Comments (5)
fknittel
commented on June 27, 2024
Just noticed, that you document a work-around under advanced usage using a string secret type and readJSON. Unfortunately this approach does not work in places where we cannot add custom credential post-processing.
from aws-secrets-manager-credentials-provider-plugin.
chriskilding
commented on June 27, 2024
Which places are you unable to add custom credential post-processing for? I ask because our teams at work that use JSON values for credentials have been able to achieve what they want with the readJson snippet, from the readme.
from aws-secrets-manager-credentials-provider-plugin.
fknittel
commented on June 27, 2024
We use a few Jenkins plugins that we configure via CasC yaml, which need direct references to credentialIds. (One recent example which triggered me to create this issue: The influxdb plugin migrated from plain username/password to credentialId.)
We could probably replace all global plugin configuration with job-local configuration (using the readJson approach), so it's not impossible to do, but it feels like a work-around for a rather common case?
from aws-secrets-manager-credentials-provider-plugin.
chriskilding
commented on June 27, 2024
The reason this is unfortunately not possible is that the username field has to be supplied when credentials are listed, as well as when they are used in a job. The credentials list is populated with a ListSecrets call (the result is cached for 5 mins). This is to ensure that the performance is reasonable, and to avoid unnecessarily exposing secret values (which GetSecretValue would do). The only way to supply non-secret fields like the username in a way that ListSecrets can show them, is to store those fields as AWS tags on the secret.
I get where you're coming from - it would be nice if different tools would share secrets more easily - but alas the credentials API doesn't provide wiggle room here.
from aws-secrets-manager-credentials-provider-plugin.
fknittel
commented on June 27, 2024
@chriskilding Hm, thanks very much for your analysis. What do you think of the following compromise:
If all our json secrets additionally had a jenkins:credentials:username tag duplicating the username found in the username json field, we would still be able to use the same secret entry for multiple tools (and also use the regular password rotation lambdas). While the password value changes regularly, the username value is mostly a constant, so we don't really lose much from a maintenance stand-point.
The jenkins plugin would use the regular username tag for ListSecrets and only need to parse the json for GetSecretValue.
(The json mode could be activated by specifying some sort of jenkins:credentials:passwordFieldName tag.)
from aws-secrets-manager-credentials-provider-plugin.
Related Issues (20)
- Can we pass googleoauth2 parameters in the helm chart with this plugin HOT 2
- when we use filters option and deploy jenkins with configuration as code, plugin is not able to read if secrets are more than 10 HOT 6
- Support AWS credentials HOT 2
- Icons don't display for "SSH User Private Key" & "Certificate" credentials types HOT 4
- Support for browerstack credential kind HOT 2
- Cross-account role access doesn't appear to work HOT 3
- Make this plugin configurable at folder level, not just centrally HOT 7
- AWS EKS 1.24 client is not respecting jenkins-master pod role HOT 5
- casc config reports improper filter value HOT 5
- reading json secrets HOT 2
- Create support for username-password passing without tag value limitations HOT 3
- Support the popular AmazonWebServicesCredentialsBinding credential types HOT 2
- SSH Keys not working with sshagent
- Ability to set STS endpoint
- The plugin does not pick up Jenkins' proxy settings HOT 4
- Content goes to 404 in Jenkins's documentation
- File Credentials stored in AWS cannot be validated HOT 3
- Don't remove credentials during temporary issues HOT 3
- Github app credentials integrations HOT 1
- "Could not list credentials in Secrets Manager" HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-secrets-manager-credentials-provider-plugin.