Feature: AWS client configuration (#43)
1 parent
8f428ae
commit 5510bd7
Showing
51 changed files
with
908 additions
and
289 deletions.
@@ -0,0 +1,81 @@ | ||
# Client | ||
|
||
The plugin allows you to configure the Secrets Manager client that it uses to access secrets. | ||
|
||
**We recommend that you use the defaults whenever possible.** This will allow Jenkins to inherit AWS configuration from the environment. Only set these client options if you really need to (for example you have multiple Jenkins AWS plugins installed, and need the Secrets Manager plugin to behave differently to the others). | ||
|
||
## Credentials Provider | ||
|
||
The plugin supports the following `AWSCredentialsProvider` implementations to authenticate and authorize with Secrets Manager. | ||
|
||
*Note: This is not the same thing as a Jenkins `CredentialsProvider`.* | ||
|
||
Recommendations: | ||
|
||
- Use EC2 Instance Profiles when running Jenkins on EC2. | ||
- Only use the long-lived access key methods when there is no other choice. For example, when Jenkins is running outside of AWS. | ||
- If you see an error along the lines of "Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.", set the region manually. | ||
|
||
### Default | ||
|
||
This uses the standard AWS credentials lookup chain. | ||
|
||
The authentication methods in the chain are: | ||
|
||
- EC2 Instance Profiles. | ||
- EC2 Container Service credentials. | ||
- Environment variables (set `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION` before starting Jenkins). | ||
- Java properties (set `aws.accessKeyId`, `aws.secretKey`, and `aws.region` before starting Jenkins). | ||
- User profile (configure `~/.aws/credentials` before starting Jenkins). | ||
- Web Identity Token credentials. | ||
|
||
### Profile | ||
|
||
This allows you to use named AWS profiles from `~/.aws/config`. | ||
|
||
```yaml | ||
unclassified: | ||
awsCredentialsProvider: | ||
client: | ||
credentialsProvider: | ||
profile: | ||
profileName: "foobar" | ||
``` | ||
### STS AssumeRole | ||
This allows you to specify IAM roles inline within Jenkins. | ||
```yaml | ||
unclassified: | ||
awsCredentialsProvider: | ||
client: | ||
credentialsProvider: | ||
assumeRole: | ||
roleArn: "arn:aws:iam::111111111111:role/foo" | ||
roleSessionName: "jenkins" | ||
``` | ||
## Endpoint Configuration | ||
You can set the AWS endpoint configuration for the client. | ||
```yaml | ||
unclassified: | ||
awsCredentialsProvider: | ||
client: | ||
endpointConfiguration: | ||
serviceEndpoint: "http://localhost:4584" | ||
signingRegion: "us-east-1" | ||
``` | ||
## Region | ||
You can set the AWS region for the client. | ||
```yaml | ||
unclassified: | ||
awsCredentialsProvider: | ||
client: | ||
region: "us-east-1" | ||
``` |
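--- a/src/main/java/io/jenkins/plugins/credentials/secretsmanager/config/Client.java
+++ b/src/main/java/io/jenkins/plugins/credentials/secretsmanager/config/Client.java
@@ -0,0 +1,123 @@
+package io.jenkins.plugins.credentials.secretsmanager.config;
+
+import com.amazonaws.regions.Regions;
+import com.amazonaws.services.secretsmanager.AWSSecretsManager;
+import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
+import hudson.Extension;
+import hudson.Util;
+import hudson.model.AbstractDescribableImpl;
+import hudson.model.Descriptor;
+import hudson.util.ListBoxModel;
+import io.jenkins.plugins.credentials.secretsmanager.Messages;
+import io.jenkins.plugins.credentials.secretsmanager.config.credentialsProvider.CredentialsProvider;
+import io.jenkins.plugins.credentials.secretsmanager.config.credentialsProvider.DefaultAWSCredentialsProviderChain;
+import org.jenkinsci.Symbol;
+import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.DataBoundSetter;
+
+import javax.annotation.Nonnull;
+import java.io.Serializable;
+import java.util.Objects;
+
+public class Client extends AbstractDescribableImpl<Client> implements Serializable {
+
+private static final long serialVersionUID = 1L;
+
+private CredentialsProvider credentialsProvider;
+
+private EndpointConfiguration endpointConfiguration;
+
+private String region;
+
+@DataBoundConstructor
+public Client(CredentialsProvider credentialsProvider, EndpointConfiguration endpointConfiguration, String region) {
+this.credentialsProvider = credentialsProvider;
+this.endpointConfiguration = endpointConfiguration;
+this.region = region;
+}
+
+public EndpointConfiguration getEndpointConfiguration() {
+return endpointConfiguration;
+}
+
+@DataBoundSetter
+public void setEndpointConfiguration(EndpointConfiguration endpointConfiguration) {
+this.endpointConfiguration = endpointConfiguration;
+}
+
+public CredentialsProvider getCredentialsProvider() {
+return credentialsProvider;
+}
+
+@DataBoundSetter
+public void setCredentialsProvider(CredentialsProvider credentialsProvider) {
+this.credentialsProvider = credentialsProvider;
+}
+
+public String getRegion() {
+return region;
+}
+
+@DataBoundSetter
+public void setRegion(String region) {
+this.region = Util.fixEmptyAndTrim(region);
+}
+
+public AWSSecretsManager build() {
+final AWSSecretsManagerClientBuilder builder = AWSSecretsManagerClientBuilder.standard();
+
+if (credentialsProvider != null) {
+builder.setCredentials(credentialsProvider.build());
+}
+
+if (endpointConfiguration != null) {
+builder.setEndpointConfiguration(endpointConfiguration.build());
+}
+
+if (region != null && !region.isEmpty()) {
+builder.setRegion(region);
+}
+
+return builder.build();
+}
+
+@Override
+public boolean equals(Object o) {
+if (this == o) return true;
+if (o == null || getClass() != o.getClass()) return false;
+Client client = (Client) o;
+return Objects.equals(credentialsProvider, client.credentialsProvider) &&
+Objects.equals(endpointConfiguration, client.endpointConfiguration) &&
+Objects.equals(region, client.region);
+}
+
+@Override
+public int hashCode() {
+return Objects.hash(credentialsProvider, endpointConfiguration, region);
+}
+
+@Extension
+@Symbol("client")
+@SuppressWarnings("unused")
+public static class DescriptorImpl extends Descriptor<Client> {
+
+public CredentialsProvider getDefaultCredentialsProvider() {
+return new DefaultAWSCredentialsProviderChain();
+}
+
+@Override
+@Nonnull
+public String getDisplayName() {
+return Messages.client();
+}
+
+public ListBoxModel doFillRegionItems() {
+final ListBoxModel regions = new ListBoxModel();
+regions.add("", "");
+for (Regions s : Regions.values()) {
+regions.add(s.getDescription(), s.getName());
+}
+return regions;
+}
+}
+}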
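Review bot: The `@DataBoundConstructor` `public Client(CredentialsProvider credentialsProvider, EndpointConfiguration endpointConfiguration, String region)` stores `region` exactly as given, while `setRegion` runs it through `Util.fixEmptyAndTrim`, so a blank or whitespace-padded region that arrives via the constructor (presumably the JCasC `client:` block shown in the docs) is never normalized. In `build()` the guard `region != null && !region.isEmpty()` then lets a value such as `" "` reach `builder.setRegion(" ")`, which the SDK is unlikely to accept as a region name. Normalizing in the constructor, `this.region = Util.fixEmptyAndTrim(region);`, makes both configuration paths consistent and lets the `build()` guard reduce to `if (region != null)`. `build()` is also the only method here that constructs a live AWS client and it has no Javadoc; a short comment stating that each unset field leaves the corresponding SDK default (credential chain, endpoint, region lookup) in place would make the "inherit from the environment" behaviour explicit in code rather than only in the docs.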