JENKINS-60132: Add support for AWS Parameter Store as a backend for storing credentials

      Description

      Feature

      Allow Jenkins to look up credentials in AWS Parameter Store. They will be stored as SecureString parameters
      (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-securestring.html).

      Rationale

      • Storing credentials in Parameter Store can be cheaper than storing them in Secrets Manager.
      • TODO anything else?

      Questions

      • Does this belong in its own project/plugin or is there opportunity for code reuse as part of aws-secrets-manager-credentials-provider-plugin?


      Comparison of services

      $ = chargeable

      Feature                              Secrets Manager   Standard Parameter      Advanced Parameter
      Size                                 10.24 KB          4 KB                    8 KB
      Monthly cost per secret              $0.40             Free                    $0.05
      IAM per-secret policy                Yes               No                      Yes
      Max API calls per sec (retrieval)    1,500 ($)         40 (free) / 1,000 ($)   40 ($) / 1,000 ($)
      Max num secrets                      40,000            10,000                  100,000
      String secrets                       Yes               Yes                     Yes
      Binary secrets                       Yes               No                      No

      Constraints

      • Jenkins should be able to source credentials from both Secrets Manager and Parameter Store. (Using one should not rule out using the other.)
      • If Jenkins encounters an error looking up secrets in one of the services, this should not impede lookups in the other. (An exception from a Secrets Manager API call should not break secret resolution in Parameter Store if PS is still functioning.)
      • Tag naming conventions should be shared in both PS and SM. (E.g. a username tag should be called jenkins:credentials:username in PS, just like it is in SM today.)
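      The three constraints above, worked through as an added example (hypothetical resolver written for this ticket, not code from the plugin or from AWS): both backends are queried, a failure in one is logged and skipped rather than aborting the other, and the same jenkins:credentials:* tag prefix is applied to SM tags and PS tags. The clients are duck-typed to the boto3 method names and response shapes (list_secrets, get_secret_value, get_parameters_by_path, list_tags_for_resource), so real boto3 clients can be passed in; the embedded fakes and the /jenkins/ parameter path are constructed sample data and an assumed convention, respectively. Only SecureString parameters are treated as credentials.

```python
"""Credential lookup across AWS Secrets Manager and SSM Parameter Store (hypothetical resolver).

Clients are duck-typed: anything exposing the boto3 method names and response shapes works,
so boto3.client("secretsmanager") / boto3.client("ssm") can be passed in. Fakes with
constructed sample data are embedded so the module runs offline.
"""
import logging
from dataclasses import dataclass

TAG_PREFIX = "jenkins:credentials:"  # shared tag convention for both backends (constraint 3)


@dataclass(frozen=True)
class Credential:
    id: str           # secret name or parameter name
    source: str       # "secretsmanager" or "parameterstore"
    secret: str       # decrypted value
    attributes: dict  # jenkins:credentials:* tags with the prefix stripped, e.g. {"username": ...}


def jenkins_tags(tags):
    """Project AWS tags onto the shared convention; tags without the prefix are ignored."""
    return {t["Key"][len(TAG_PREFIX):]: t["Value"] for t in tags if t["Key"].startswith(TAG_PREFIX)}


def from_secrets_manager(sm):
    creds, token = [], None
    while True:  # follow NextToken pagination
        page = sm.list_secrets(NextToken=token) if token else sm.list_secrets()
        for entry in page.get("SecretList", []):
            attrs = jenkins_tags(entry.get("Tags", []))
            if attrs:  # secrets without jenkins:credentials:* tags are not exposed to Jenkins
                value = sm.get_secret_value(SecretId=entry["Name"])["SecretString"]
                creds.append(Credential(entry["Name"], "secretsmanager", value, attrs))
        token = page.get("NextToken")
        if not token:
            return creds


def from_parameter_store(ssm, path="/jenkins/"):
    creds, token = [], None
    while True:
        args = {"Path": path, "Recursive": True, "WithDecryption": True}  # decrypt SecureString via KMS
        if token:
            args["NextToken"] = token
        page = ssm.get_parameters_by_path(**args)
        for p in page.get("Parameters", []):
            if p["Type"] != "SecureString":
                continue  # plain String/StringList parameters are configuration, not credentials
            tags = ssm.list_tags_for_resource(ResourceType="Parameter", ResourceId=p["Name"])
            attrs = jenkins_tags(tags.get("TagList", []))
            if attrs:
                creds.append(Credential(p["Name"], "parameterstore", p["Value"], attrs))
        token = page.get("NextToken")
        if not token:
            return creds


def resolve_all(sm, ssm, path="/jenkins/"):
    """Constraint 2: each backend is queried on its own; an error in one never hides the other."""
    creds = []
    for name, lookup in (("secretsmanager", lambda: from_secrets_manager(sm)),
                         ("parameterstore", lambda: from_parameter_store(ssm, path))):
        try:
            creds.extend(lookup())
        except Exception as exc:  # with real boto3 this is botocore.exceptions.ClientError
            logging.warning("credential lookup in %s failed: %s", name, exc)
    return creds


# ---- constructed fakes mimicking boto3 response shapes (sample data, not real secrets) ----
class FakeSecretsManager:
    def __init__(self, secrets, fail=False):
        self.secrets, self.fail = secrets, fail

    def list_secrets(self, NextToken=None):
        if self.fail:
            raise RuntimeError("AccessDeniedException (simulated SM outage)")
        return {"SecretList": [{"Name": n, "Tags": s["Tags"]} for n, s in self.secrets.items()]}

    def get_secret_value(self, SecretId):
        return {"SecretString": self.secrets[SecretId]["Value"]}


class FakeSsm:
    def __init__(self, params):
        self.params = params

    def get_parameters_by_path(self, Path, Recursive, WithDecryption, NextToken=None):
        return {"Parameters": [{"Name": n, "Type": p["Type"], "Value": p["Value"]}
                               for n, p in self.params.items() if n.startswith(Path)]}

    def list_tags_for_resource(self, ResourceType, ResourceId):
        return {"TagList": self.params[ResourceId]["Tags"]}


def build_fakes(sm_fails=False):
    """Sample inventory: one tagged SM secret, one untagged SM secret, one SecureString, one String."""
    sm = FakeSecretsManager({
        "prod/db": {"Value": "hunter2", "Tags": [
            {"Key": "jenkins:credentials:type", "Value": "usernamePassword"},
            {"Key": "jenkins:credentials:username", "Value": "deploy"}]},
        "prod/unrelated": {"Value": "x", "Tags": [{"Key": "team", "Value": "platform"}]},
    }, fail=sm_fails)
    ssm = FakeSsm({
        "/jenkins/artifactory": {"Type": "SecureString", "Value": "tok-123", "Tags": [
            {"Key": "jenkins:credentials:type", "Value": "usernamePassword"},
            {"Key": "jenkins:credentials:username", "Value": "svc-artifactory"}]},
        "/jenkins/region": {"Type": "String", "Value": "eu-west-1", "Tags": []},
    })
    return sm, ssm
```

      With both fakes healthy, resolve_all returns the SM secret and the SecureString parameter with identical attribute keys (type, username); with the SM fake set to fail, it logs the error and still returns the Parameter Store credential.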

          Activity

          chriskilding Chris Kilding added a comment -

          I’ve refactored the feature definition to be more structured, and I’ve provided a few constraints to focus the ticket.

          Identifying how to proceed on this is a bit confusing, in part because AWS themselves seem to be confused. They have effectively built 2 services (SM and PS) which, for the task of managing secrets, seem to do the same thing (with 1 or 2 feature variations).

          In 2018 it got more confusing when they allowed PS to act as a passthrough, so it can retrieve secrets from SM (presumably with the implied extra API call and associated cost).

          chriskilding Chris Kilding added a comment - Migrated to  https://github.com/jenkinsci/aws-secrets-manager-credentials-provider-plugin/issues/72

            People

            Assignee:
            chriskilding Chris Kilding
            Reporter:
            stradenko C
            Votes: 1
            Watchers: 3
