[JIRA] (JENKINS-61111) Soft-deleted AWS Secrets Manager secrets still appear in Jenkins


chris+jenkins@chriskilding.com (JIRA)

Feb 17, 2020, 6:02:02 AM
to jenkinsc...@googlegroups.com
Chris Kilding created an issue
 
Jenkins / Bug JENKINS-61111
Soft-deleted AWS Secrets Manager secrets still appear in Jenkins
Issue Type: Bug
Assignee: Chris Kilding
Components: aws-secrets-manager-credentials-provider-plugin
Created: 2020-02-17 11:01
Priority: Minor
Reporter: Chris Kilding

Given I have an AWS secret that is being used as a Jenkins credential,
When I soft-delete the secret (mark it as deleted) and it is still in its recovery window,
Then the secret is still seen in Jenkins.

Soft-deleted secrets should be hidden from Jenkins instead, as they are not intended to be used.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

chris+jenkins@chriskilding.com (JIRA)

Feb 17, 2020, 6:03:02 AM
to jenkinsc...@googlegroups.com
Chris Kilding updated an issue
Change By: Chris Kilding
Reported by [~esteinfama]

chris+jenkins@chriskilding.com (JIRA)

Feb 17, 2020, 12:57:03 PM
to jenkinsc...@googlegroups.com
Chris Kilding commented on Bug JENKINS-61111
 
Re: Soft-deleted AWS Secrets Manager secrets still appear in Jenkins

This is interesting because in theory we already have an integration test for this very scenario, which passes, demonstrating that it works - CredentialsProviderIT#shouldTolerateDeletedCredentials.

If that’s correct then what Ethan saw was probably a one-off event. If not, something may be wrong in this test’s soft deletion logic.

chris+jenkins@chriskilding.com (JIRA)

Feb 20, 2020, 7:15:04 AM
to jenkinsc...@googlegroups.com
Chris Kilding edited a comment on Bug JENKINS-61111
This is interesting because in theory we already have integration tests for this very scenario, which pass, demonstrating that it works:

* CredentialsProviderIT#shouldTolerateDeletedCredentials
* CredentialsProviderIT#shouldTolerateRecentlyDeletedCredentials

If that’s correct then what Ethan saw was probably a one-off event. If not, something may be wrong in this test’s soft deletion logic.

chris+jenkins@chriskilding.com (JIRA)

Feb 20, 2020, 7:29:02 AM
to jenkinsc...@googlegroups.com

The bit I missed was that the bug description does not say whether the deletion was recent, i.e. within the 5-minute cache window.

It is expected behaviour (indeed it is a tautology) that if a secret is deleted within the cache window, its entry will continue to be shown (though it will not be functional). It is indeed an idiosyncrasy in the user experience that we would rather not have, but it is unavoidable given the current polling strategy of integrating with Secrets Manager: there is no way for Jenkins to know that the secret is (soft-)deleted until it refreshes the cache and calls Secrets Manager again.

When the time comes to refresh the cache, the ListSecretsOperation dutifully filters out soft-deleted secrets. This has been tested and is known to work.
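To make the cache-window behaviour described in the comment above concrete, here is an added illustrative model (not the plugin's own code, and not the real AWS SDK): a polling cache with a 5-minute TTL that refreshes from a ListSecrets-style response and drops entries carrying a DeletedDate only when it refreshes. The FakeSecretsManager class, the secret names and the timestamps are constructed for this example.

```python
"""Constructed model of a polling credentials cache over Secrets Manager.
Not the aws-secrets-manager-credentials-provider-plugin's code; it only
reproduces the behaviour discussed in the thread: a secret soft-deleted
inside the cache window stays visible until the next refresh, at which
point the ListSecrets filtering step removes it."""
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

CACHE_TTL_SECONDS = 300  # the 5-minute cache window mentioned in the thread


def list_live_secret_names(list_secrets_response: dict) -> List[str]:
    """Filtering step: a secret in its recovery window carries a DeletedDate
    in the ListSecrets response; such entries are dropped, the rest kept."""
    return [
        s["Name"]
        for s in list_secrets_response.get("SecretList", [])
        if s.get("DeletedDate") is None
    ]


class SecretsCache:
    """Polling cache: only calls the fetch function when the TTL has expired."""

    def __init__(self, fetch: Callable[[], dict], ttl: float = CACHE_TTL_SECONDS):
        self._fetch = fetch          # returns a ListSecrets-style dict
        self._ttl = ttl
        self._names: Optional[List[str]] = None
        self._refreshed_at: Optional[float] = None

    def names(self, now: float) -> List[str]:
        stale = self._names is None or (now - self._refreshed_at) >= self._ttl
        if stale:
            self._names = list_live_secret_names(self._fetch())
            self._refreshed_at = now
        return list(self._names)


class FakeSecretsManager:
    """Constructed stand-in for the AWS API (hypothetical, in-memory)."""

    def __init__(self, names: List[str]):
        self._secrets: Dict[str, dict] = {
            n: {
                "Name": n,
                # placeholder ARN, not a real account
                "ARN": f"arn:aws:secretsmanager:eu-west-1:000000000000:secret:{n}",
                "DeletedDate": None,
            }
            for n in names
        }

    def delete_secret(self, name: str, at: datetime) -> None:
        """Soft delete: the secret is scheduled for deletion and enters its
        recovery window, which ListSecrets reports via DeletedDate."""
        self._secrets[name]["DeletedDate"] = at

    def list_secrets(self) -> dict:
        return {"SecretList": [dict(s) for s in self._secrets.values()]}


def scenario():
    """Walk through the reported situation.

    Returns (names_at_start, names_seen_within_window, names_after_refresh).
    """
    sm = FakeSecretsManager(["db-password", "api-token"])
    cache = SecretsCache(sm.list_secrets)
    t0 = 0.0
    at_start = cache.names(t0)                      # initial fill
    sm.delete_secret("db-password", at=datetime(2020, 2, 17, tzinfo=timezone.utc))
    within_window = cache.names(t0 + 60)            # cache still warm: stale entry shown
    after_refresh = cache.names(t0 + CACHE_TTL_SECONDS)  # TTL expired: entry dropped
    return at_start, within_window, after_refresh


if __name__ == "__main__":
    start, during, after = scenario()
    print("at start:      ", start)
    print("within window: ", during)
    print("after refresh: ", after)
```

The point the model makes is the one in the comment: nothing in the cache can learn about the soft deletion between refreshes, so the only lever available under a polling design is the TTL itself (a shorter window narrows the stale period at the cost of more ListSecrets calls), and the filter on DeletedDate does its job at refresh time.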

chris+jenkins@chriskilding.com (JIRA)

Feb 20, 2020, 7:35:02 AM
to jenkinsc...@googlegroups.com
Chris Kilding started work on Bug JENKINS-61111
 
Change By: Chris Kilding
Status: Open → In Progress

chris+jenkins@chriskilding.com (JIRA)

Feb 20, 2020, 7:37:03 AM
to jenkinsc...@googlegroups.com
 

In the absence of further information I'll have to assume that Ethan soft-deleted a secret and loaded the Jenkins credentials page within the 5-minute cache window. As mentioned, this is not something that can be fixed as long as we have to poll Secrets Manager for data.

If, in the future, AWS allows Secrets Manager API clients to subscribe for updates on a push basis, then we could revisit this.

Change By: Chris Kilding
Status: In Review → Resolved
Resolution: Won't Fix