[JIRA] (JENKINS-60695) "Filter by AWS secret namespace ID" not working


domi@fortysix.ch (JIRA)

Jan 8, 2020, 8:41:02 AM
to jenkinsc...@googlegroups.com
Dominik Bartholdi created an issue
Jenkins / Bug JENKINS-60695
"Filter by AWS secret namespace ID" not working
Issue Type: Bug
Assignee: Chris Kilding
Components: aws-secrets-manager-credentials-provider-plugin
Created: 2020-01-08 13:40
Priority: Major
Reporter: Dominik Bartholdi

I created credentials like this: 

aws secretsmanager create-secret --name 'jks/DB_USER_XXXXX' --secret-string 'zzzzzz' --tags 'Key=jenkins:credentials:username,Value=uuuuu' --description 'dddddddd'   

Then I used the documented policy template: https://github.com/jenkinsci/aws-secrets-manager-credentials-provider-plugin/blob/master/docs/iam/secret-namespace-id.json to filter credentials by a namespace. 

My complete policy looked like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:::secret:jks/*",
            "Effect": "Allow"
        },
        {
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
} 

Unfortunately, this ends up in this error:

com.cloudbees.plugins.credentials.CredentialsUnavailableException: Property 'secret' is currently unavailable, reason: Could not retrieve the credential jks/DB_USER_XXXXX from AWS Secrets Manager
	at io.jenkins.plugins.credentials.secretsmanager.RealAwsCredentials.getSecretValue(RealAwsCredentials.java:44)
	at io.jenkins.plugins.credentials.secretsmanager.AwsCredentials.getSecretString(AwsCredentials.java:127)
	at io.jenkins.plugins.credentials.secretsmanager.AwsCredentials.getPassword(AwsCredentials.java:70)
	at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:78)
	at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:135) 

When setting the `"Resource": "*"` for `secretsmanager:GetSecretValue` too, then it works, but the namespace filter does not work.


chris+jenkins@chriskilding.com (JIRA)

Jan 14, 2020, 9:38:06 AM
to jenkinsc...@googlegroups.com
Chris Kilding commented on Bug JENKINS-60695
Re: "Filter by AWS secret namespace ID" not working

We don't use this feature ourselves (yet) but it was in the AWS documentation, and might be relevant to some plugin users, so I thought I'd better mention it in the README.

It's quite possible that the ARN filter is not in the right format. Would you be able to toy with it in the AWS CLI and find a filter pattern that does work? Then we could fix the example.

Have a look at the AWS docs for inspiration: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html 
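One way to check a candidate filter pattern offline before touching a real policy is to replay IAM's per-segment wildcard matching against sample secret ARNs. The script below is an added example written for this thread; it is not part of the plugin and not code from either participant. It simplifies IAM evaluation (Allow statements only, no Deny, no condition keys) and uses constructed ARNs with a placeholder account ID. The `arn:aws:secretsmanager:*:*:secret:jks/*` pattern is my candidate, built on the assumption that the region and account segments must be populated or wildcarded rather than left empty, which is how the AWS docs linked above write Secrets Manager resource ARNs. The point for anyone tuning the Jenkins role's policy is least privilege: `"Resource": "*"` on `GetSecretValue` lets Jenkins read every secret in the account, so getting the namespace filter right is what actually limits the blast radius.

```python
import re

# Constructed sample ARNs (placeholder account ID, made-up random suffixes).
# Secrets Manager appends a random suffix to each secret's ARN, so the trailing
# "*" in the name segment is required even when targeting a single secret.
SECRET_ARN = "arn:aws:secretsmanager:eu-central-1:123456789012:secret:jks/DB_USER_XXXXX-AbCdEf"
OTHER_NAMESPACE_ARN = "arn:aws:secretsmanager:eu-central-1:123456789012:secret:prod/DB_PASSWORD-GhIjKl"

# Copy of the policy from the bug report: region and account segments are empty.
REPORTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:::secret:jks/*",
         "Effect": "Allow"},
        {"Action": "secretsmanager:ListSecrets", "Resource": "*", "Effect": "Allow"},
    ],
}

# Candidate fix (assumption): wildcard the region and account segments instead.
CANDIDATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:*:*:secret:jks/*",
         "Effect": "Allow"},
        {"Action": "secretsmanager:ListSecrets", "Resource": "*", "Effect": "Allow"},
    ],
}


def _glob_to_regex(glob: str) -> str:
    """Translate IAM wildcards ('*' = any run of characters, '?' = one character)
    into a regular expression; every other character is matched literally."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def glob_matches(pattern: str, value: str) -> bool:
    """Whole-string wildcard match, used for Action strings."""
    return re.fullmatch(_glob_to_regex(pattern), value) is not None


def arn_matches(pattern: str, arn: str) -> bool:
    """Simplified IAM Resource matching: the six colon-delimited ARN segments are
    compared one by one, so an empty region or account segment in the pattern
    only matches an ARN whose own segment is empty. A bare '*' matches everything.
    The sixth segment keeps any further colons (e.g. 'secret:jks/...')."""
    if pattern == "*":
        return True
    pat_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pat_parts) != 6 or len(arn_parts) != 6:
        return False
    return all(glob_matches(p, a) for p, a in zip(pat_parts, arn_parts))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, arn: str) -> bool:
    """True if some Allow statement covers both the action and the resource ARN.
    Deny statements and Condition blocks are out of scope for this illustration."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(glob_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if any(arn_matches(r, arn) for r in _as_list(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("reported", REPORTED_POLICY), ("candidate", CANDIDATE_POLICY)):
        for arn in (SECRET_ARN, OTHER_NAMESPACE_ARN):
            allowed = policy_allows(policy, "secretsmanager:GetSecretValue", arn)
            print(f"{name:9} GetSecretValue on {arn.rsplit(':', 1)[1]}: {allowed}")
```

Run as-is, the reported policy denies `GetSecretValue` on the `jks/` secret because its empty region and account segments never match a real ARN, which is consistent with the `CredentialsUnavailableException` above; the candidate pattern allows the `jks/` secret while still rejecting the `prod/` one, which is the namespace scoping the README example was meant to provide. Confirm any final pattern with the IAM policy simulator or a real `get-secret-value` call, since this matcher deliberately omits Deny and Condition handling.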

chris+jenkins@chriskilding.com (JIRA)

Jan 23, 2020, 7:05:02 AM
to jenkinsc...@googlegroups.com
Chris Kilding started work on Bug JENKINS-60695
Change By: Chris Kilding
Status: Open -> In Progress

chris+jenkins@chriskilding.com (JIRA)

Jan 23, 2020, 7:06:02 AM
to jenkinsc...@googlegroups.com

chris+jenkins@chriskilding.com (JIRA)

Jan 24, 2020, 5:21:03 AM
to jenkinsc...@googlegroups.com

chris+jenkins@chriskilding.com (JIRA)

Jan 24, 2020, 5:21:03 AM
to jenkinsc...@googlegroups.com
Change By: Chris Kilding
Status: In Review -> Resolved
Resolution: Fixed