Allow Jenkins to look up credentials in AWS Parameter Store. (They will be stored as SecureString parameters.)
- Storing credentials in Parameter Store can be cheaper than storing them in Secrets Manager.
- TODO anything else?
- Does this belong in its own project/plugin or is there opportunity for code reuse as part of aws-secrets-manager-credentials-provider-plugin?
Comparison of services
$ = chargeable
| Feature | Secrets Manager | Standard Parameter | Advanced Parameter |
|---|---|---|---|
| Monthly cost per secret | $0.40 | Free | $0.05 |
| IAM per-secret policy | Yes | No | Yes |
| Max API calls per sec (retrieval) | 1,500 ($) | 40 (free) | |
| Max number of secrets | 40,000 | 10,000 | 100,000 |
- Jenkins should be able to source credentials from both Secrets Manager and Parameter Store. (Using one should not rule out using the other.)
- If Jenkins encounters an error looking up secrets in one of the services, this should not impede lookups in the other. (An exception from a Secrets Manager API call should not break secret resolution in Parameter Store if PS is still functioning.)
- Tag naming conventions should be shared between PS and SM. (E.g., a username tag should be called `jenkins:credentials:username` in PS, just like it is in SM today.)
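
The isolation and shared-tag requirements above, sketched as an added example (not code from the plugin): each source is queried inside its own try/catch, so a Secrets Manager failure does not stop Parameter Store results from being returned. The `Cred` record, the `lookup` method and the in-memory sources are hypothetical stand-ins for the real AWS clients.

```java
import java.util.*;
import java.util.function.Supplier;

public class IsolatedCredentialLookup {
    // Tag key shared by both services, as the last requirement states.
    static final String USERNAME_TAG = "jenkins:credentials:username";

    // Hypothetical shape of one credential: an ID plus the tags read from the service.
    record Cred(String id, Map<String, String> tags) {
        String username() { return tags.get(USERNAME_TAG); }
    }

    // Query every source; a failure in one is recorded and the others are still used.
    static List<Cred> lookup(Map<String, Supplier<List<Cred>>> sources, List<String> errors) {
        List<Cred> found = new ArrayList<>();
        for (Map.Entry<String, Supplier<List<Cred>>> s : sources.entrySet()) {
            try {
                found.addAll(s.getValue().get());
            } catch (RuntimeException e) {
                // Record the source name and exception class only, never secret material.
                errors.add(s.getKey() + ": " + e.getClass().getSimpleName());
            }
        }
        return found;
    }

    public static void main(String[] args) {
        Map<String, Supplier<List<Cred>>> sources = new LinkedHashMap<>();
        // Constructed stand-ins for the two AWS clients: SM fails, PS answers.
        sources.put("SecretsManager", () -> {
            throw new IllegalStateException("constructed outage");
        });
        sources.put("ParameterStore", () -> List.of(
                new Cred("/jenkins/deploy-key", Map.of(USERNAME_TAG, "deploy"))));

        List<String> errors = new ArrayList<>();
        for (Cred c : lookup(sources, errors)) {
            System.out.println(c.id() + " username=" + c.username());
        }
        System.out.println("failed sources: " + errors);
    }
}
```

Surfacing the per-source error list to the administrator matters here: a silently empty result from one service would otherwise look the same as that service holding no credentials.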