue with the plugin and not Jenkins.

Image of the problem:

Image of the differences in HTML (IMG vs SVN):

What feature do you want to see added?

We manage a Jenkins instance which handles hundreds of pipelines. These pipelines often use AWS credentials from the AWS Credentials plugin like the following example:

withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId : AWS_CREDS]]) {
    sh("make deploy_prod")  
 }

Or:

withCredentials([[$class: "AmazonWebServicesCredentialsBinding",
     accessKeyVariable: "AWS_ACCESS_KEY_ID",
     credentialsId    : FOOBAR_ACCESS_CREDS,
     secretKeyVariable: "AWS_SECRET_ACCESS_KEY"]]) {
         sh("""AWS_DEFAULT_REGION=${STACK_REGION} make promote-foobar""")
}

Storing these AWS credentials in AWS would make it easy to rotate them. It is likely possible to use the workarounds listed in https://plugins.jenkins.io/aws-secrets-manager-credentials-provider/#plugin-content-advanced-usage, but is not feasible for us because it would require the rewriting of hundreds of invocations in pipelines we do not own.

Upstream changes

No response

Jenkins and plugins versions report

Jenkins: 2.346.1
OS: Linux - 5.15.0-1015-aws
---
ace-editor:1.1
ant:475.vf34069fef73c
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.17.0
audit-trail:3.11
authentication-tokens:1.4
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-cloudformation:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-codebuild:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ec2:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ecr:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ecs:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-elasticbeanstalk:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-iam:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-logs:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-minimal:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-sns:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-sqs:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ssm:1.12.246-349.v96b_b_f7eb_a_c3c
aws-secrets-manager-credentials-provider:1.2.0
bitbucket:223.vd12f2bca5430
bitbucket-build-status-notifier:1.4.2
blueocean:1.25.5
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.5
blueocean-commons:1.25.5
blueocean-config:1.25.5
blueocean-core-js:1.25.5
blueocean-dashboard:1.25.5
blueocean-display-url:2.4.1
blueocean-events:1.25.5
blueocean-git-pipeline:1.25.5
blueocean-github-pipeline:1.25.5
blueocean-i18n:1.25.5
blueocean-jwt:1.25.5
blueocean-personalization:1.25.5
blueocean-pipeline-api-impl:1.25.5
blueocean-pipeline-editor:1.25.5
blueocean-pipeline-scm-api:1.25.5
blueocean-rest:1.25.5
blueocean-rest-impl:1.25.5
blueocean-web:1.25.5
bootstrap4-api:4.6.0-5
bootstrap5-api:5.1.3-7
bouncycastle-api:2.26
branch-api:2.1046.v0ca_37783ecc5
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.4
cloudbees-bitbucket-branch-source:784.v7fcdc7c670f6
cloudbees-folder:6.729.v2b_9d1a_74d673
command-launcher:84.v4a_97f2027398
commons-lang3-api:3.12.0.0
commons-text-api:1.9-9.v39a_53e2e0343
config-file-provider:3.11.1
configuration-as-code:1512.vb_79d418d5fc8
credentials:1139.veb_9579fca_33b_
credentials-binding:523.vd859a_4b_122e6
display-url-api:2.3.6
durable-task:496.va67c6f9eefa7
ec2:1.68
echarts-api:5.3.3-1
email-ext:2.91
external-monitor-job:191.v363d0d1efdf8
favorite:2.4.1
font-awesome-api:6.1.1-1
git:4.11.3
git-client:3.11.0
git-server:1.11
github:1.34.4
github-api:1.303-400.v35c2d8258028
github-branch-source:1677.v731f745ea_0cf
gradle:1.39.4
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.30
ivy:2.2
jackson2-api:2.13.3-285.vc03c0256d517
jakarta-activation-api:2.0.0-3
jakarta-mail-api:2.0.0-6
javadoc:217.v905b_86277a_2a_
javax-activation-api:1.2.0-4
javax-mail-api:1.6.2-7
jaxb:2.3.6-1
jdk-tool:1.5
jenkins-design-language:1.25.5
jjwt-api:0.11.5-77.v646c772fddb_0
jnr-posix-api:3.1.15-1
jquery3-api:3.6.0-4
jsch:0.1.55.2
junit:1119.1121.vc43d0fc45561
ldap:2.10
lockable-resources:2.16
mailer:435.v79ef3972b_5c7
matrix-auth:3.1.5
matrix-project:772.v494f19991984
maven-plugin:3.19
mercurial:2.16.2
mina-sshd-api-common:2.8.0-36.v8e25ce90d4b_1
mina-sshd-api-core:2.8.0-36.v8e25ce90d4b_1
momentjs:1.1.1
multiple-scms:0.8
node-iterator-api:1.5.1
okhttp-api:4.9.3-105.vb96869f8ac3a
pam-auth:1.8
pipeline-build-step:2.18
pipeline-github-lib:38.v445716ea_edda_
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:598.vcd66b_a_336510
pipeline-input-step:449.v77f0e8b_845c4
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2114.v2654ca_721309
pipeline-model-definition:2.2114.v2654ca_721309
pipeline-model-extensions:2.2114.v2654ca_721309
pipeline-rest-api:2.24
pipeline-stage-step:293.v200037eefcd5
pipeline-stage-tags-metadata:2.2114.v2654ca_721309
pipeline-stage-view:2.24
plain-credentials:1.8
plugin-util-api:2.17.0
popper-api:1.16.1-3
popper2-api:2.11.5-2
pubsub-light:1.16
resource-disposer:0.19
saml:2.333.vc81e525974a_c
scm-api:616.ve67136f6c77d
script-security:1175.v4b_d517d6db_f0
slave-setup:1.10
snakeyaml-api:1.30.2-76.vc104f7ce9870
sse-gateway:1.25
ssh-agent:295.v9ca_a_1c7cc3a_a_
ssh-credentials:295.vced876c18eb_4
ssh-slaves:1.821.vd834f8a_c390e
sshd:3.242.va_db_9da_b_26a_c3
structs:324.va_f5d6774f3a_d
throttle-concurrents:2.8
timestamper:1.18
token-macro:308.v4f2b_ed62b_b_16
trilead-api:1.67.vc3938a_35172f
variant:59.vf075fe829ccb
windows-slaves:1.8.1
workflow-aggregator:590.v6a_d052e5a_a_b_5
workflow-api:1188.v0016b_4f29881
workflow-basic-steps:980.v82219a_ed188e
workflow-cps:2759.v87459c4eea_ca_
workflow-cps-global-lib:588.v576c103a_ff86
workflow-durable-task-step:1199.v02b_9244f8064
workflow-job:1207.ve6191ff089f8
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:833.va_1c71061486b_
ws-cleanup:0.42

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins server runs on Ubuntu 20.04 LTS
Windows Agents run Windows Server 2019

Reproduction steps

Added SSH key as sshUserPrivateKey credential in AWS
Using the key in checkout() pipeline step

Expected Results

SSH key can be used to clone git repository on every agent

Actual Results

• git clone works fine on Linux agents
• git clone does not work Windows agents

 > git fetch --tags --force --progress -- [email protected]:<workspace>/<repo>.git +refs/heads/*:refs/remotes/origin/* # timeout=10
ERROR: Error cloning remote repo 'origin'
hudson.plugins.git.GitException: Command "git fetch --tags --force --progress -- [email protected]:<workspace>/<repo>.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
stdout: 
stderr: Load key "C:\\Jenkins\\workspace\\d_flichtenheld_core-jenkins-test\\<repo>@tmp\\jenkins-gitclient-ssh453049432504942179.key": invalid format
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2671)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2096)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:84)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:618)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$2.execute(CliGitAPIImpl.java:847)
	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:158)
	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:151)
	at hudson.remoting.UserRequest.perform(UserRequest.java:211)
	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
	at hudson.remoting.Request$2.run(Request.java:376)
	at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:78)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:126)
	at java.lang.Thread.run(Thread.java:750)

Anything else?

Key works on all agents when using the default credentials provider. Which is why I think this might be a bug in the plugin.

Not sure how to debug this further since the key is available as a temp file on the Windows agent only a very short time.

Hi @chriskilding and anyone here that can help.

I have a Jenkins running on EC2 installed with yum, and I attach this policy to the instance:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:kms:<region>:<account>:key/<KMS key ID>",
                "arn:aws:secretsmanager:<region>:<account>:secret:*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        }
    ]
}

However, no matter what I tried Jenkins just does not able to show any keys from secret manager.

I also tried to aws configure and add the token, but Jenkins user by default does not allow login or switch from root account, and I dont want to change that behavior.

Export in env and java variable is not an option (I actually tried them later still not working).

Can someone please help I have worked on this for 6 hours and it does not work, the docs are way too simple to understand what is the exact step. The configuration UI does not even have these configurations except cache and filter, I am really in a limble now.

Thanks.

Describe your use-case which is not covered by existing documentation.

Hi,

I am trying to set up username/password combination with aws secrets manager credential provider plugin. I have created the secret in AWS secrets manager.

Now I am trying to set it up with CasC. I am using https://github.com/jenkinsci/helm-charts to set it up. But I am having a hard time figuring it out. Should it be something like this:

  JCasC:
    defaultConfig: true
    configScripts: {}
    securityRealm: |-
      local:
        allowsSignup: false
        enableCaptcha: false
        users:
        - id: "${chart-admin-username}"
          name: "Jenkins Admin"
          password: "${chart-admin-password}"
    # Ignored if authorizationStrategy is defined in controller.JCasC.configScripts
    authorizationStrategy: |-
      loggedInUsersCanDoAnything:
        allowAnonymousRead: false
    unclassified:
      awsCredentialsProvider:
      cache: (boolean)                 # optional
      client:                          # optional
        credentialsProvider: (object)  # optional
        endpointConfiguration:         # optional
          serviceEndpoint: (URL)
          signingRegion: (string)
      region: (string)               # optional
      listSecrets:                     # optional
        filters:
          - key: name
            values:
              - dockerhub
          - key: tag-key
            values:
              - jenkins:credentials:type
          - key: tag-value
            values:
              - usernamePassword
          - key: description
            values:
              - "dockerhub for Jenkins"
      transformations:           # optional
        description:
          hide: {}
        name:
          removePrefix:
            prefix: (string)

Do you think this information would be useful in documentation?

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

No response

What feature do you want to see added?

Under advance usage within the readme it suggests that multi-field credentials support isn't available yet. For us, we use key value secrets within secrets manager (stored as json) and currently use the readJson method. While this is ok if our pipeline only needed 1-2 secrets we however use many. It seems impractical to use withCredentials and readJson on every step that requires secrets. Additionally making the credential string available as an env var seems to me like a fairly big security concern given that the secret could just be echod out with printenv. Is there an alternative I method for using this I am not seeing or is there room for an enhancement of this plugin? thanks.

Upstream changes

No response

What feature do you want to see added?

This plugin is only configurable at system config. In an environment where is the segregation, the ability to configure at a folder level so teams can configure the role used to lookup credentials, the filters etc and then storing the credentials within that folder would solve many issues. The vault plugin has the ability to configure (although its not storing) at folder level.

Upstream changes

No response

When the custom clients beta feature is enabled, credentials use the secret ARN as their ID rather than the secret name.

However when a job attempts to bind a credential that uses the secret ARN as its ID, the binding fails with an error along the lines of "could not find credential with the ID ''".

The same binding for the same credential works fine when the default client is used, because the credential uses the secret name instead.

Moved from JENKINS-64050

Jenkins and plugins versions report

Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins controller 2.440.3.7 running on CentOS 7.8.2003 x86_64
AWS Secrets Manager Credentials Provider Version1.214.va_0a_d8268d068

Reproduction steps

Installed plugin: AWS Secrets Manager Credentials Provider Version1.214.va_0a_d8268d068

According to the docs, the default configuration should provide authentication to AWS via the instance profile if the server is within EC2 which it is.

The attached instance profile name is: role-deployment-automation-within-ec2

The policy on that profile is:

    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:331560656580:key/20c8ca2e-6073-4aa0-8e2d-65ea10f8a9bc"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:ListSecrets",
                "secretsmanager:DescribeSecret",
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecrets",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "*"
        }
    ]
}

Expected Results

AWS Secrets appear in jenkins credential store

Actual Results

Repeated occurrances of:

May 30, 2024 8:42:40 AM WARNING io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider getCredentials
Could not list credentials in Secrets Manager: message=[Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: You must specify a value for roleArn and roleSessionName, com.amazonaws.auth.profile.ProfileCredentialsProvider@9279de4: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@22deced1: Unable to load credentials. Access key or secret key are null.]]

Anything else?

No response

Are you interested in contributing a fix?

No response

Jenkins and plugins versions report

when viewing the casc config, the filter value is reported as the object address.

 listSecrets:
      filters:
      - key: "name"
        values:
        - "io.jenkins.plugins.credentials.secretsmanager.config.Value@5cd22463"

What Operating System are you using (both controller, and any agents involved in the problem)?

linux

Reproduction steps

add a filter, view casc config

Expected Results

the value of the filter is displayed

Actual Results

object value displayed

Anything else?

No response

I'm helping a customer transition away from hardcoding secrets in their Jenkins declarative pipeline to instead using Secrets Manager. Jenkins runs in a datacenter but this company also uses AWS. I see in the docs that AWS access keys and secret access keys are a supported alternative to roles.

I don't have admin rights to Jenkins...I only have access to code and AWS, so my customer tried installing it and reported back to me the following:

I rolled back the secrets manager plugin thing. It has a requirement to have an IAM role, but our Jenkins is not in AWS and when Jenkins loaded after installing the plugin none of the credentials worked and our workers couldn't even connect and nothing could run. I rolled that back and Jenkins is healthy again, but we won't be able to use that plugin

I explained that the docs say that an IAM role isn't required.

My customer responded:

probably won't use the plugin. Can we just use standard Jenkins credentials instead?
this change brought all Jenkins down and I would have to deploy this off hours with no confidence it would get into working state and I don't see the benefit over standard jenkins credentials

So I wish that the docs for this plugin provided screenshots and/or code snippets for how to make it work without an IAM role (but with access keys and secret access keys instead). Since I don't have access in this account to see it myself and I don't have time to setup my own Jenkins instance, etc.

The setup portion of the docs only say, "Install and configure the plugin."

And the "Web UI" portion of the docs say:

You can set plugin configuration using the Web UI.
Go to Manage Jenkins > Configure System > AWS Secrets Manager Credentials Provider and change the settings.

But it does not give examples of what settings are available and how to configure them. Could those be added to the docs here?

Jenkins and plugins versions report

AWS Secrets Manager Credentials Provider
Version1.198.v839f082578db

What Operating System are you using (both controller, and any agents involved in the problem)?

jenkins/jenkins:alpine
v2.361.3 LTS

Reproduction steps

Following steps here to setup cross-account role for accessing credentials:

• https://github.com/jenkinsci/aws-secrets-manager-credentials-provider-plugin/tree/master/docs/cross-account

I've created the role on the destination account, i've also made sure the trust relationship is correct - i.e that it allows the role used by the Jenkins controller to assume it (this is something we do commonly, so we are familiar with the setup).

We're also using JCaSc plugin, so basically same example as given in the docs:

  unclassified:
        credentialsProvider:
          assumeRole:
            roleArn: "arn:aws-us-gov:iam::************:role/jenkins-secrets-access"
            roleSessionName: "jenkins"

Expected Results

Should be able to see credentials and not any errors in jenkins log.

Actual Results

Logs contain:

Nov 15, 2022 2:04:49 PM WARNING io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider getCredentials
Could not list credentials in Secrets Manager: message=[The security token included in the request is invalid (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 2f9c6d9a-df3b-45e6-8df7-402f53a82f1f; Proxy: null)]

Anything else?

I've validated that there are no issues with the IAM role and assuming role, by creating a pipeline utilising 'withAWS'. As an example, this works fine, and it uses the same role assigned to the Jenkins controller to assume the same role...

        stage('quick test') {
            steps {
                withAWS(role: "arn:aws-us-gov:iam::***********:role/jenkins-secrets-access") {
                    sh "aws secretsmanager list-secrets"
                }
            }
        }

I also experimented with specifying different optional arguments in the plugin, like region, endpoint etc but have not managed to get it to work.

Finally, just to validate the plugin itself was working, I switched it to use the default role (instead of assuming a role), and it was successfully able to see and pull secrets.

Looks like the assume role part just isn't working

What feature do you want to see added?

Hello,
I am using this Jenkins plugin to sync secrets from secretsmanager. Sometimes we get an temporary error when trying to sync the secrets, such as:

WARNING
i.j.p.c.s.AwsCredentialsProvider#getCredentials: Could not list credentials in Secrets Manager: 
message=[Rate exceeded (Service: AWSSecretsManager; Status Code: 400; Error Code: ThrottlingException; Proxy: null)]

When this happens, it seems like the secrets that should come from secret manager are no longer accessible by our jobs. They fail with:

ERROR: Could not find credentials entry with ID `<secret>`

Would it be possible to keep the cached secrets during a failed refresh event (assuming the refresh failed due to a temporary issue). This way temporary issues would not impact our jobs.

Cheers

Upstream changes

No response

Are you interested in contributing this feature?

No response

Dependencies

None

Feature Request

Right now, aws secrets manager plugin doesn't support sshUserPrivateKey with passphrase which is supported by jenkins credentials.

with #43 , it break the plugin for us, we where using it without issues referencing ARNs in our pipelines (luckily we have it only in one so far), we revert to 0.5.2 to have that functionality back.

any chance you can re-introduce it ?

Describe your use-case which is not covered by existing documentation.

In version 0.5.6 we used the Credentials ID set as a variable (using CasC) but it doesn't work in the new version.

CasC example:

unclassified:
  metricsAccessKey:
    accessKeys:
      - canHealthCheck: false
        canMetrics: false
        canPing: true
        canThreadDump: false
        description: "Metrics Plugin"
        key: "${metrics-id}"                            // it doesn't work
        origins: "*"

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

No response

What feature do you want to see added?

Create support for username-password passing without tag value limitations.
Now the DOMAIN\username syntax, common for NetBIOS notation is impossible to store in secret manager as the username is stored as a tag value pair, preventing the use of backslash (''). If username was stored as secrets value, that would not be a limitation.
We currently cannot use the plugin to store our Checkmarx username-password as we mandate it is AD authenticated (We now have to create the Jenkins native username/password to allow our username to be prefixed with the domainname\ )

Upstream changes

No response

Allow credentials to have a different ID that is different from the underlying secret's name.

For example, allow the Jenkins admin to remove a prefix from the secret name:

• When the admin specifies a credential prefix of "staging-"
• Then a secret called "staging-foo" will be shown as a credential with ID "foo"

Moved from JENKINS-63889

Jenkins and plugins versions report

Jenkins: 2.375.2
OS: Linux - 5.4.226-129.415.amzn2.x86_64
---
ace-editor:1.1
allure-jenkins-plugin:2.30.3
antisamy-markup-formatter:155.v795fb_8702324
apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61
authentication-tokens:1.4
authorize-project:1.4.0
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.397-362.v050e9394cf8e
aws-java-sdk-cloudformation:1.12.397-362.v050e9394cf8e
aws-java-sdk-codebuild:1.12.397-362.v050e9394cf8e
aws-java-sdk-ec2:1.12.397-362.v050e9394cf8e
aws-java-sdk-ecr:1.12.397-362.v050e9394cf8e
aws-java-sdk-ecs:1.12.397-362.v050e9394cf8e
aws-java-sdk-efs:1.12.397-362.v050e9394cf8e
aws-java-sdk-elasticbeanstalk:1.12.397-362.v050e9394cf8e
aws-java-sdk-iam:1.12.397-362.v050e9394cf8e
aws-java-sdk-logs:1.12.397-362.v050e9394cf8e
aws-java-sdk-minimal:1.12.397-362.v050e9394cf8e
aws-java-sdk-sns:1.12.397-362.v050e9394cf8e
aws-java-sdk-sqs:1.12.397-362.v050e9394cf8e
aws-java-sdk-ssm:1.12.397-362.v050e9394cf8e
aws-parameter-store:1.2.2
aws-secrets-manager-credentials-provider:1.202.ve0ec0c17611c
badge:1.9.1
basic-branch-build-strategies:1.3.2
bitbucket:1.1.30
blueocean:1.25.2
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.27.1
blueocean-commons:1.27.1
blueocean-config:1.27.1
blueocean-core-js:1.27.1
blueocean-dashboard:1.27.1
blueocean-display-url:2.4.1
blueocean-events:1.27.1
blueocean-git-pipeline:1.27.1
blueocean-github-pipeline:1.27.1
blueocean-i18n:1.27.1
blueocean-jwt:1.27.1
blueocean-personalization:1.27.1
blueocean-pipeline-api-impl:1.27.1
blueocean-pipeline-editor:1.27.1
blueocean-pipeline-scm-api:1.27.1
blueocean-rest:1.27.1
blueocean-rest-impl:1.27.1
blueocean-web:1.27.1
bootstrap5-api:5.2.1-3
bouncycastle-api:2.27
branch-api:2.1071.v1a_188a_562481
build-with-parameters:1.6
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.8.1
cloudbees-bitbucket-branch-source:791.vb_eea_a_476405b
cloudbees-folder:6.800.v71307ca_b_986b
command-launcher:1.6
commons-lang3-api:3.12.0-36.vd97de6465d5b_
commons-text-api:1.10.0-27.vb_fa_3896786a_7
conditional-buildstep:1.4.2
configuration-as-code:1569.vb_72405b_80249
credentials:1214.v1de940103927
credentials-binding:523.vd859a_4b_122e6
data-tables-api:1.12.1-4
display-url-api:2.3.7
durable-task:504.vb10d1ae5ba2f
echarts-api:5.4.0-1
favorite:2.4.1
font-awesome-api:6.2.0-3
generic-webhook-trigger:1.83
git:5.0.0
git-client:4.1.0
git-parameter:0.9.13
git-server:99.va_0826a_b_cdfa_d
github:1.36.1
github-api:1.303-400.v35c2d8258028
github-branch-source:1701.v00cc8184df93
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.31
http_request:1.12
instance-identity:142.v04572ca_5b_265
ionicons-api:31.v4757b_6987003
jackson2-api:2.14.2-319.v37853346a_229
jakarta-activation-api:2.0.1-2
jakarta-mail-api:2.0.1-2
javax-activation-api:1.2.0-5
javax-mail-api:1.6.2-5
jaxb:2.3.7-1
jdk-tool:1.5
jenkins-design-language:1.27.1
jjwt-api:0.11.5-77.v646c772fddb_0
job-dsl:1.78.1
jquery:1.12.4-1
jquery3-api:3.6.1-2
jsch:0.1.55.61.va_e9ee26616e7
junit:1166.va_436e268e972
kubernetes:3842.v7ff395ed0cf3
kubernetes-client-api:6.3.1-206.v76d3b_6b_14db_b
kubernetes-credentials:0.10.0
lockable-resources:1122.v14c3d52cb_1b_1
mailer:448.v5b_97805e3767
matrix-auth:2.6.8
matrix-project:785.v06b_7f47b_c631
mercurial:1260.vdfb_723cdcc81
metrics:4.2.13-420.vea_2f17932dd6
mina-sshd-api-common:2.9.2-50.va_0e1f42659a_a
mina-sshd-api-core:2.9.2-50.va_0e1f42659a_a
octopusdeploy:3.1.7
okhttp-api:4.9.3-108.v0feda04578cf
parameterized-scheduler:0.9.2
parameterized-trigger:2.43.1
pipeline-aws:1.43
pipeline-build-step:2.18
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:629.vb_5627b_ee2104
pipeline-input-step:466.v6d0a_5df34f81
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2118.v31fd5b_9944b_5
pipeline-model-definition:2.2118.v31fd5b_9944b_5
pipeline-model-extensions:2.2118.v31fd5b_9944b_5
pipeline-rest-api:2.30
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2118.v31fd5b_9944b_5
pipeline-stage-view:2.30
pipeline-utility-steps:2.10.0
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:2.20.0
popper2-api:2.11.6-2
prometheus:2.0.10
promoted-builds:3.11
pubsub-light:1.17
purge-job-history:1.6
role-strategy:3.2.0
run-condition:1.5
saml:2.0.9
scm-api:631.v9143df5b_e4a_a
script-security:1229.v4880b_b_e905a_6
slack:2.49
snakeyaml-api:1.33-90.v80dcb_3814d35
sse-gateway:1.26
ssh-agent:1.23
ssh-credentials:305.v8f4381501156
sshd:3.242.va_db_9da_b_26a_c3
stashNotifier:1.20
structs:324.va_f5d6774f3a_d
terraform:1.0.10
text-finder:1.17
token-macro:321.vd7cc1f2a_52c8
trilead-api:2.84.v72119de229b_7
uno-choice:2.5.7
variant:59.vf075fe829ccb
workflow-aggregator:2.6
workflow-api:1208.v0cc7c6e0da_9e
workflow-basic-steps:994.vd57e3ca_46d24
workflow-cps:3606.v0b_d8b_e512dcf
workflow-cps-global-lib:609.vd95673f149b_b
workflow-durable-task-step:1223.v7f1a_98a_8863e
workflow-job:1254.v3f64639b_11dd
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:839.v35e2736cfd5c

What Operating System are you using (both controller, and any agents involved in the problem)?

[root@ip-10-128-1-192 /]# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

Reproduction steps

Have jenkins pod running with attached role
kubectl describe pod jenkins-0 -n jenkins | grep AWS_ROLE AWS_ROLE_ARN: arn:aws:iam::000000000:role/service/eks/eks-cluster-jenkins-master-role
But when I try to get access to Secrets Manager it is using node-group role
2023-02-01 20:50:31.880+0000 [id=330] WARNING i.j.p.c.s.AwsCredentialsProvider#getCredentials: Could not list credentials in Secrets Manager: message=[User: arn:aws:sts::000000000:assumed-role/eks-node-group-20230123082959723000000001/i-0259469284873172d is not authorized to perform: secretsmanager:ListSecrets because no identity-based policy allows the secretsmanager:ListSecrets action (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: f9393b18-b391-4ac7-bacd-8f9442fd7861; Proxy: null)]

Expected Results

Plugin is using jenkins-master role arn:aws:iam::000000000:role/service/eks/eks-cluster-jenkins-master-role

Actual Results

As node-group role don't have needed permissions plugin can't read secretes from Secrets Manager

Anything else?

No response

What feature do you want to see added?

The current implementation of transformations.name.removePrefix only supports a single prefix to be removed. This works as I would expect, but it is limiting. I have multiple "groups" of secrets in a single AWS account, i.e. jenkins/generic/<secret_name>, jenkins/test/<secret_name>. I would like to remove both prefixes, but I don't see a way to do so...
Any suggestions for how to work around this will be appreciated

Upstream changes

No response

(This is a port of 'fake PR #65' from @kuntalkumarbasu, who reported this issue before GitHub Issues were enabled for this repository. I'm moving this to an issue so that I don't merge the PR by accident.)

We already have an existing Vault setup to read secrets, we are planning to migrate it to AWS Secrets manager and use this plugin for that purpose. First dual-running the Vault and Secrets Manager providers, and then phasing out Vault.

We have installed the plugin and set up IAM access properly.

We use CASC for the configuration.

There are no secrets in Secrets Manager yet.

The vault key setup:

credentials:
  system:
    domainCredentials:
      - credentials:
          - string:
              description: 'description
              id: 'ID_TEST'
              scope: GLOBAL
              secret: "${secret_key}"

The problem is that when we are running this plugin from CASC via fresh install, it is trying to access an ARN similar to

arn:aws:secretsmanager:us-east-2:123456789:secret:ID_TEST-TAhdQc

ID_TEST is the key based on which a fictitious ARN is getting searched for, but it does not exist in Secrets Manager yet.

The plugin is throwing a generic error that the jenkins user is not authorized to perform: secretsmanager:GetSecretValue on that fictitious ARN, and jenkins is refusing to start.

Basically looks like the plugin is trying to find a ARN for every secret key, may be I am missing something is there any way to avoid this behaviour.

Hello, I am creating a blank issue because it doesn't seem like a bug, but rather user error (me!). I just don't know where to turn to since there aren't a lot of resources on this plugin, so here it goes.

I am using the following:

• Jenkins helm chart ver 3.3.9, deployed on EKS v1.16
• Jenkins version 2.277.3
• Plugin version v0.5.3
• and all other plugins are all up to date as I write this

My Jenkins pod is assuming an IAM role that has a policy in the IAM section of the README, and I tested in another pod with the same annotations/setup that it was able to assume the role and retrieve the secrets. However, as I click "test connection" in the Systems configuration page (I also triggered it using a test build), I am getting the message saying that the connection to localhost:4584 has been refused:

WARNING i.j.p.c.s.AwsCredentialsProvider#getCredentials: Could not list credentials in Secrets Manager: message=[Unable to execute HTTP request:
Connect to localhost:4584 [localhost/127.0.0.1] failed: Connection refused (Connection refused)]

It's my understanding that the plugin opens this port? However, I am not able to get any useful logs telling me where the error comes from. Would you mind giving me some tips on how to troubleshoot?

Thank you in advance.

What feature do you want to see added?

Support the AWS credential type from https://github.com/jenkinsci/aws-credentials-plugin so we can specify a role, MFA, etc.. Maybe these can be additional tags such as jenkins:credentials:assume_role, jenkins:credentials:mfa_arn, etc.

Upstream changes

No response

Summary

While setting up an Jenkins instance outside of AWS (locally), I am attempting to authenticate using the directions in the Authentication section. I've added the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables to the Docker container I am running Jenkins in.

Upon starting Jenkins and attempting to access credentials, I receive an error message:

Could not set up AWS Secrets Manager client. Reason: Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.

After this, I tried a couple of methods to add the region:

• I attempted to set the AWS_DEFAULT_REGION environment variable, to no avail.
• I attempted to set the AWS_SIGNING_REGION environment variable, also to no avail.

I've considered setting up the service endpoint configuration, thinking that might help, but it is not clear to me what that value is, where to get it, or what it even looks like.

Please help me understand what I need to do to get this working locally! Thank you a ton!

Reference

https://github.com/jenkinsci/aws-secrets-manager-credentials-provider-plugin/blob/master/docs/authentication/index.md

Description

• Within documentation I can see how to add different types of credentials but I don't see how to restrict a credential to a folder, is it possible to do that with this plugin ?

Describe your use-case which is not covered by existing documentation.

When click on the links in the "Content" part of jenkins documentation, i.e.,

the links lead to 404.

I assume all the links were moved to docs/ folder hence links are broken now.

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

No response

Jenkins and plugins versions report

Jenkins: 2.303.3
OS: Linux - 4.9.0-12-amd64
Java: 11.0.13 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
Parameterized-Remote-Trigger:3.1.5.1
ace-editor:1.1
allure-jenkins-plugin:2.30.3
analysis-model-api:10.8.0
ansicolor:1.0.1
ant:1.12
antisamy-markup-formatter:2.4
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-cloudformation:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-codebuild:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ec2:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ecr:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ecs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-efs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-elasticbeanstalk:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-iam:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-logs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-minimal:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-sns:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-sqs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ssm:1.12.287-357.vf82d85a_6eefd
aws-secrets-manager-credentials-provider:0.5.6
aws-secrets-manager-secret-source:0.0.1
blueocean:1.25.8
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.8
blueocean-commons:1.25.8
blueocean-config:1.25.8
blueocean-core-js:1.25.8
blueocean-dashboard:1.25.8
blueocean-display-url:2.4.1
blueocean-events:1.25.8
blueocean-git-pipeline:1.25.8
blueocean-github-pipeline:1.25.8
blueocean-i18n:1.25.8
blueocean-jwt:1.25.8
blueocean-personalization:1.25.8
blueocean-pipeline-api-impl:1.25.8
blueocean-pipeline-editor:1.25.8
blueocean-pipeline-scm-api:1.25.8
blueocean-rest:1.25.8
blueocean-rest-impl:1.25.8
blueocean-web:1.25.8
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-2
bouncycastle-api:2.25
branch-api:2.7.0
browserstack-integration:1.2.5
build-history-manager:1.4.0
build-keeper-plugin:1.3
build-name-setter:2.2.0
build-timestamp:1.0.3
build-with-parameters:1.6
built-on-column:1.1
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.2
cloudbees-bitbucket-branch-source:784.v7fcdc7c670f6
cloudbees-folder:6.16
command-launcher:1.6
conditional-buildstep:1.4.1
config-file-provider:3.8.1
configuration-as-code:1512.vb_79d418d5fc8
credentials:2.6.1.1
credentials-binding:1.27.1
data-tables-api:1.11.3-4
display-url-api:2.3.5
docker-commons:1.21
docker-java-api:3.2.13-37.vf3411c9828b9
docker-plugin:1.2.10
docker-workflow:1.28
durable-task:501.ve5d4fc08b0be
echarts-api:5.2.2-1
email-ext:2.85
envinject:2.4.0
envinject-api:1.8
extended-choice-parameter:0.82
external-monitor-job:1.7
favorite:2.3.3.1
font-awesome-api:5.15.4-1
forensics-api:1.6.0
gatling:1.3.0
git:4.11.5
git-client:3.11.2
git-parameter:0.9.13
git-server:1.10
github:1.34.3.1
github-api:1.303-400.v35c2d8258028
github-branch-source:2.11.4
gradle:1.37.1
greenballs:1.15.1
h2-api:1.4.199
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.28
http_request:1.12
jackson2-api:2.13.3-285.vc03c0256d517
jacoco:3.3.0
javadoc:1.6
javax-activation-api:1.2.0-3
javax-mail-api:1.6.2-6
jaxb:2.3.6-1
jdk-tool:1.5
jenkins-design-language:1.25.8
jenkins-multijob-plugin:1.36
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.78.1
jobConfigHistory:2.28.1
jobcacher:264.vb_f4770b_79801
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes:1.30.10
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
ldap:2.7
lockable-resources:2.12
mailer:414.vcc4c33714601
mask-passwords:3.0
matrix-auth:2.6.8
matrix-project:772.v494f19991984
maven-plugin:3.15.1
metrics:4.0.2.8
momentjs:1.1.1
multibranch-build-strategy-extension:1.0.10
okhttp-api:4.9.3-108.v0feda04578cf
pam-auth:1.6.1
parameterized-scheduler:1.0
parameterized-trigger:2.44
pipeline-build-step:2.15
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-maven:3.10.0
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.8
plugin-util-api:2.16.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
pubsub-light:1.16
purge-build-queue-plugin:1.0
rebuild:1.32
resource-disposer:0.20
reverse-proxy-auth-plugin:1.7.1
run-condition:1.5
scm-api:608.vfa_f971c5a_a_e9
script-security:1138.v8e727069a_025
simple-theme-plugin:0.7
slack:2.48
snakeyaml-api:1.31-84.ve43da_fb_49d0b
sonar:2.14
sonar-quality-gates:1.3.1
sse-gateway:1.25
ssh-agent:295.v9ca_a_1c7cc3a_a_
ssh-credentials:277.v95c2fec1c047
ssh-slaves:1.806.v2253cedd3295
sshd:3.1.0
structs:324.va_f5d6774f3a_d
timestamper:1.14
token-macro:308.v4f2b_ed62b_b_16
trilead-api:1.0.13
uno-choice:2.6.1
variant:1.4
warnings-ng:9.7.0
webhook-step:80.v6737a5fd857b
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:1153.vb_912c0e47fb_a_
workflow-basic-steps:2.24
workflow-cps:2633.v6baeedc13805
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.40
workflow-job:1145.v7f2433caa07f
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:813.vb_d7c3d2984a_0
ws-cleanup:0.43

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins running on Docker

Reproduction steps

1. Create an SSH Key credential "locally" on Jenkins, by manually creating a credential, and copy/pasting the Secret key and username. Jenkins > Manage Jenkins > Credential > Add credential
2. Using the Secret Manager plugin, load a previously uploaded SSH Key credential from AWS Secret Manager
3. Make sure both keys are added to Github and have the correct permissions on the repo being tested
4. Test with the pipelines below for a github repository:

pipeline {
    agent any

	environment {
        // The key below is manually entered in Jenkins
        CREDENTIALS_ID_LOCAL = "xx-yy-zz"
        
        // This one below is imported via AWS Secret Manager plugin
        CREDENTIALS_ID_AWS = "global/dashboard/jenkins/dahboard_jenkins_ssh_key_api_eng_user"//
    }

    stages {
        stage('this step works') {
            steps {
                sshagent(credentials: [CREDENTIALS_ID_LOCAL]) {
                    script {
                      sh(returnStdout: true, script: 'git fetch')
                    }
                }
            }
        }
        stage('this one does not') {
            steps {
                sshagent(credentials: [CREDENTIALS_ID_AWS]) {
                    script {
                      sh(returnStdout: true, script: 'git fetch')
                    }
                }
            }
        }
    }
}

Expected Results

Both steps should successfully execute the git fetch . The first stage works, but the second does not.

Actual Results

During the second step, we get the below message:

[ssh-agent] Using credentials EDITED-BUT -THIS-SHOWS-THE-CORRECT-SECRET-NAME
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-QHrN9yoaNjpv/agent.8848
SSH_AGENT_PID=8851
Running ssh-add (command line suppressed)
Error loading key "/var/jenkins_home/workspace/folder_location_edited@tmp/private_key_2322035249091043671.key": invalid format

Anything else?

No response

If the type tag is removed, then the credential should disappear from Jenkins when the cache is reloaded.

But what happens at the moment is...

Given I have a Secret Text credential stored in Secrets Manager (with the jenkins:credentials:type=string tag)
When I remove the type tag, and wait for the credentials cache to reload,
Then the Secret Text credential still remains in Jenkins.

(It only disappears after I initiate a delete to remove the secret altogether, regardless of whether that tag was present or later removed.)

Moved from JENKINS-61112

Reposted from https://issues.jenkins.io/browse/JENKINS-66588

I ran into JENKINS-62566 when trying to configure a SecretFile with the kubeconfig for a kubernetes cluster using the kubernetes plugin. This fails in an incredibly unobvious way, which took a lot of digging to troubleshoot.

Since the text of the exception is just the word null, the 'test config' button for the kubernetes cloud configuration page just displays the word 'null' in red text. This led me to believe the problem was in the kubernetes plugin's cloud component, but I couldn't figure out how it was throwing due to the exception not being logged at default log levels either. I originally assumed this was an issue with the kubeconfig file, or something wrong with cluster connectivity, until I'd ruled all that out successfully and created a new logger at ALL which showed the actual stacktrace in question, pointing to the AWS Secrets Manager credential provider plugin.

Finally, for ease of reproduction, I created a freestyle job in which I just used the file as a credential and saw the same stacktrace:

FATAL: null
java.lang.NullPointerException
	at io.jenkins.plugins.credentials.secretsmanager.factory.file.AwsFileCredentials.getContent(AwsFileCredentials.java:39)
	at org.jenkinsci.plugins.credentialsbinding.impl.FileBinding.write(FileBinding.java:54)
	at org.jenkinsci.plugins.credentialsbinding.impl.FileBinding.write(FileBinding.java:42)
	at org.jenkinsci.plugins.credentialsbinding.impl.AbstractOnDiskBinding.bindSingle(AbstractOnDiskBinding.java:39)
	at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:150)
	at org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper.setUp(SecretBuildWrapper.java:87)
	at hudson.model.Build$BuildExecution.doRun(Build.java:158)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:516)
	at hudson.model.Run.execute(Run.java:1889)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:100)
	at hudson.model.Executor.run(Executor.java:433)
Finished: FAILURE 

While the documentation shows a FileCredential created by using awscli with the -secret-binary flag, it is not made obvious in the documentation that a SM secret created by using the AWS web console or the -secret-string flag to awscli is unsupported, and if I hadn't stumbled across JENKINS-62566 I would have no idea what was going wrong without a deep dive into the plugin source.

JENKINS-62566 was closed because it wasn't a common problem, but given how hard to troubleshoot it can be when credentials are used in system configuration, I'd love to see either a fallback where it gets the SecretString value if SecretBytes is null, or at the least, a more instructive stacktrace.

I'd think the SecretBytesSupplier.get() method would want to return SecretBytes.fromString(str) on line 71 here instead of returning null

I can try to toss together a PR for this with some test coverage if it's a wanted change; I'd think it would be expected that the contents of the secret will be available to people regardless of whether it is a binary or string.

Allow Jenkins to look up credentials in AWS Parameter Store. (They will be stored as Secure String parameters
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-securestring.html).

Moved from JENKINS-60132

Rationale

• Storing credentials in Parameter Store can be cheaper than storing them in Secrets Manager.
• TODO anything else?

Questions

• Does this belong in its own project/plugin or is there opportunity for code reuse as part of aws-secrets-manager-credentials-provider-plugin?

Constraints

• Jenkins should be able to source credentials from both Secrets Manager and Parameter Store. (Using one should not rule out using the other.)
• If Jenkins encounters an error looking up secrets in one of the services, this should not impede lookups in the other. (An exception from a Secrets Manager API call should not break secret resolution in Parameter Store if PS is still functioning.)
• Tag naming conventions should be shared in both PS and SM. (Eg a username tag should be called jenkins:credentials:username in PS, just like it is in SM today.)

Comparison of services

The plugin should be able to retrieve credentials from multiple AWS accounts, and present them as one combined list of credentials.

For example by using IAM cross-account roles.

Use case: Separate AWS accounts for deployment environments

• I have a Jenkins in my environment-independent tools account.
• I have dev secrets in my dev account.
• I have production secrets in my production account.
• I want Jenkins to access secrets in the dev and production accounts.

Moved from https://issues.jenkins.io/browse/JENKINS-63182

We have our CBJ setup using EKS on aws, when we provide access aws secrects permission to the ec2 instance IAM role we are able to see the aws secrets credentials on all controllers/masters. Is there a way we can differentiate between masters using tags? Let us know if you need more details on this.

Hello Team,
In my organization we have started using the AWS Secrets Manager plugin to replace storing our secrets
in Jenkins. We have a job which performs a http request, the challenge I'm facing with this Plugin is the credentials can't be retrieved while making a httpRequest call containing the secret in the request and throws a serialization error. It works fine when we use credentials('secret-value-to-retrieve') but not from authentication('secret-value-to-retrieve') based on the below groovy dsl.

Appreciate any suggestions.

steps {

httpRequest {
url('apiEndpoint')
httpMode('POST')
authentication('secret-value-to-retrieve')
acceptType('APPLICATION_JSON')
contentType('APPLICATION_JSON')
requestBody('sample Body')
validResponseCodes('201,307')
consoleLogResponseBody(false)
}
}

Exception: FATAL: Unable to serialize jenkins.plugins.http_request.HttpRequestExecution@6d5ace62
java.io.NotSerializableException: io.jenkins.plugins.credentials.secretsmanager.factory.CredentialsFactory$SecretSupplier
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
at hudson.remoting.UserRequest._serialize(UserRequest.java:263)
at hudson.remoting.UserRequest.serialize(UserRequest.java:272)
Caused: java.io.IOException: Unable to serialize jenkins.plugins.http_request.HttpRequestExecution@6d5ace62
at hudson.remoting.UserRequest.serialize(UserRequest.java:274)
at hudson.remoting.UserRequest.(UserRequest.java:101)
at hudson.remoting.Channel.call(Channel.java:999)
at jenkins.plugins.http_request.HttpRequest.perform(HttpRequest.java:403)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:804)
at hudson.model.Build$BuildExecution.build(Build.java:197)
at hudson.model.Build$BuildExecution.doRun(Build.java:163)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:514)
at hudson.model.Run.execute(Run.java:1907)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:429)

Jenkins and plugins versions report

Jenkins: 2.401.3
OS: Linux - 3.10.0-1160.90.1.el7.x86_64
Java: 11.0.21 - Red Hat, Inc. (OpenJDK 64-Bit Server VM)
---
ace-editor:1.1
active-directory:2.31
amazon-ecr:1.114.vfd22430621f5
amazon-ecs:1.48
analysis-model-api:11.10.0
anchore-container-scanner:1.0.25
ansicolor:1.0.2
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:159.v25b_c67cd35fb_
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.2.1-1.1
artifactory:3.18.8
authentication-tokens:1.53.v1c90fd9191a_b_
authorize-project:1.7.1
aws-codepipeline:0.46
aws-credentials:218.v1b_e9466ec5da_
aws-java-sdk:1.12.529-406.vdeff15e5817d
aws-java-sdk-cloudformation:1.12.529-406.vdeff15e5817d
aws-java-sdk-codebuild:1.12.529-406.vdeff15e5817d
aws-java-sdk-ec2:1.12.529-406.vdeff15e5817d
aws-java-sdk-ecr:1.12.529-406.vdeff15e5817d
aws-java-sdk-ecs:1.12.529-406.vdeff15e5817d
aws-java-sdk-efs:1.12.529-406.vdeff15e5817d
aws-java-sdk-elasticbeanstalk:1.12.529-406.vdeff15e5817d
aws-java-sdk-iam:1.12.529-406.vdeff15e5817d
aws-java-sdk-kinesis:1.12.529-406.vdeff15e5817d
aws-java-sdk-logs:1.12.529-406.vdeff15e5817d
aws-java-sdk-minimal:1.12.529-406.vdeff15e5817d
aws-java-sdk-secretsmanager:1.12.529-406.vdeff15e5817d
aws-java-sdk-sns:1.12.529-406.vdeff15e5817d
aws-java-sdk-sqs:1.12.529-406.vdeff15e5817d
aws-java-sdk-ssm:1.12.529-406.vdeff15e5817d
aws-secrets-manager-credentials-provider:1.213.vca_3f37306fed
aws-secrets-manager-secret-source:1.72.v61781b_35c542
badge:1.9.1
blueocean:1.27.5
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.27.8
blueocean-commons:1.27.8
blueocean-config:1.27.8
blueocean-core-js:1.27.8
blueocean-dashboard:1.27.8
blueocean-display-url:2.4.2
blueocean-events:1.27.8
blueocean-git-pipeline:1.27.8
blueocean-github-pipeline:1.27.8
blueocean-i18n:1.27.8
blueocean-jira:1.27.8
blueocean-jwt:1.27.8
blueocean-personalization:1.27.8
blueocean-pipeline-api-impl:1.27.8
blueocean-pipeline-editor:1.27.8
blueocean-pipeline-scm-api:1.27.8
blueocean-rest:1.27.8
blueocean-rest-impl:1.27.8
blueocean-web:1.27.8
bootstrap4-api:4.6.0-6
bootstrap5-api:5.3.2-1
bouncycastle-api:2.29
branch-api:2.1128.v717130d4f816
build-name-setter:2.3.0
build-timeout:1.31
build-user-vars-plugin:1.9
build-with-parameters:76.v9382db_f78962
buildtriggerbadge:251.vdf6ef853f3f5
caffeine-api:3.1.8-133.v17b_1ff2e0599
categorized-view:1.12
checks-api:2.0.2
cisco-spark-notifier:1.1.1
cloud-stats:320.v96b_65297a_4b_b_
cloudbees-bitbucket-branch-source:832.v43175a_425ea_6
cloudbees-folder:6.848.ve3b_fd7839a_81
cobertura:1.17
code-coverage-api:4.9.0
command-launcher:106.vb_a_b_8f751309c
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.10.0-78.v3e7b_ea_d5a_fe1
conditional-buildstep:1.4.3
config-file-provider:959.vcff671a_4518b_
configuration-as-code:1700.v6f448841296e
convert-to-pipeline:1.0
copyartifact:714.v28a_34f8c563f
credentials:1293.vff276f713473
credentials-binding:636.v55f1275c7b_27
cucumber-reports:5.7.6
custom-markup-formatter:29.ve5d4614ca_d01
customized-build-message:1.1
dashboard-view:2.495.v07e81500c3f2
data-tables-api:1.13.6-5
display-url-api:2.200.vb_9327d658781
docker-build-publish:1.4.0
docker-commons:439.va_3cb_0a_6a_fb_29
docker-java-api:3.3.1-79.v20b_53427e041
docker-plugin:1.4
docker-workflow:563.vd5d2e5c4007f
durable-task:523.va_a_22cf15d5e0
ec2:2.0.7
echarts-api:5.4.0-6
email-ext:2.102
emailext-template:1.5
embeddable-build-status:412.v09da_db_1dee68
envinject:2.908.v66a_774b_31d93
envinject-api:1.199.v3ce31253ed13
extended-choice-parameter:376.v2e02857547b_a_
extensible-choice-parameter:1.8.1
external-monitor-job:207.v98a_a_37a_85525
extra-columns:1.26
favorite:2.4.3
font-awesome-api:6.4.2-1
forensics-api:2.3.0
gatling:1.3.0
git:5.2.0
git-changelog:3.34
git-client:4.5.0
git-parameter:0.9.19
git-server:99.va_0826a_b_cdfa_d
github:1.37.3
github-api:1.316-451.v15738eef3414
github-branch-source:1741.va_3028eb_9fd21
gitlab-plugin:1.7.16
golang:1.4
google-login:1.7
gradle:2.8.2
groovy-label-assignment:1.2.0
groovy-postbuild:2.5
h2-api:11.1.4.199-12.v9f4244395f7a_
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.32
http_request:1.18
instance-identity:173.va_37c494ec4e5
ionicons-api:56.v1b_1c8c49374e
ivy:2.5
jackson2-api:2.15.3-366.vfe8d1fa_f8c87
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javadoc:243.vb_b_503b_b_45537
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.8-1
jdk-tool:73.vddf737284550
jenkins-design-language:1.27.8
jenkins-jira-issue-updater:1.18
jersey2-api:2.40-1
jira:3.10
jira-steps:2.0.165.v8846cf59f3db
jjwt-api:0.11.5-77.v646c772fddb_0
job-dsl:1.84
jquery:1.12.4-1
jquery3-api:3.7.1-1
jsch:0.2.8-65.v052c39de79b_2
junit:1240.vf9529b_881428
kubernetes:4054.v2da_8e2794884
kubernetes-cli:1.12.0
kubernetes-client-api:6.8.1-224.vd388fca_4db_3b_
kubernetes-credentials:0.11
ldap:694.vc02a_69c9787f
lockable-resources:1185.v0c528656ce04
mailer:463.vedf8358e006b_
markdown-formatter:95.v17a_965e696ee
mask-passwords:173.v6a_077a_291eb_5
matrix-auth:3.2.1
matrix-project:818.v7eb_e657db_924
maven-plugin:3.23
mercurial:1260.vdfb_723cdcc81
metrics:4.2.18-442.v02e107157925
mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_
mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_
node-iterator-api:49.v58a_8b_35f8363
nodejs:1.6.0
nodelabelparameter:1.12.0
notification:1.17
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pagerduty:0.7.1
pam-auth:1.10
parallel-test-executor:418.v24f9a_141d726
parameter-separator:87.va_1816d0b_39d1
parameterized-scheduler:1.2
parameterized-trigger:2.46
performance:928.vdea_0dca_55446
periodicbackup:2.0
pipeline-aws:1.43
pipeline-build-step:505.v5f0844d8d126
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:689.veec561a_dee13
pipeline-input-step:477.v339683a_8d55e
pipeline-maven:1345.va_0ef5530a_5ca_
pipeline-maven-api:1345.va_0ef5530a_5ca_
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2144.v077a_d1928a_40
pipeline-model-definition:2.2144.v077a_d1928a_40
pipeline-model-extensions:2.2144.v077a_d1928a_40
pipeline-rest-api:2.33
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40
pipeline-stage-view:2.33
pipeline-utility-steps:2.16.0
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.6.0
pollscm:1.5
popper-api:1.16.1-3
popper2-api:2.11.6-2
prism-api:1.29.0-8
promoted-builds:892.vd6219fc0a_efb
publish-to-bitbucket:0.4
pubsub-light:1.17
rake:1.8.0
rebuild:320.v5a_0933a_e7d61
resource-disposer:0.23
run-condition:1.6
saml:4.429.v9a_781a_61f1da_
sbt:81.vb_82499046630
scm-api:676.v886669a_199a_a_
script-security:1275.v23895f409fb_d
simple-theme-plugin:160.vb_76454b_67900
slack:664.vc9a_90f8b_c24a_
snakeyaml-api:2.2-111.vc6598e30cc65
sonar:2.15
sse-gateway:1.26
ssh:2.6.1
ssh-agent:333.v878b_53c89511
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.916.vd17b_43357ce4
ssh-steps:2.0.68.va_d21a_12a_6476
sshd:3.312.v1c601b_c83b_0e
stashNotifier:1.28
structs:325.vcb_307d2a_2782
swarm:3.40
throttle-concurrents:2.14
timestamper:1.26
token-macro:384.vf35b_f26814ec
trilead-api:2.84.v72119de229b_7
uno-choice:2.7
variant:59.vf075fe829ccb
warnings-ng:10.4.0
whitesource:21.1.2
workflow-aggregator:596.v8c21c963d92d
workflow-api:1283.v99c10937efcb_
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3802.vd42b_fcf00b_a_c
workflow-durable-task-step:1289.v4d3e7b_01546b_
workflow-job:1326.ve643e00e9220
workflow-multibranch:756.v891d88f2cd46
workflow-remote-loader:1.6
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:865.v43e78cc44e0d
ws-cleanup:0.45
xvfb:1.2

What Operating System are you using (both controller, and any agents involved in the problem)?

Centos 7

Reproduction steps

Here is my simple pipeline to compare 2 secrets - the first is stored in System Credentials, the second in AWS Secrets:

pipeline {
agent any

environment{
localCred = credentials('localSecret')
awsCred = credentials('awsSecret')
}

stages {
stage('Compare Secrets') {
steps {
sh '''
echo "This is the directory of the secret file $localCred"
echo "This is the content of the file cat $localCred"
'''

    sh '''
        echo "This is the directory of the secret file $awsCred"
        echo "This is the content of the file `cat $awsCred`"
    '''
  }
}

}
}

Expected Results

I expected the values to be printed to the screen for comparison

Actual Results

Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 05ed4db4-fbf3-49d5-930c-a20197c59230
java.lang.NullPointerException
at io.jenkins.plugins.credentials.secretsmanager.factory.file.AwsFileCredentials.getContent(AwsFileCredentials.java:40)
at org.jenkinsci.plugins.credentialsbinding.impl.FileBinding.write(FileBinding.java:54)
at org.jenkinsci.plugins.credentialsbinding.impl.FileBinding.write(FileBinding.java:42)
at org.jenkinsci.plugins.credentialsbinding.impl.AbstractOnDiskBinding.bindSingle(AbstractOnDiskBinding.java:38)
at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:149)
at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:132)
at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Finished: FAILURE

Anything else?

No response

Are you interested in contributing a fix?

No response

I have tried searching through the other open issues but I could not find anything on this so let me know if this has already been covered. I am setting up jenkins on ecs fargate and I want to use this plugin to get secrets from secrets manager. I notice in the documentation that jenkins must be granted these iam permissions.

"secretsmanager:GetSecretValue" on resource *
"secretsmanager:ListSecrets"

This causes a problem for me because that grants the container access to all secrets in that account. I understand that the plugin can only get secrets that are tagged appropriately but there is nothing to prevent a developer from using the aws cli or api in a jenkins pipeline to access any credentials in secrets manager. Why does it need GetSecretValue on all secrets?

When I tried limiting the iam access to just the secrets required the plugin would not work.

Is there any workaround for this or am I just missing something? Any help is appreciated.

Jenkins and plugins versions report

Jenkins: 2.303.1
OS: Linux - 5.10.104-linuxkit
---
ace-editor:1.1
apache-httpcomponents-client-4-api:4.5.13-1.0
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-cloudformation:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-codebuild:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-ec2:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-ecr:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-ecs:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-elasticbeanstalk:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-iam:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-logs:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-minimal:1.12.201-326.veb_6ce41104a_e
aws-java-sdk-ssm:1.12.201-326.veb_6ce41104a_e
aws-secrets-manager-credentials-provider:1.0.0
bootstrap4-api:4.6.0-5
bootstrap5-api:5.1.3-6
bouncycastle-api:2.20
branch-api:2.1046.v0ca_37783ecc5
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.4
cloudbees-folder:6.714.v79e858ef76a_2
command-launcher:1.2
config-file-provider:3.8.1
configuration-as-code:1.55
credentials:2.6.1.1
credentials-binding:1.27.1
display-url-api:2.3.5
durable-task:496.va67c6f9eefa7
echarts-api:5.3.2-1
font-awesome-api:6.0.0-1
git:4.4.1
git-client:3.11.0
git-server:1.11
golang:1.4
jackson2-api:2.13.2.20220328-281.v9ecc7a_5e834f
javax-activation-api:1.2.0-3
javax-mail-api:1.6.2-6
jaxb:2.3.6-1
jdk-tool:1.0
jquery3-api:3.6.0-3
jsch:0.1.55.2
junit:1.48
mailer:414.vcc4c33714601
matrix-project:1.18
nodejs:1.4.0
pipeline-aws:1.43
pipeline-graph-analysis:1.11
pipeline-input-step:448.v37cea_9a_10a_70
pipeline-model-api:1.9.3
pipeline-model-definition:1.7.2
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.24
pipeline-stage-step:293.v200037eefcd5
pipeline-stage-tags-metadata:1.9.3
pipeline-utility-steps:2.6.1
plain-credentials:1.8
plugin-util-api:2.16.0
popper-api:1.16.1-3
popper2-api:2.11.5-1
prisma-cloud-jenkins-plugin:21.08.525
scm-api:608.vfa_f971c5a_a_e9
script-security:1138.v8e727069a_025
slack:2.47
snakeyaml-api:1.30.1
sonar:2.14
splunk-devops:1.9.4
splunk-devops-extend:1.9.4
ssh-agent:1.23
ssh-credentials:277.v95c2fec1c047
sshd:3.228.v4c9f9e652c86
structs:318.va_f3ccb_729b_71
timestamper:1.13
token-macro:293.v283932a_0a_b_49
trilead-api:1.0.13
variant:1.4
workflow-api:1144.v61c3180fa_03f
workflow-basic-steps:2.24
workflow-cps:2660.vb_c0412dc4e6d
workflow-cps-global-lib:2.21.3
workflow-durable-task-step:2.40
workflow-job:1145.v7f2433caa07f
workflow-multibranch:712.vc169a_1387405
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:625.vd896b_f445a_f8

What Operating System are you using (both controller, and any agents involved in the problem)?

amazon linux 2

Reproduction steps

In an AWS secrets manager account that your Jenkins instance on AWS can access, create a secret with a name like my/secret/text and give it the correct tags to be read into Jenkins.

Expected Results

1. Going to https://<your-jenkins>/credentials and clicking on the secret should show it in the normal managed secrets view.

Actual Results

404 error

Anything else?

This appears to be a fairly basic URI-encoding problem, because if you replace the slashes in the URL with %2F the secret management URL is visible.

Jenkins and plugins versions report

controller:
  ...
  JCasC:
    defaultConfig: true
    configScripts: {}
    #  welcome-message: |
    #    jenkins:
    #      systemMessage: Welcome to our CI\CD server.  This Jenkins is configured and managed 'as code'.
    # Ignored if securityRealm is defined in controller.JCasC.configScripts and
    securityRealm: |-
      googleOAuth2:
        clientId: test_google_client_Id
        clientSecret: test_google_client_secret
        domain: ""

Hello team, here is my question.

I have a requirement on Jenkins, which is about moving the Github app credentials that are stored on Jenkins locally.
We are looking forward to moving it to AWS Secret Manager to maintain.
Do we have any best practices for now?
I don't find it in the doc currently

What feature do you want to see added?

Jenkins provides the users with the ability to add proxy settings.

In case that the proxy settings are set the plugin should use them for communicating with AWS.

Upstream changes

No response