-
Notifications
You must be signed in to change notification settings - Fork 44
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Chris Kilding
authored and
Chris Kilding
committed
Apr 17, 2019
0 parents
commit f0e7e64
Showing
45 changed files
with
1,877 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # Compiled class file | ||
| *.class | ||
|
|
||
| # Log file | ||
| *.log | ||
|
|
||
| # BlueJ files | ||
| *.ctxt | ||
|
|
||
| # Mobile Tools for Java (J2ME) | ||
| .mtj.tmp/ | ||
|
|
||
| # Package Files # | ||
| *.jar | ||
| *.war | ||
| *.ear | ||
| *.zip | ||
| *.tar.gz | ||
| *.rar | ||
|
|
||
| # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml | ||
| hs_err_pid* | ||
|
|
||
| # Others | ||
|
|
||
| .DS_Store | ||
| .idea | ||
| *.iml | ||
| target/ | ||
| Messages.properties |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| buildPlugin() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| MIT License | ||
|
|
||
| Copyright (c) 2019 Chris Kilding | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,132 @@ | ||
| # AWS Secrets Manager Credentials Provider Plugin | ||
|
|
||
| Access credentials from AWS Secrets Manager in your Jenkins jobs. (Specify shared secrets once in your AWS account, use them from Jenkins.) | ||
|
|
||
| Features: | ||
|
|
||
| - Read-only view of Secrets Manager. | ||
| - Credential metadata caching (duration: 5 minutes). | ||
| - Jenkins [Configuration As Code](https://github.com/jenkinsci/configuration-as-code-plugin) support. | ||
|
|
||
| Settings: | ||
|
|
||
| - Filters | ||
| - Filter secrets by tag | ||
| - Endpoint Configuration | ||
| - Service Endpoint | ||
| - Signing Region | ||
|
|
||
| ## Setup | ||
|
|
||
| ### Jenkins | ||
|
|
||
| Install and configure the plugin. | ||
|
|
||
| ```bash | ||
| curl -s -o /var/lib/jenkins/plugins/aws-secrets-manager-credentials-provider.hpi https://example.com/aws-secrets-manager-credentials-provider.hpi | ||
| ``` | ||
|
|
||
| ### AWS IAM | ||
|
|
||
| Give Jenkins an [IAM policy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html) with read access to AWS Secrets Manager. | ||
|
|
||
| Required permissions: | ||
|
|
||
| - `secretsmanager:GetSecretValue` (resource: `*`) | ||
| - `secretsmanager:ListSecrets` | ||
|
|
||
| Optional permissions: | ||
|
|
||
| - `kms:Decrypt` (if you use a customer-managed AWS KMS key to encrypt the secret) | ||
|
|
||
| ## Usage | ||
|
|
||
| ### AWS Secrets Manager | ||
|
|
||
| Upload secrets to AWS Secrets Manager in the format "1 secret value = 1 AWS Secret" (see [documentation](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/create-secret.html)). | ||
|
|
||
| Text: | ||
|
|
||
| ```bash | ||
| aws secretsmanager create-secret --name 'newrelic-token' --description 'Acme Corp Newrelic API token' --secret-string 'abc123' | ||
| ``` | ||
|
|
||
| Username + Password: | ||
|
|
||
| ```bash | ||
| aws secretsmanager create-secret --name 'artifactory-username' --description 'Acme Corp Artifactory username' --secret-string 'joe' | ||
| aws secretsmanager create-secret --name 'artifactory-password' --description 'Acme Corp Artifactory password' --secret-string 'supersecret' | ||
| ``` | ||
|
|
||
| SSH key: | ||
|
|
||
| ```bash | ||
| ssh-keygen -t rsa -b 4096 -C '[email protected]' -f id_rsa | ||
| aws secretsmanager create-secret --name 'ssh-key' --description 'Acme Corp SSH key' --secret-string 'file://id_rsa' | ||
| ``` | ||
|
|
||
| ### Jenkinsfile | ||
|
|
||
| Reference a secret in Secrets Manager by its name in a build job: | ||
|
|
||
| ```groovy | ||
| pipeline { | ||
| environment { | ||
| ARTIFACTORY_USERNAME = credentials("artifactory-username") | ||
| ARTIFACTORY_PASSWORD = credentials("artifactory-password") | ||
| } | ||
| stages { | ||
| stage("Deploy") { | ||
| sh "mvn deploy" | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| ## Configuration | ||
|
|
||
| The plugin's default behavior requires **no configuration**. | ||
|
|
||
| Customise the plugin using the Web UI or [Jenkins Configuration As Code](https://github.com/jenkinsci/configuration-as-code-plugin). | ||
|
|
||
| ```yaml | ||
| unclassified: | ||
| awsCredentialsProvider: | ||
| filters: | ||
| tag: | ||
| key: product | ||
| value: roadrunner | ||
| endpointConfiguration: | ||
| serviceEndpoint: http://localhost:4584 | ||
| signingRegion: us-east-1 | ||
| ``` | ||
| ## Bugs | ||
| - All secrets must be uploaded via the AWS CLI or API. This is because the AWS Web console *currently* insists on wrapping your secret string in JSON. | ||
| - All secrets must be in "secret string" format (not "secret binary") as Jenkins will parse them into (UTF-8) string credentials. You can base64 encode a binary secret to work around this. | ||
| ## Development | ||
| Dependencies: | ||
| - Java 8 | ||
| - Maven | ||
| - Moto (a specific fork with `ListSecrets` support: <https://github.com/chriskilding/moto/tree/feature/secretsmanager-listsecrets>) | ||
|
|
||
| Setup: | ||
|
|
||
| - Install the Moto fork to your system with `pip`. | ||
| - Ensure that `moto_server` is on your `PATH` (the command `moto_server -p 4584` should launch the forked code in standalone server mode). | ||
|
|
||
| Test: | ||
|
|
||
| ```bash | ||
| mvn verify | ||
| ``` | ||
|
|
||
| ## Screenshots | ||
|
|
||
| AWS Secrets Manager secrets listed in the Jenkins credentials screen: | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| # Examples: IAM | ||
|
|
||
| Typical Secrets Manager IAM policies and customisations for use with this Jenkins plugin. | ||
|
|
||
| ## Default | ||
|
|
||
| The default policy: | ||
|
|
||
| ```json | ||
| { | ||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": "secretsmanager:GetSecretValue", | ||
| "Resource": "*" | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": "secretsmanager:ListSecrets" | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
|
|
||
| ## Restrict to specific secret | ||
|
|
||
| Restrict access to a specific secret like this: | ||
|
|
||
| ```json | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": "secretsmanager:GetSecretValue", | ||
| "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>" | ||
| } | ||
| ``` | ||
|
|
||
| ## Restrict to specific secret namespace | ||
|
|
||
| Restrict access to a namespace of secrets like this: | ||
|
|
||
| ```json | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": "secretsmanager:GetSecretValue", | ||
| "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<namespace>/*" | ||
| } | ||
| ``` |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.