
Comments (8)

edhar-k avatar edhar-k commented on July 28, 2024

I haven't found, for now, how I can see secrets from another account. If it's possible, could you share the docs?
By myself I tried to open access to secrets from another account and I was able to get them. But they were not listed in the output of "aws secretsmanager list-secrets", and I thought that this is the reason why I can't use secrets from another account.

from aws-secrets-manager-credentials-provider-plugin.

thedevopsguyblog avatar thedevopsguyblog commented on July 28, 2024

Some examples around cross-account usage would be good.


chriskilding avatar chriskilding commented on July 28, 2024

Here is one example of how to do it, if you're able to set profiles in ~/.aws/config: https://stackoverflow.com/a/52805686/1475135

It boils down to setting the role_arn in an AWS profile to the IAM role you want Jenkins to assume (presumably in the other account). And then telling Jenkins to use that AWS profile. As a result when it runs its Secrets Manager calls they should run against the other account.

However, at the last count, Moto - the AWS mock used to test this Jenkins plugin - does not support cross-account operations. So we can't write any automated tests in the plugin's test suite which would demonstrate this working.

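
A concrete form of the profile-based approach described in the comment above, as an added example that is not from the plugin's documentation or from this thread; the profile name, role name and the bracketed account/region placeholders are assumptions:

```ini
# ~/.aws/config on the Jenkins controller (added example, not the plugin's own docs).
# <dev-account> and <region> are placeholders; jenkins-secrets-reader is an assumed role name.

[profile dev-account-secrets]
# Role in the other account that Jenkins should assume for Secrets Manager calls.
# Its trust policy must allow sts:AssumeRole from the role Jenkins already runs as,
# and its permissions should be limited to secretsmanager:GetSecretValue /
# secretsmanager:DescribeSecret on the specific secrets Jenkins needs.
role_arn = arn:aws:iam::<dev-account>:role/jenkins-secrets-reader

# Where the SDK takes the credentials that perform the AssumeRole call from.
# Ec2InstanceMetadata reuses the EC2/EKS node instance role, so no static keys
# are stored on disk; it is mutually exclusive with source_profile.
credential_source = Ec2InstanceMetadata

# Session name appears in the other account's CloudTrail AssumeRole events,
# which makes the Jenkins activity easy to attribute during review.
role_session_name = jenkins-secrets-manager

region = <region>
```

Start Jenkins with AWS_PROFILE=dev-account-secrets so the default credential chain picks this profile up; all Secrets Manager calls then run as the assumed role in the other account, and list-secrets enumerates that account rather than the one Jenkins runs in.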

chriskilding avatar chriskilding commented on July 28, 2024

Related to this, I aim to bring back a custom AWS client configuration feature in PR #43. This allows the STS AssumeRole strategy (among other strategies) to be configured for the plugin within Jenkins config (either in the Web UI or in CasC). This might help people who can't set these properties in the ~/.aws dotfiles.


sun-mir avatar sun-mir commented on July 28, 2024

I also faced this problem...

Use case:
DevOps team manages shared development infrastructure inside its own AWS account.
The dedicated Jenkins controllers for other dev teams are deployed in the DevOps account inside the EKS cluster.
Each Jenkins has configured IAM roles that allow certain operations in external AWS accounts owned by the dev team.
Such external operations include launching EC2 jenkins-nodes and the use of allowed resources, such as SecretsManager.


I've used this guide to configure the cross-account access to SM and can confirm that the Jenkins pod can access them.

preview aws-cli
root@jenkins-app-XYZ:/# aws sts get-caller-identity
{
    "UserId": "CENSORED:i-987654321",
    "Account": "<ops-account>",
    "Arn": "arn:aws:sts::<ops-account>:assumed-role/jenkins-eks-role/i-987654321"
}

root@jenkins-app-XYZ:/# aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:<region>:<dev-account>:secret:sasha-cred-test-OfRs6e --region <region>
{
    "ARN": "arn:aws:secretsmanager:<region>:<dev-account>:secret:sasha-cred-test-OfRs6e",
    "Name": "sasha-cred-test",
    "VersionId": "be934e3e-fede-4da7-bf1b-9338b9546664",
    "SecretString": "cred-test",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1637185003.849
}

...but as reported in #132 (comment) - such items aren't shown while trying to list them.


I was wondering whether it's possible to add some options to the global plugin configuration, along with the Endpoint Configuration,
but the AWS CLI doesn't seem to support that 😢
I wish it could be more like ECR, where the URL also includes the Id: <registry-id>.dkr.ecr.<region>.amazonaws.com


sun-mir avatar sun-mir commented on July 28, 2024

A potential solution for this problem might be supporting AWS credentials.
Presumed JCasC config:

credentials:
  system:
    domainCredentials:
      - credentials:
          - aws:
              id: "dev-account-access-secretsmanager"
              iamRoleArn: "arn:aws:iam::<dev-account>:role/dev-account-access-secretsmanager"
              scope: SYSTEM

unclassified:
  awsCredentialsProvider:
    endpointConfiguration:
      signingRegion: "<region>"
      credentialId: "dev-account-access-secretsmanager"

In this case, if Jenkins' IAM role allows assuming that external role, it would work like a charm!


thecooldrop avatar thecooldrop commented on July 28, 2024

Hello, I am facing this problem as well. In my case we have a Jenkins instance which is provisioned into a manager EKS cluster, which is provisioned into a separate AWS account. This Jenkins instance is then used to manage multiple clusters, and would need to access secrets from multiple AWS accounts to make them available to the devs who own the clusters which are being managed by Jenkins.

Currently the plugin seems to pull only the secrets from the account to which its assumed role belongs.


chriskilding avatar chriskilding commented on July 28, 2024

@thecooldrop and others - plugin v1.1.0 is now released, which allows you to specify different authentication strategies for the AWS client. One of the strategies is an IAM role. Give it a go and see if it helps.

Unfortunately you won't be able to access secrets from multiple accounts, but you should be able to access secrets in a different account to the one Jenkins runs in. That will hopefully be of use to some of you.

