Questions about masking and managing credentials


niko...@gmail.com

Apr 12, 2019, 5:35:50 PM
to Jenkins Users
Hi Jenkins users,

Me and a colleague are trying to make our Jenkins infrastructure nice and config-as-code-y and reproducible, and it works nicely except that we haven't yet found a good way to store and obfuscate credentials.

Here's what we're currently doing:

1. Store all initial config using the Configuration-as-Code plugin (https://github.com/jenkinsci/configuration-as-code-plugin)
2. Store credentials in AWS SSM Parameter Store using the CasC SSM plugin, loading them using an instance profile (https://github.com/jenkinsci/configuration-as-code-secret-ssm-plugin)
3. Load all jobs from seed job DSL on first boot

That way, it's easy to replace the Jenkins host for patching, and doing that on a regular basis makes sure that all CI jobs and config go through a pull request process by cleaning house on a regular basis :)

The problem with this is that AWS Parameter Store only supports storing string type parameters, and I can't find a smart way to turn SSM strings into files or other credential objects in the configuration as code plugin. In theory storing SSH keys/Ansible vault passphrases and similar as strings should be OK, as you could just write the secure string into a file in a shell step in a job. But in reality, while the logic that redacts credentials works nicely for short strings, it seems to be happy to print the value of the key out when I do `echo $SSH_KEY > file.txt`.

Does anyone know how that redaction gets evaluated? It says in the log "Masking only exact matches of $SECRET or $SSH_KEY". My guess is that line breaks/text wrapping is throwing it off. Which is fair enough, since there's a perfectly good SSH credential type!

If anyone has ideas about

- a way to make sure the long secret text value gets redacted
- a way to manage to load AWS SSM Parameter Store SecureStrings as something other than text type Jenkins credentials
- or another credential that integrates with the Config-as-Code plugin

I'd appreciate it.

Thanks for reading - have a good weekend!

Nikki


Ivan Fernandez Calvo

Apr 13, 2019, 3:16:18 PM
to Jenkins Users
I've faced a similar issue a few weeks ago; finally I worked around it by converting secrets to base64 and then storing the secrets into credentials. The problem is that it is not possible to store multi-line text into secret text credentials.
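The two behaviours described in this thread (the long multi-line secret escaping redaction in the original question, and the single-line base64 workaround in the reply above) can be modelled in a few lines. The following is an added example written for this page; it is not code from either poster, from Jenkins or from any plugin. It assumes, as the quoted log message says, that the masker only replaces exact occurrences of the bound secret in console output, and it approximates what `set -x` tracing writes for an unquoted `echo $VAR` by collapsing all whitespace (newlines included) into single spaces, which is a simplification of real shell behaviour. `FAKE_KEY` is a constructed stand-in with the shape of a private key, not a real key.

```python
import base64

# Constructed multi-line stand-in for an SSH private key stored as secret text.
# Not a real key; it only has the line structure that triggers the problem.
FAKE_KEY = (
    "-----BEGIN FAKE KEY-----\n"
    "fake-key-body-line-one\n"
    "fake-key-body-line-two\n"
    "-----END FAKE KEY-----\n"
)

MASK = "****"


def mask_exact(text: str, secrets) -> str:
    """Model of an exact-match console masker: every byte-for-byte occurrence
    of each bound secret is replaced. A secret that has been reflowed,
    re-quoted or split by the shell passes through untouched."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, MASK)
    return text


def xtrace_unquoted_echo(value: str) -> str:
    """Approximation (assumption, not a shell) of the `+ echo ...` trace line a
    `set -x` shell writes for `echo $VAR` with VAR unquoted: word-splitting
    turns every run of whitespace, newlines included, into a single space."""
    return "+ echo " + " ".join(value.split()) + "\n"


def to_single_line(secret: str) -> str:
    """Encode a multi-line secret as one base64 line so it fits a single-line
    secret text credential and is an exact-match candidate for the masker."""
    return base64.b64encode(secret.encode()).decode()


def from_single_line(encoded: str) -> str:
    """Inverse of to_single_line; this is what `base64 -d` does in the job step."""
    return base64.b64decode(encoded.encode()).decode()


def demo() -> dict:
    """Run both cases and report what a defender would want to know."""
    # Case 1: the multi-line key bound as text, written with `echo $SSH_KEY > file`.
    # The trace line contains a whitespace-collapsed copy, not the exact secret.
    trace1 = xtrace_unquoted_echo(FAKE_KEY)
    masked1 = mask_exact(trace1, [FAKE_KEY])
    leaked_case1 = "fake-key-body-line-one" in masked1

    # Case 2: the same key stored base64-encoded on one line and decoded in the step.
    # The trace line contains the encoded value verbatim, so exact matching works.
    b64 = to_single_line(FAKE_KEY)
    trace2 = xtrace_unquoted_echo(b64)
    masked2 = mask_exact(trace2, [b64])
    masked_case2 = MASK in masked2 and b64 not in masked2

    # Caveat: only the bound (encoded) value is masked. If a later step prints
    # the decoded file, that output is not covered by the same binding.
    decoded_trace = "+ cat key\n" + FAKE_KEY
    decoded_covered = FAKE_KEY not in mask_exact(decoded_trace, [b64])

    return {
        "leaked_case1": leaked_case1,
        "masked_case2": masked_case2,
        "decoded_covered": decoded_covered,
        "roundtrip_ok": from_single_line(b64) == FAKE_KEY,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The result shows why the base64 route in the reply works: the credential value is one token with no whitespace, so whatever the shell traces still contains it verbatim and the exact-match masker catches it. The third flag is the caveat to keep in mind when adopting it: the decoded key written to disk is a different string from the bound secret, so any step that prints it (a `cat`, a verbose ssh, a stack trace) is not masked by that binding, and the file should be created with restrictive permissions and removed when the step finishes.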