JENKINS-59671

Support storing multiple Jenkins credentials in a single Secrets Manager secret

      Description

      The mapping of AWS Secret to Jenkins Credential is strictly 1:1 at the moment. The secretString or secretBinary field is used verbatim as the credential's data: we do not attempt to parse JSON inside the secretString. Credential metadata, if any, maps to the relevant metadata fields on the secret (description and tags).

      Consider whether we can support multiple credentials per secret, and maybe even user-defined JSON schemas for those secrets to allow credential metadata to be set in custom formats.

            Activity

Chris Kilding (chriskilding) added a comment:

            After further consideration, there are significant problems with storing multiple credentials in 1 AWS secret:

            • An AWS binary secret cannot hold multiple PKCS#12 certificate credentials, (a) because a single certificate cred is already close to the secret size limits, and (b) because there would be no indicator of where one certificate ended and the next began, without inventing a custom binary schema and adding extra parsing code.
            • Credentials tracking & CloudWatch logs. The 1:1 model makes this easy: accessing 1 credential creates 1 entry in CloudWatch. If there are multiple credentials in a secret, we cannot know from CloudWatch which one was actually used.
            • Permissions. The 1:1 model makes permissions easy: if you granted access to a secret in IAM, Jenkins can access that secret. If we have multiple creds per secret we cannot limit access to individual creds with IAM.
            Chris Kilding (chriskilding) added a comment:

            I don’t believe the above problems are solvable without significantly complicating the plugin, or adding the possibility of users misunderstanding the credential storage format in Secrets Manager. I’m therefore inclined to close this ticket as wontfix, unless anyone has other ideas.
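The three problems above, illustrated as an added example that is not part of the ticket or the plugin's own code: it models the current 1:1 layout beside a hypothetical packed-JSON layout using constructed secret names and CloudTrail-style GetSecretValue records (Secrets Manager API calls are recorded by CloudTrail, which can deliver them to CloudWatch Logs), and shows that only the 1:1 layout lets an audit record be attributed to a single credential and lets an IAM policy grant one credential without also granting its siblings.

```python
# Added illustration of the thread above; constructed data, not plugin code.
# Two layouts are modelled: 1:1 (one Secrets Manager secret per Jenkins
# credential, the current model) and N:1 (several credentials packed into
# one JSON secret, the proposal under discussion).
import json

ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:"  # constructed

# Layout: secret name -> Jenkins credential ids stored inside that secret.
ONE_TO_ONE = {"ci/github-token": ["github-token"], "ci/deploy-key": ["deploy-key"]}
PACKED = {"ci/bundle": ["github-token", "deploy-key"]}  # hypothetical JSON secret


def attribute(event, layout):
    """Credential ids a CloudTrail GetSecretValue record could have served.
    Only the SecretId reaches the audit log, never which JSON key was read,
    so a packed secret always yields more than one candidate."""
    if event.get("eventName") != "GetSecretValue":
        return set()
    return set(layout.get(event["requestParameters"]["secretId"], []))


def grant(needed, layout):
    """(secrets an IAM policy must allow, credentials granted as a side effect).
    IAM scopes GetSecretValue by secret ARN, not by JSON key, so allowing a
    packed secret also exposes every sibling credential stored in it."""
    allowed = sorted(s for s, creds in layout.items() if set(creds) & set(needed))
    side_effect = {c for s in allowed for c in layout[s]} - set(needed)
    return allowed, sorted(side_effect)


def policy(allowed):
    """Least-privilege policy for the allowed secrets; the trailing -* covers
    the random suffix Secrets Manager appends to secret ARNs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
        "Resource": [ARN + s + "-*" for s in allowed]}]}


if __name__ == "__main__":
    # Constructed audit records: one per secret fetch, as CloudTrail logs them.
    ev = lambda name: {"eventName": "GetSecretValue",
                       "requestParameters": {"secretId": name}}
    print("1:1 fetch ->", attribute(ev("ci/github-token"), ONE_TO_ONE))  # exact
    print("N:1 fetch ->", attribute(ev("ci/bundle"), PACKED))            # ambiguous
    print("1:1 grant ->", grant(["github-token"], ONE_TO_ONE))
    print("N:1 grant ->", grant(["github-token"], PACKED))
    print(json.dumps(policy(grant(["github-token"], ONE_TO_ONE)[0]), indent=2))
```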

            Bruno Palermo (palermo) added a comment (edited):

            Chris Kilding, this feature would allow a 1:1 mapping between pipeline and secret. If the pipeline uses multiple secrets, they could all be stored together. JSON support could be opt-in.


              People

              Assignee: Chris Kilding (chriskilding)
              Reporter: Chris Kilding (chriskilding)
              Votes: 0
              Watchers: 2
