AWS Secrets Manager backend for the Jenkins SecretSource API.
The plugin allows JCasC to interpolate string secrets from Secrets Manager. It is the low-level counterpart of the AWS Secrets Manager Credentials Provider plugin. It can be used standalone, or together with the Credentials Provider.
Give Jenkins read access to Secrets Manager with an IAM policy.
Required permissions:
- secretsmanager:GetSecretValue
Optional permissions:
- kms:Decrypt (if you use a customer-managed KMS key to encrypt the secret)
Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowJenkinsToGetSecretValues",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}
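The policy above grants GetSecretValue on every secret in the account. As an added example (not from the plugin's documentation), the same policy scoped to a name prefix, with the optional kms:Decrypt statement restricted so the key can only be used through Secrets Manager; REGION, ACCOUNT_ID, KEY_ID and the jenkins/ prefix are placeholders to replace:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowJenkinsToGetSecretValues",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:jenkins/*"
    },
    {
      "Sid": "AllowDecryptOnlyViaSecretsManager",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.REGION.amazonaws.com"
        }
      }
    }
  ]
}
```

With this shape, a secret named `jenkins/my-secret` resolves from JCasC, while other secrets in the account stay out of reach of the Jenkins role even if the JCasC file is edited to reference them. Drop the second statement if the secrets use the AWS-managed key.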
The plugin uses the AWS Java SDK to communicate with Secrets Manager. If you are running Jenkins outside EC2, ECS, or EKS (where the SDK's default credential chain picks up the instance or task role), you may need to manually configure the SDK to authenticate with AWS. See the official AWS documentation for more information.
String secret

Create the secret:
aws secretsmanager create-secret --name 'my-secret' --secret-string 'abc123' --description 'Jenkins user password'
Reference it by name in your JCasC YAML:
jenkins:
  securityRealm:
    local:
      allowsSignup: false
      users:
        - id: "some_user"
          password: "${my-secret}"
JSON secret

Create the secret:
aws secretsmanager create-secret --name 'my-secret' --secret-string '{"foo": "some_user", "bar": "abc123" }' --description 'Jenkins user password'
Reference individual keys using the CasC json helper:
jenkins:
  securityRealm:
    local:
      allowsSignup: false
      users:
        - id: "${json:foo:${my-secret}}"
          password: "${json:bar:${my-secret}}"
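To make the two reference styles above concrete, here is an added Python model of the interpolation (example code, not JCasC's or the plugin's own resolver). It resolves `${name}` against a constructed in-memory secret store instead of calling Secrets Manager, evaluates `${json:key:${name}}` innermost-first, and fails loudly when a secret is missing or is not a JSON object, which is what you want a config load to do rather than silently inserting an empty string. `FAKE_SECRETS`, `resolve`, `json_lookup` and `get_secret_value` are names invented for this example:

```python
import json

# Constructed stand-in for Secrets Manager (secret name -> secret string).
# The real plugin fetches these with secretsmanager:GetSecretValue; nothing
# in this example talks to AWS.
FAKE_SECRETS = {
    "my-secret": "abc123",
    "my-json-secret": '{"foo": "some_user", "bar": "abc123" }',
}


def get_secret_value(name, store):
    """Return the secret string for `name`, or fail loudly if it is absent."""
    if name not in store:
        raise KeyError(f"secret not found: {name}")
    return store[name]


def json_lookup(key, secret_string):
    """Extract `key` from a JSON-object secret string (the `json:` helper)."""
    try:
        doc = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("secret is not a JSON document") from exc
    if not isinstance(doc, dict) or key not in doc:
        raise KeyError(f"key not found in JSON secret: {key}")
    return str(doc[key])


def _matching_brace(text, open_idx):
    """Index of the '}' closing the '{' at open_idx, honouring nesting."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError(f"unbalanced ${{...}} expression in: {text}")


def _evaluate(expr, store):
    """Evaluate the inside of one ${...}: a secret name or json:key:<expr>."""
    if expr.startswith("json:"):
        _, key, source = expr.split(":", 2)
        # The source is itself an expression (normally ${secret-name}), so
        # resolve it to the raw secret string first, then pick out the key.
        return json_lookup(key, resolve(source, store))
    return get_secret_value(expr, store)


def resolve(text, store=FAKE_SECRETS):
    """Replace every ${...} in `text` with its resolved value, innermost first."""
    out = []
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            close = _matching_brace(text, i + 1)
            out.append(_evaluate(text[i + 2:close], store))
            i = close + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    print(resolve('password: "${my-secret}"'))
    print(resolve('id: "${json:foo:${my-json-secret}}"'))
```

Note that `${json:foo:${my-secret}}` against the plain string secret raises `ValueError` rather than returning something: a JSON key lookup against a non-JSON secret is a configuration mistake, and it is better surfaced at load time than turned into an empty password.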
Version tags for this plugin are of the format <major>.<autogenerated>, for example 1.55.v0fcce24a_9501.
The <major> prefix is incremented to indicate breaking changes in the plugin. When this happens, please read the release notes and test the plugin extra carefully before deploying it to production. To assist users of the Jenkins Update Center we will also add an hpi.compatibleSinceVersion annotation to the POM.
The <autogenerated> part is created by the Jenkins automated plugin release system. It is incremented on any non-breaking (minor) change, e.g. new features, bug fixes, or dependency updates. It should normally be safe to adopt these changes straight away.
Development requirements:
- Docker
- Java 11+
- Maven
In Maven:
mvn clean verify
In your IDE:
- Generate translations: mvn localizer:generate (This is a one-off task. You only need to re-run it if you change the translations, or if you clean the Maven target directory.)
- Compile.
- Start Moto: mvn docker:build docker:start
- Run tests.
- Stop Moto: mvn docker:stop