Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-42345

S3 credentials should be using jenkins credential storage instead of the system configuration

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Unresolved
    • Icon: Minor Minor
    • s3-plugin
    • None

      As far as I'm aware what you call S3 profile is actually an AWS API Access key. And since in the credentials, there is a type called AWS credentials, I think it would be much better to store the Access key ID and the Secret Access key there, since if you are using S3 there is a pretty high probability, you are using other AWS services too.

      Also, from a jenkins user perspective, if I want to store any kind of login/password pair, authentication credential or secret, I would do it in the "central" place which was created to do it, instead of putting it to the system config.

          [JENKINS-42345] S3 credentials should be using jenkins credential storage instead of the system configuration

          Alexander A added a comment -

          Hi

          > As far as I'm aware what you call S3 profile is actually an AWS API Access key.

          Not me, I'm just a maintainer - not a creator

          > And since in the credentials, there is a type called AWS credentials, I think it would be much better to store the Access key ID and the Secret Access key there

          It's tricky question, because Jenkins should be able to deserialise it (to save it on disk in config.xml). I don't think that it will work for AWSCredentials object.

          > since if you are using S3 there is a pretty high probability, you are using other AWS services too.

          Are you aware about this chain http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default ?

          We are using S3 and other services quite hard and in most cases we are using option "use AIM role". In this case S3 Plugin initialise S3 Client with empty login/password and this chain comes in game. And you can use "central" place (i.e. env variables or  ~/.aws/credentials, but don't forger that it must be done on agents as well as on master)

          If wrong name of this option ("use AMI role") confused you, please, create PR with better name

          Alexander A added a comment - Hi > As far as I'm aware what you call S3 profile is actually an AWS API Access key. Not me, I'm just a maintainer - not a creator > And since in the credentials, there is a type called AWS credentials, I think it would be much better to store the Access key ID and the Secret Access key there It's tricky question, because Jenkins should be able to deserialise it (to save it on disk in config.xml). I don't think that it will work for AWSCredentials object. > since if you are using S3 there is a pretty high probability, you are using other AWS services too. Are you aware about this chain http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default  ? We are using S3 and other services quite hard and in most cases we are using option "use AIM role". In this case S3 Plugin initialise S3 Client with empty login/password and this chain comes in game. And you can use "central" place (i.e. env variables or   ~/.aws/credentials , but don't forger that it must be done on agents as well as on master) If wrong name of this option ("use AMI role") confused you, please, create PR with better name

            jimilian Alexander A
            lorantonodi Lorant Onodi
            Votes:
            2 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: