
Request: EC2 plugin should use SSH keys via credentials plugin

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Major
    • Component: ec2-plugin
    • Labels: None
    • Environment: EC2 plugin 1.4.2, Jenkins 2.150.3

      The EC2 plugin currently requires that you insert the SSH private key manually, so it shows up in the UI, which is a security concern. The EC2 plugin should support the use of the credentials plugin so the SSH private key does not need to be exposed to viewers of the "Configure System" page.


          Kinnaird McQuade added a comment - thoulen any thoughts on this?

          FABRIZIO MANFREDI added a comment - I will put it in the backlog for 1.45; if you have time to provide a pull request for that I will be happy to review it.

          Jakub Bochenski added a comment - Also, if you want to use JCasC it will force you to enter the SSH key in plaintext in the JCasC YAML.

          Kinnaird McQuade added a comment - edited

          thoulen - any updates on this? This is a pretty serious security issue.

          jbochenski - we do check in our JCasC to Git, but the SSH key isn't rendered when it's in Git. We followed this approach:

          • Terraform generates the SSH key
          • JCasC is in a templates/jcasc.yml file
          • Terraform uses the `template_file` data source to inject parameters into the template file
          • Private key is loaded into the build file properly using `jsonencode` and `chomp` Terraform functions
          • aws_s3_object is used to take the rendered template and load it to a locked down S3 bucket.
          • We used [my-bloody-jenkins](https://github.com/odavid/my-bloody-jenkins) and passed in the S3 object key location into the container via environment variables. This container runs on AWS ECS with a Task role that is permitted to access the S3 bucket. This way, it can grab it at launch.
            • Additionally, all secrets are set via AWS Parameter Store, so they are accessible as environment variables on the container, which JCasC then reads.

          It's a sound workaround, but the private key is still embedded in the JCasC at some point. At least in this case, the private key is not checked into Git, but it's still stored as part of the JCasC file in S3. They need to fix this ASAP.

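As an added illustration of the workaround listed in the comment above (this is not the reporter's own configuration and not part of the EC2 plugin), the Terraform fragment below generates the key pair, renders a JCasC template with `jsonencode(chomp(...))`, and uploads the result to S3. Resource names, the bucket name, the template path and the JCasC field names are assumptions.

```hcl
# Added example, not the reporter's actual Terraform. Every name below
# (resources, bucket, key path, template path) is assumed.

terraform {
  required_providers {
    aws      = { source = "hashicorp/aws" }
    tls      = { source = "hashicorp/tls" }
    template = { source = "hashicorp/template" }
  }
}

# Step 1: Terraform generates the SSH key pair used for the EC2 agents.
resource "tls_private_key" "agent" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "agent" {
  key_name   = "jenkins-ec2-agent" # assumed name
  public_key = tls_private_key.agent.public_key_openssh
}

# Steps 2-4: render templates/jcasc.yml with the private key injected.
# jsonencode() turns the multi-line PEM block into a JSON string literal
# with "\n" escapes. A JSON string is also a valid double-quoted YAML
# scalar, so the key fits into a single YAML value without block-scalar
# indentation tricks. chomp() strips the trailing newline first, so the
# rendered key does not end in an extra "\n".
#
# templates/jcasc.yml (assumed content; verify the field names against the
# JCasC export of the plugin version you run) contains, for example:
#
#   jenkins:
#     clouds:
#       - amazonEC2:
#           cloudName: "ec2"
#           region: "us-east-1"
#           privateKey: ${private_key}
#
# Any placeholder that JCasC itself should resolve at startup (for
# example an AWS Parameter Store value exposed as an environment
# variable) must be written as $${NAME} in the template, otherwise
# template_file tries to resolve it and fails.
data "template_file" "jcasc" {
  template = file("${path.module}/templates/jcasc.yml")
  vars = {
    key_pair_name = aws_key_pair.agent.key_name
    private_key   = jsonencode(chomp(tls_private_key.agent.private_key_pem))
  }
}

# Step 5: upload the rendered JCasC to a locked-down bucket (assumed name).
# The bucket should block public access and grant s3:GetObject only to the
# ECS task role that runs the Jenkins container.
resource "aws_s3_object" "jcasc" {
  bucket                 = "jenkins-jcasc-config"
  key                    = "jcasc/jenkins.yml"
  content                = data.template_file.jcasc.rendered
  server_side_encryption = "aws:kms"
}

# Step 6: the container receives this location through an environment
# variable and fetches the file at launch.
output "jcasc_s3_uri" {
  value = "s3://${aws_s3_object.jcasc.bucket}/${aws_s3_object.jcasc.key}"
}
```

Two points worth checking when using this pattern: the private key is also written to Terraform state (both `tls_private_key` and the rendered `template_file` data source hold it), so the state backend needs the same access restrictions and encryption as the bucket; and, as the comment itself notes, the rendered file in S3 still contains the key in plaintext, which is exactly the exposure that credentials-plugin support in the EC2 plugin would remove.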

          Kinnaird McQuade added a comment - I don't have the expertise to make this kind of modification, unfortunately. I also don't have the time to do it.

          Jakub Bochenski added a comment - kinnairdm thanks for sharing your workaround. I think you'll agree that having credentials plugin support would be better than jumping through all those hoops?

          FABRIZIO MANFREDI added a comment - With the new release the private key is no longer visible. For the integration with secret manager I don't have an ETA.

          Damian Jesionek added a comment - I added a PR that fixes this issue on GitHub. Please review carefully as this is my first contribution to a Jenkins plugin.

          Brett Delle Grazie added a comment - Note that the implementation on GitHub that has been merged has some issues:

          The credentials matcher and lookup
          (https://github.com/jenkinsci/ec2-plugin/blob/a8cd82ad03fae59c4b079918a43b3f62a5895b4b/src/main/java/hudson/plugins/ec2/EC2Cloud.java#L1026)
          isn't able to find an AWS Secrets Manager secret with user + private key.

          I think the lookup type needs to be relaxed to use the credentials binding plugin interface classes instead, or something to that effect.

          Right now, this implementation is unusable with secrets retrievable from anything other than the internal secret store.


            Assignee: FABRIZIO MANFREDI (thoulen)
            Reporter: Kinnaird McQuade (kinnairdm)
            Votes: 5
            Watchers: 11