AWS Secrets Manager Credentials Provider

Access credentials from AWS Secrets Manager in your Jenkins jobs.

Features

  • Read-only view of Secrets Manager.
  • Credential metadata caching (duration: 5 minutes).
  • Jenkins Configuration As Code support.
  • Cross-account Secrets Manager support with IAM roles.

Settings:

  • Filters
    • Filter secrets by tag
  • Endpoint Configuration
    • Service Endpoint
    • Signing Region

Setup

Jenkins

Install and configure the plugin.

IAM

Give Jenkins read access to Secrets Manager with an IAM policy.

Required permissions:

  • secretsmanager:GetSecretValue (resource: *)
  • secretsmanager:ListSecrets

Optional permissions:

  • kms:Decrypt (if you use a customer-managed KMS key to encrypt the secret)
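The permissions above as an IAM policy document, written here as an added example rather than taken from the plugin's documentation. ListSecrets only works against "*", and the plugin needs "*" on GetSecretValue as stated above; the key ARN in the second statement is a placeholder for your own customer-managed key, and that statement can be dropped entirely if your secrets use the AWS-managed key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "JenkinsReadSecretsManager",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "JenkinsDecryptCustomerManagedKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"
    }
  ]
}
```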

โš ๏ธ We strongly recommend that you use an AWS machine authentication method (such as EC2 Instance Profiles or EKS Service Roles) to authenticate Jenkins with Secrets Manager.

Usage

  1. Upload the secret to Secrets Manager as shown below (see also the AWS documentation).
  2. Reference the secret by name in your Jenkins job.

A Secrets Manager secret acts as one of the following Jenkins credential types, depending on the data and metadata that you put in it.

Secret Text

A simple secret string.

aws secretsmanager create-secret --name 'newrelic-api-key' --secret-string 'abc123' --description 'Acme Corp Newrelic API key'

Declarative Pipeline

pipeline {
    agent any
    environment {
        NEWRELIC_API_KEY = credentials('newrelic-api-key')
    }
    stages {
        stage('Foo') {
            steps {
                echo 'Hello world'
            }
        }
    }
}

Scripted Pipeline

node {
    withCredentials([string(credentialsId: 'newrelic-api-key', variable: 'NEWRELIC_API_KEY')]) {
        echo 'Hello world'
    }
}

Username with Password

A username and password pair.

aws secretsmanager create-secret --name 'artifactory' --secret-string 'supersecret' --tags 'Key=jenkins:credentials:username,Value=joe' --description 'Acme Corp Artifactory login'

Declarative Pipeline

pipeline {
    agent any
    environment {
        // Creates variables ARTIFACTORY=joe:supersecret, ARTIFACTORY_USR=joe, ARTIFACTORY_PSW=supersecret
        ARTIFACTORY = credentials('artifactory')
    }
    stages {
        stage('Foo') {
            steps {
                echo 'Hello world'
            }
        }
    }
}

Scripted Pipeline

node {
    withCredentials([usernamePassword(credentialsId: 'artifactory', usernameVariable: 'ARTIFACTORY_USR', passwordVariable: 'ARTIFACTORY_PSW')]) {
        echo 'Hello world'
    }
}

SSH User Private Key

A private key with a username.

The plugin supports the following private key formats and encoding schemes:

  • Format
    • PEM
  • Encoding
    • PKCS#1 (starts with -----BEGIN [ALGORITHM] PRIVATE KEY-----)
    • PKCS#8 (starts with -----BEGIN PRIVATE KEY-----)
    • OpenSSH (starts with -----BEGIN OPENSSH PRIVATE KEY-----)

ssh-keygen -t rsa -b 4096 -C '[email protected]' -f id_rsa
aws secretsmanager create-secret --name 'ssh-key' --secret-string 'file://id_rsa' --tags 'Key=jenkins:credentials:username,Value=joe' --description 'Acme Corp SSH key'

Declarative Pipeline

pipeline {
    agent any
    environment {
        // Creates variables KEY=/temp/path/to/key, KEY_USR=joe
        KEY = credentials('ssh-key')
    }
    stages {
        stage('Foo') {
            steps {
                echo 'Hello world'
            }
        }
    }
}

Scripted Pipeline

node {
    withCredentials([sshUserPrivateKey(credentialsId: 'ssh-key', keyFileVariable: 'KEY', usernameVariable: 'KEY_USR')]) {
        echo 'Hello world'
    }
}

Certificate

A client certificate in PKCS#12 format.

The plugin requires the .p12 file to be encrypted with a zero-length password, as demonstrated below.

openssl pkcs12 -export -in /path/to/cert.pem -inkey /path/to/key.pem -out certificate.p12 -passout pass:
aws secretsmanager create-secret --name 'code-signing-cert' --secret-binary 'fileb://certificate.p12' --description 'Acme Corp code signing certificate'

Scripted Pipeline

node {
    withCredentials([certificate(credentialsId: 'code-signing-cert', keystoreVariable: 'STORE_FILE')]) {
        echo 'Hello world'
    }
}

Configuration

The plugin's default behavior requires no configuration.

Web UI

You can set plugin configuration using the Web UI.

Go to Manage Jenkins > Configure System > AWS Secrets Manager Credentials Provider and change the settings.

Configuration As Code (CasC)

You can set plugin configuration using Jenkins Configuration As Code.

unclassified:
  awsCredentialsProvider:
    filters:
      tag:
        key: product
        value: roadrunner
    endpointConfiguration:
      serviceEndpoint: http://localhost:4584
      signingRegion: us-east-1

Bugs

All secrets must be uploaded via the AWS CLI or API. This is because the AWS Web console currently insists on wrapping your secret string in JSON.
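Added here as an illustration (not the plugin's own code), this Python sketch applies the mapping rules from the Usage section and the caveat from the Bugs section: it works out which Jenkins credential type a secret resolves to from its SecretString or SecretBinary and the jenkins:credentials:username tag, and flags values that the AWS console has wrapped in a JSON object. The function names and the sample secrets are constructed for this example.

```python
import json
import re
from enum import Enum

# Tag the README uses to attach a username to a secret.
USERNAME_TAG = "jenkins:credentials:username"
# Header forms of the listed encodings: PKCS#1 (e.g. RSA), PKCS#8 (bare) and OpenSSH.
PRIVATE_KEY_HEADER = re.compile(r"^-----BEGIN (?:[A-Z0-9]+ )?PRIVATE KEY-----", re.MULTILINE)


class CredentialType(Enum):
    SECRET_TEXT = "Secret Text"
    USERNAME_PASSWORD = "Username with Password"
    SSH_USER_PRIVATE_KEY = "SSH User Private Key"
    CERTIFICATE = "Certificate"


def classify_secret(secret_string=None, secret_binary=None, tags=None):
    """Map a secret's data and tags to the credential type the README describes."""
    tags = tags or {}
    if secret_binary is not None:
        return CredentialType.CERTIFICATE  # binary payloads are PKCS#12 keystores
    if secret_string is None:
        raise ValueError("secret has neither SecretString nor SecretBinary")
    if USERNAME_TAG not in tags:
        return CredentialType.SECRET_TEXT
    if PRIVATE_KEY_HEADER.search(secret_string):
        return CredentialType.SSH_USER_PRIVATE_KEY
    return CredentialType.USERNAME_PASSWORD


def looks_console_wrapped(secret_string):
    """True when the value is a JSON object, the shape the AWS console stores secrets in."""
    try:
        return isinstance(json.loads(secret_string), dict)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample secrets mirroring the README's examples.
    samples = [
        ("newrelic-api-key", "abc123", None, {}),
        ("artifactory", "supersecret", None, {USERNAME_TAG: "joe"}),
        ("ssh-key", "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n", None, {USERNAME_TAG: "joe"}),
        ("code-signing-cert", None, b"\x30\x82", {}),
        ("console-made", '{"newrelic-api-key": "abc123"}', None, {}),
    ]
    for name, text, binary, tags in samples:
        note = " (console-wrapped JSON: re-create via CLI/API)" if text and looks_console_wrapped(text) else ""
        print(f"{name}: {classify_secret(text, binary, tags).value}{note}")
```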

Development

Dependencies

  • Docker
  • Java
  • Maven

Build

In Maven:

mvn verify

In your IDE:

  1. Generate translations: mvn localizer:generate. (This is a one-off task. You only need to re-run this if you change the translations, or if you clean the Maven target directory.)
  2. Compile.
  3. Start Moto: mvn docker:build docker:start.
  4. Run tests.
  5. Stop Moto: mvn docker:stop.

Screenshots

Credentials screen
