  1. Jenkins
  2. JENKINS-60132

Add support for AWS parameter store as a backend for storing credentials


      Feature

      Allow Jenkins to look up credentials in AWS Parameter Store. (They will be stored as Secure String parameters
      https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-securestring.html).

      Rationale

      • Storing credentials in Parameter Store can be cheaper than storing them in Secrets Manager.
      • TODO anything else?

      Questions

      • Does this belong in its own project/plugin or is there opportunity for code reuse as part of aws-secrets-manager-credentials-provider-plugin?

       

      Comparison of services

      $ = chargeable

      Feature                           | Secrets Manager | Standard Parameter    | Advanced Parameter
      Size                              | 10.24kb         | 4kb                   | 8kb
      Monthly cost per secret           | $0.40           | Free                  | $0.05
      IAM per-secret policy             | Yes             | No                    | Yes
      Max API calls per sec (retrieval) | 1,500 ($)       | 40 (free) / 1,000 ($) | 40 ($) / 1,000 ($)
      Max num secrets                   | 40,000          | 10,000                | 100,000
      String secrets                    | Yes             | Yes                   | Yes
      Binary secrets                    | Yes             | No                    | No

      Constraints

      • Jenkins should be able to source credentials from both Secrets Manager and Parameter Store. (Using one should not rule out using the other.)
      • If Jenkins encounters an error looking up secrets in one of the services, this should not impede lookups in the other. (An exception from a Secrets Manager API call should not break secret resolution in Parameter Store if PS is still functioning.)
      • Tag naming conventions should be shared in both PS and SM. (E.g. a username tag should be called jenkins:credentials:username in PS, just like it is in SM today.)
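
The constraints above, as an added Python example (not code from the Jenkins plugin): each backend is queried on its own, a failure in one is recorded without hiding the other's credentials, and both read the same `jenkins:credentials:username` tag. `FakeBackend`, `list_entries`, `resolve_all` and the sample entries are hypothetical, and the rule that the first backend wins on a duplicate ID is an assumption.

```python
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("credentials")
USERNAME_TAG = "jenkins:credentials:username"  # same tag name in SM and PS

@dataclass(frozen=True)
class Credential:
    id: str
    username: Optional[str]
    secret: str = field(repr=False)  # keep the value out of logs and reprs
    source: str = ""

class FakeBackend:
    """Constructed stand-in for a Secrets Manager or Parameter Store client."""
    def __init__(self, name, entries=(), fail=None):
        self.name, self.entries, self.fail = name, list(entries), fail

    def list_entries(self):
        if self.fail:
            raise self.fail
        return self.entries  # (id, secret value, tags) tuples

def resolve_all(backends):
    """Query every backend; an error in one never blocks lookups in another."""
    found, errors = {}, {}
    for backend in backends:
        try:
            # Materialise inside the try so a lazy listing that fails midway
            # is treated as a backend failure, not a partial result.
            entries = list(backend.list_entries())
        except Exception as exc:
            log.warning("credential lookup failed in %s: %s", backend.name, exc)
            errors[backend.name] = exc
            continue
        for cred_id, value, tags in entries:
            cred = Credential(cred_id, tags.get(USERNAME_TAG), value, backend.name)
            found.setdefault(cred_id, cred)  # assumption: first backend wins
    return found, errors

def demo():
    # Constructed sample data: Secrets Manager is failing, Parameter Store works.
    sm = FakeBackend("secretsmanager", fail=RuntimeError("ThrottlingException"))
    ps = FakeBackend("parameterstore", [
        ("deploy-user", "s3cr3t", {USERNAME_TAG: "deploy"}),
        ("api-token", "tok-123", {}),
    ])
    return resolve_all([sm, ps])
```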

            chriskilding Chris Kilding
            stradenko C