[JIRA] (JENKINS-59671) Support storing multiple Jenkins credentials in a single Secrets Manager secret


chris+jenkins@chriskilding.com (JIRA)

Oct 4, 2019, 4:39:04 PM10/4/19
to jenkinsc...@googlegroups.com
Chris Kilding created an issue

Jenkins / Improvement JENKINS-59671
Support storing multiple Jenkins credentials in a single Secrets Manager secret
Issue Type: Improvement
Assignee: Chris Kilding
Components: aws-secrets-manager-credentials-provider-plugin
Created: 2019-10-04 20:38
Priority: Minor
Reporter: Chris Kilding

The mapping of AWS Secret to Jenkins Credential is strictly 1:1 at the moment. The secretString or secretBinary field is used verbatim as the credential's data: we do not attempt to parse JSON inside the secretString. Credential metadata, if any, maps to the relevant metadata fields on the secret (description and tags).

Consider whether we can support multiple credentials per secret, and maybe even user-defined JSON schemas for those secrets to allow credential metadata to be set in custom formats.

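To make the 1:1 mapping described in the issue concrete, here is an added example (not the plugin's own code) that builds one Jenkins credential from one secret, using dictionaries shaped like Secrets Manager's DescribeSecret and GetSecretValue responses. The secret value is copied verbatim, so a SecretString that happens to contain JSON is stored as-is rather than parsed into several credentials. The tag keys `jenkins:credentials:type` and `jenkins:credentials:username` and all sample data are assumptions constructed for this example.

```python
"""Added example: one Secrets Manager secret -> exactly one Jenkins credential.
Not the plugin's code; tag key names and sample data are constructed assumptions."""
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass
class JenkinsCredential:
    """One Jenkins credential produced from exactly one secret."""
    id: str
    description: str
    kind: str
    username: Optional[str]
    secret_string: Optional[str]
    secret_binary: Optional[bytes]


def map_secret(describe: dict, value: dict) -> JenkinsCredential:
    """Map DescribeSecret-style metadata plus a GetSecretValue-style payload
    to a single credential. Metadata comes only from the secret's name,
    description and tags; the value itself is never parsed."""
    tags = {t["Key"]: t["Value"] for t in describe.get("Tags", [])}
    secret_string = value.get("SecretString")
    secret_binary = value.get("SecretBinary")
    # A secret carries either a string or a binary value, never both or neither.
    if (secret_string is None) == (secret_binary is None):
        raise ValueError("expected exactly one of SecretString or SecretBinary")
    if isinstance(secret_binary, str):
        # Over the REST API the binary value arrives base64-encoded.
        secret_binary = base64.b64decode(secret_binary)
    return JenkinsCredential(
        id=describe["Name"],
        description=describe.get("Description", ""),
        kind=tags.get("jenkins:credentials:type", "string"),  # assumed tag key
        username=tags.get("jenkins:credentials:username"),    # assumed tag key
        secret_string=secret_string,  # kept verbatim, even if it looks like JSON
        secret_binary=secret_binary,
    )


# Constructed sample data in the shape of DescribeSecret / GetSecretValue responses.
SAMPLE_DESCRIBE = {
    "Name": "deploy-api-token",
    "Description": "API token for the deploy job",
    "Tags": [{"Key": "jenkins:credentials:type", "Value": "string"}],
}
# A SecretString that looks like a multi-credential JSON document: it is still one credential.
SAMPLE_VALUE = {"SecretString": '{"prod": "tok-1", "staging": "tok-2"}'}

SAMPLE_P12_DESCRIBE = {
    "Name": "signing-cert",
    "Description": "Code signing certificate",
    "Tags": [{"Key": "jenkins:credentials:type", "Value": "certificate"}],
}
# Stand-in for a PKCS#12 blob (constructed bytes, not a real keystore), base64 as on the wire.
SAMPLE_P12_VALUE = {"SecretBinary": base64.b64encode(b"\x30\x82constructed-pkcs12").decode()}


def demo():
    """Return the two credentials produced from the two sample secrets."""
    return (map_secret(SAMPLE_DESCRIBE, SAMPLE_VALUE),
            map_secret(SAMPLE_P12_DESCRIBE, SAMPLE_P12_VALUE))


if __name__ == "__main__":
    for cred in demo():
        print(cred)
```

The `ValueError` branch is the one check worth keeping in any such mapper: a secret with both or neither value field is malformed, and silently picking one would hide a misconfiguration.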

chris+jenkins@chriskilding.com (JIRA)

Dec 11, 2019, 6:04:02 AM12/11/19
to jenkinsc...@googlegroups.com
Chris Kilding commented on Improvement JENKINS-59671
Re: Support storing multiple Jenkins credentials in a single Secrets Manager secret

After further consideration, there are significant problems with storing multiple credentials in 1 AWS secret:

  • An AWS binary secret cannot hold multiple PKCS#12 certificate credentials: (a) because a single certificate cred is close to the secret size limits already, and (b) because there would be no indicator of where one certificate ended and the next began, without inventing a custom binary schema and adding extra parsing code.
  • Credentials tracking & Cloudwatch logs. The 1:1 model makes this easy: accessing 1 credential creates 1 entry in Cloudwatch. If there are multiple credentials in a secret, we cannot know from Cloudwatch which one was actually used.
  • Permissions. The 1:1 model makes permissions easy: if you granted access to a secret in IAM, Jenkins can access that secret. If we have multiple creds per secret we cannot limit access to individual creds with IAM.
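The three objections above can be checked against data rather than argued abstractly. The following added example (not the plugin's code) packs binary blobs against the per-secret size limit, attributes constructed CloudTrail-style GetSecretValue records to credentials, and builds the least-privilege IAM policy the 1:1 model allows. It assumes Secrets Manager's 65536-byte limit on one secret value; the ARNs, account id, role name and event records are constructed for the example.

```python
"""Added example: why multiple credentials per secret breaks size, logging and IAM.
Not the plugin's code; ARNs, account id and CloudTrail records are constructed."""
from collections import Counter

SECRET_VALUE_LIMIT = 65536  # bytes; Secrets Manager's maximum size for one secret value

# Constructed ARNs (the trailing six characters mimic the random suffix AWS appends).
TOKEN_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:deploy-api-token-AbCdEf"
CERT_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:signing-cert-GhIjKl"


def fits_in_one_secret(blobs):
    """Return (fits, total_bytes) for blobs concatenated into one binary secret.
    Even when they fit, nothing in the stored bytes marks where one PKCS#12
    file ends and the next begins."""
    total = sum(len(b) for b in blobs)
    return total <= SECRET_VALUE_LIMIT, total


# Constructed CloudTrail-style records, abridged to the fields used here.
CLOUDTRAIL_EVENTS = [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/jenkins"},
     "requestParameters": {"secretId": TOKEN_ARN}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "DescribeSecret",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/jenkins"},
     "requestParameters": {"secretId": CERT_ARN}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/jenkins"},
     "requestParameters": {"secretId": CERT_ARN}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/jenkins"},
     "requestParameters": {"secretId": TOKEN_ARN}},
]


def uses_per_secret(events):
    """Count GetSecretValue calls per secret ARN; the finest grain CloudTrail records."""
    counter = Counter()
    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if ev.get("eventName") != "GetSecretValue":
            continue
        counter[ev["requestParameters"]["secretId"]] += 1
    return dict(counter)


def attribute_to_credentials(uses, secret_to_creds):
    """Turn secret-level counts into credential-level counts. A secret holding
    exactly one credential attributes cleanly; one holding several is ambiguous,
    because the log never says which credential inside it was read."""
    attributed, ambiguous = {}, {}
    for arn, count in uses.items():
        creds = secret_to_creds.get(arn, [])
        if len(creds) == 1:
            attributed[creds[0]] = count
        else:
            ambiguous[arn] = {"uses": count, "candidates": list(creds)}
    return {"attributed": attributed, "ambiguous": ambiguous}


def least_privilege_policy(secret_arns):
    """IAM policy allowing GetSecretValue on the listed secrets only. IAM scopes
    at the secret ARN, so credentials sharing a secret cannot be separated."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": sorted(secret_arns),
        }],
    }


if __name__ == "__main__":
    print(fits_in_one_secret([b"\x00" * 40000, b"\x00" * 40000]))
    layout = {TOKEN_ARN: ["deploy-api-token"], CERT_ARN: ["signing-cert", "tls-cert"]}
    print(attribute_to_credentials(uses_per_secret(CLOUDTRAIL_EVENTS), layout))
    print(least_privilege_policy([TOKEN_ARN]))
```

Run as a script, the output shows two 40 KB blobs overflowing one secret, the token secret attributing to one credential while the shared certificate secret stays ambiguous, and a policy that can only name whole secrets.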

chris+jenkins@chriskilding.com (JIRA)

Dec 11, 2019, 6:35:02 AM12/11/19
to jenkinsc...@googlegroups.com

I don’t believe the above problems are solvable without significantly complicating the plugin, or adding the possibility of users misunderstanding the credential storage format in Secrets Manager. I’m therefore inclined to close this ticket as wontfix, unless anyone has other ideas.

chris+jenkins@chriskilding.com (JIRA)

Jan 10, 2020, 6:10:01 AM1/10/20
to jenkinsc...@googlegroups.com
Chris Kilding resolved as Won't Do
Change By: Chris Kilding
Status: Open → Resolved
Resolution: Won't Do