
[JENKINS-39374] Add ability to get SCM authentication tokens from Vault

It would be really nice if we could use the Vault tokens not just during the build process but also to get authentication tokens for the SCM stage. That way we would only have to provide Jenkins with the ability to get tokens from Vault and could store all our other tokens in Vault, which provides the ability to have tokens expire, etc.


          Petrik van der Velde created issue -

Tobias Larscheid added a comment -

I really like this idea. I think you would need to implement a custom CredentialsProvider that reads the credentials from Vault. The interesting question is where this CredentialsProvider would get its Token / AppRole credentials from, and how this could be scoped to different Folders / Jobs.

Thomas Koren added a comment -

I wrapped a groovy script in a job to sync credentials periodically from Vault to Jenkins' credential store. The access token is read from the vault-plugin config. From there on you can use Vault credentials wherever you need them in Jenkins.

I think about turning that into a plugin, as soon as I find some time for that. Until then, you might try the script approach yourself. Jenkins is very open when it comes to groovy scripting.
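A sketch of the periodic sync Thomas describes, written here as an added example rather than his script or anything shipped by the vault plugin. It assumes the Vault address, that the Vault token lives in a Jenkins "secret text" credential with the id `vault-token`, a KV v2 engine mounted at `secret/`, and that each Vault secret carries `username` and `password` keys; run it from a scheduled job on the controller.

```groovy
import groovy.json.JsonSlurper
import jenkins.model.Jenkins
import hudson.security.ACL
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.domains.Domain
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl
import org.jenkinsci.plugins.plaincredentials.StringCredentials

// Assumed values (not from the ticket): Vault endpoint, the id of the Jenkins
// credential holding the Vault token, and a map of Jenkins credential id -> Vault path.
def vaultAddr = 'https://vault.example.internal:8200'
def tokenCredId = 'vault-token'
def secretPaths = ['scm-github': 'jenkins/scm-github']

// The only secret Jenkins has to hold itself is the Vault token.
def tokenCred = CredentialsProvider
    .lookupCredentials(StringCredentials, Jenkins.instance, ACL.SYSTEM, [])
    .find { it.id == tokenCredId }
if (!tokenCred) throw new IllegalStateException("no Vault token credential '${tokenCredId}'")
def vaultToken = tokenCred.secret.plainText

// Read a KV v2 secret: GET /v1/secret/data/<path>, payload is under data.data.
def readKv2 = { String path ->
    def conn = new URL("${vaultAddr}/v1/secret/data/${path}").openConnection()
    conn.setRequestProperty('X-Vault-Token', vaultToken)
    if (conn.responseCode != 200) {
        throw new IOException("Vault returned HTTP ${conn.responseCode} for ${path}")
    }
    new JsonSlurper().parse(conn.inputStream).data.data
}

// Upsert each secret into the system credential store so jobs can use it by id.
def store = SystemCredentialsProvider.instance.store
def domain = Domain.global()
secretPaths.each { credId, path ->
    def kv = readKv2(path)
    def fresh = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, credId,
        "synced from Vault ${path}", kv.username, kv.password)
    def existing = store.getCredentials(domain).find { it.id == credId }
    if (existing) {
        store.updateCredentials(domain, existing, fresh)   // rotate in place, keep the id stable
    } else {
        store.addCredentials(domain, fresh)
    }
}
```

Note that this approach still lands a copy of each secret in Jenkins' own (master-key encrypted) store, which is exactly what the later CredentialsProvider suggestions in this thread avoid; if Vault issues short-lived values, the sync job must run more often than their TTL.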

Petrik van der Velde added a comment -

tkoren Have you had a chance to either make the script available or to turn the script into a PR? We're starting to look at making this work now but I have no idea where to even start.

Richard Vodden added a comment -

I'd be really interested in helping with this. Exposing the Vault secrets via a CredentialsProvider will make for a much more flexible plugin. I'll knock together a PR unless someone shouts.

Petrik van der Velde added a comment -

rvodden if you do, let me know if you need a tester. I would love to have this! Removing the credentials from Jenkins will go a long way towards making Jenkins easier to deploy from a script / configuration management system.

Nick Sanborn added a comment -

Is there any partially completed work on this? Is there any active work being done right now? We can help if needed.

We'd like to use this to auth the github organization plugin, the kubernetes plugin, etc., and it would allow us to have a solid security posture on Jenkins. If this were a plugin that exposed a credential provider (not a sync to the Jenkins credential store) then the only credential we would need in the Jenkins credential store is the one used by the vault plugin. In the case of an out-of-band verified auth method such as jwt based ones like gcp auth or k8s auth, the value of the credential is not sensitive. This way no actual sensitive information is stored in Jenkins but rather just exposed to jobs ephemerally via this vault plugin.

Petrik van der Velde added a comment -

sanbornick I haven't seen anything. Above rvodden said he was going to put together a PR but I haven't seen one yet. I would love to have the ability to use Vault to handle all the credentials. That would reduce the attack surface for all the connected services.

Richard Vodden added a comment -

I did have a look at this, and then real life got in the way. Let me have a look at how far I got and at the very least push a branch up or something.
          Richard Vodden made changes -
          Assignee Original: Peter Tierno [ ptierno ] New: Richard Vodden [ rvodden ]
