AWS Secrets Manager SecretSource


AWS Secrets Manager backend for the Jenkins SecretSource API.

The plugin lets JCasC (Jenkins Configuration as Code) interpolate string secrets from Secrets Manager. It is the low-level counterpart of the AWS Secrets Manager Credentials Provider plugin, and can be used standalone or together with the Credentials Provider.

Setup

IAM

Give Jenkins read access to Secrets Manager with an IAM policy.

Required permissions:

  • secretsmanager:GetSecretValue

Optional permissions:

  • kms:Decrypt (if you use a customer-managed KMS key to encrypt the secret)

Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowJenkinsToGetSecretValues",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}
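The example policy above grants GetSecretValue on every secret in the account. The following Python is an added illustration, not part of the plugin: it lints a policy document for that wildcard grant and builds the scoped form a practitioner would deploy instead. The ARNs are constructed placeholders, not real resources.

```python
import fnmatch
import json

# Constructed sample: the broad policy from the README (Resource "*").
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowJenkinsToGetSecretValues",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_action(statement, action):
    """True if any Action pattern in the statement covers `action`.
    IAM action matching is case-insensitive and supports '*' globbing."""
    return any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for pattern in _as_list(statement.get("Action"))
    )


def find_wildcard_secret_access(policy, action="secretsmanager:GetSecretValue"):
    """Return the Sids of Allow statements granting `action` on Resource '*'."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _grants_action(stmt, action):
            continue
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def scoped_policy(secret_arns, kms_key_arns=()):
    """Least-privilege form of the README policy: only the named secrets,
    plus kms:Decrypt on the customer-managed keys (if any) that encrypt them."""
    statements = [
        {
            "Sid": "AllowJenkinsToGetSecretValues",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": list(secret_arns),
        }
    ]
    if kms_key_arns:
        statements.append(
            {
                "Sid": "AllowJenkinsToDecryptSecretKeys",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": list(kms_key_arns),
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print("wildcard grants:", find_wildcard_secret_access(BROAD_POLICY))
    # Placeholder ARN; Secrets Manager appends a random suffix to the secret name.
    tight = scoped_policy(
        ["arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-AbCdEf"]
    )
    print(json.dumps(tight, indent=2))
    print("wildcard grants after scoping:", find_wildcard_secret_access(tight))
```

Because Secrets Manager appends a random suffix to each secret's ARN, the Resource entry for a scoped policy is usually written with a trailing wildcard on the name (for example `secret:my-secret-*`) or, for a whole group of Jenkins secrets, a common name prefix.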

Jenkins

The plugin uses the AWS Java SDK to communicate with Secrets Manager. If you are running Jenkins outside EC2, ECS, or EKS, you may need to configure the SDK's credentials manually so it can authenticate with AWS. See the official AWS documentation for more information.

Usage

Text secrets

Create secret:

aws secretsmanager create-secret --name 'my-secret' --secret-string 'abc123' --description 'Jenkins user password'

Reference it by name:

jenkins:
  securityRealm:
    local:
      allowsSignup: false
      users:
      - id: "some_user"
        password: "${my-secret}"

JSON secrets

Create secret:

aws secretsmanager create-secret --name 'my-secret' --secret-string '{"foo": "some_user", "bar": "abc123" }' --description 'Jenkins user password'

Reference it using the CasC json helper:

jenkins:
  securityRealm:
    local:
      allowsSignup: false
      users:
      - id: "${json:foo:${my-secret}}"
        password: "${json:bar:${my-secret}}"
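To make the two reference styles above concrete, here is an added Python model of the interpolation (not the plugin's or JCasC's own code): a dictionary stands in for Secrets Manager's GetSecretValue, `${name}` is resolved against it, and `${json:key:...}` is resolved after its nested expression, as the page describes. The `interpolate`, `lookup` and `resolve_casc` names and the simplified syntax (no default values or other helpers) are assumptions of this example.

```python
import json

# Constructed stand-in for Secrets Manager: secret name -> secret string.
SECRETS = {
    "my-secret": "abc123",
    "my-json-secret": '{"foo": "some_user", "bar": "abc123" }',
}


def _find_closing(text, start):
    """Index of the '}' that closes the '${' at `start`. Only '${' opens a
    nesting level, so a bare '{' or '}' inside a resolved JSON value is harmless."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError(f"unterminated ${{...}} in {text!r}")


def lookup(expr, secrets):
    """Resolve one fully-substituted expression: a secret name, or json:<key>:<json text>."""
    if expr.startswith("json:"):
        _, key, payload = expr.split(":", 2)
        data = json.loads(payload)
        if key not in data:
            raise KeyError(f"key {key!r} not present in JSON secret")
        return str(data[key])
    if expr not in secrets:
        raise KeyError(f"secret {expr!r} not found")
    return secrets[expr]


def interpolate(text, secrets):
    """Replace every ${...} in `text`, resolving inner expressions before outer ones."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("${", i):
            end = _find_closing(text, i)
            inner = interpolate(text[i + 2:end], secrets)
            out.append(lookup(inner, secrets))
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def resolve_casc(node, secrets):
    """Walk a parsed JCasC document (dicts/lists/strings) and interpolate every string."""
    if isinstance(node, dict):
        return {k: resolve_casc(v, secrets) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_casc(v, secrets) for v in node]
    if isinstance(node, str):
        return interpolate(node, secrets)
    return node


if __name__ == "__main__":
    # The 'users' entry from the README's JSON-secret example, already parsed from YAML.
    doc = {"users": [{"id": "${json:foo:${my-json-secret}}",
                      "password": "${json:bar:${my-json-secret}}"}]}
    print(resolve_casc(doc, SECRETS))
```

Resolution errors are raised rather than silently substituting an empty string, which is the behaviour you want in a configuration loader: a missing secret or JSON key should fail the Jenkins start-up visibly instead of creating a user with a blank password.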

Versioning

Version tags for this plugin are of the format:

<major>.<autogenerated>

For example, 1.55.v0fcce24a_9501.

The <major> prefix is incremented to indicate breaking changes in the plugin. When this happens, please read the release notes and test the plugin extra carefully before deploying it to production. To assist users of the Jenkins Update Center we will also add an hpi.compatibleSinceVersion annotation to the POM.

The <autogenerated> part is created by the Jenkins automated plugin release system. This is incremented on any non-breaking (minor) change, e.g. new features, bug fixes, or dependency updates. It should normally be safe to adopt these changes straight away.
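As an added example for the versioning policy (not part of the plugin), the Python below parses a tag into its `<major>` and `<autogenerated>` parts and classifies an upgrade between two tags so that an update pipeline can gate major bumps on a manual review. Splitting `<autogenerated>` into a numeric counter and an opaque suffix is an assumption drawn from the single example tag on this page.

```python
import re

# Assumed shape, derived from the README example "1.55.v0fcce24a_9501":
# <major>.<counter>[.<opaque suffix>]
TAG_RE = re.compile(r"^(?P<major>\d+)\.(?P<counter>\d+)(?:\.(?P<suffix>[^.\s]+))?$")


def parse_tag(tag):
    """Return (major, counter, suffix) for a plugin version tag, or raise ValueError."""
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag {tag!r}")
    return int(m["major"]), int(m["counter"]), m["suffix"] or ""


def classify_upgrade(current, candidate):
    """'breaking' when the major prefix changes (read the release notes first),
    'minor' for a newer autogenerated counter, 'same' or 'downgrade' otherwise."""
    cur_major, cur_counter, _ = parse_tag(current)
    new_major, new_counter, _ = parse_tag(candidate)
    if new_major > cur_major:
        return "breaking"
    if new_major < cur_major or new_counter < cur_counter:
        return "downgrade"
    if new_counter == cur_counter:
        return "same"
    return "minor"


if __name__ == "__main__":
    print(parse_tag("1.55.v0fcce24a_9501"))
    # Second tag is a constructed placeholder, not a real release.
    print(classify_upgrade("1.55.v0fcce24a_9501", "2.1.vdeadbeef_0000"))
```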

Development

Dependencies

  • Docker
  • Java 11+
  • Maven

Build

In Maven:

mvn clean verify

In your IDE:

  1. Generate translations: mvn localizer:generate. (This is a one-off task. You only need to re-run this if you change the translations, or if you clean the Maven target directory.)
  2. Compile.
  3. Start Moto: mvn docker:build docker:start.
  4. Run tests.
  5. Stop Moto: mvn docker:stop.