Commit bdf2539 (parent cebb3cc)
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 42 changed files with 933 additions and 114 deletions.
@@ -0,0 +1,19 @@ | ||
# Beta | ||
|
||
The plugin contains the following beta features: | ||
|
||
- [Secondary IAM Roles](roles/index.md) | ||
|
||
## Warnings | ||
|
||
- Beta features are not officially supported. | ||
- Beta features may be added, changed, or removed without warning. | ||
- Beta features may break Jenkins. | ||
- Beta feature configuration must be manually updated when the config schema changes. | ||
|
||
## Recommendations | ||
|
||
- Test beta features on a non-production Jenkins. | ||
- Read the plugin release notes before upgrading. | ||
- Use Jenkins Configuration As Code (CasC). (CasC can warn you when the configuration schema changes.) | ||
- Report bugs and feedback on the Jenkins issue tracker. |
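Review bot: the Warnings and Recommendations lists say nothing about the permission implications of the one beta feature this page points to. Since each secondary role extends Jenkins's read access to every secret that role can read (roles/index.md: "The plugin can access more secrets using secondary IAM roles"), a recommendation along the lines of "scope each secondary role's policy to the specific secrets Jenkins needs" belongs in this list or in roles/index.md, next to "Test beta features on a non-production Jenkins."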
@@ -0,0 +1,51 @@ | ||
## Roles | ||
|
||
The plugin can access more secrets using secondary IAM roles. | ||
|
||
The most common use case is to access secrets in other accounts using [cross-account roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html). In this setup, Jenkins accesses secrets in its own account using its (implicit) primary role, and is assigned a secondary role for each other account that it should read secrets from. | ||
|
||
Secrets in different accounts may have the same name. To allow them to co-exist within Jenkins, credentials from primary and secondary roles use different secret attributes for their IDs: | ||
|
||
<table> | ||
<thead> | ||
<tr> | ||
<td>Role</td> | ||
<td>Credential ID</td> | ||
</tr> | ||
</thead> | ||
<tbody> | ||
<tr> | ||
<td>Primary</td> | ||
<td>Secret Name</td> | ||
</tr> | ||
<tr> | ||
<td>Secondary</td> | ||
<td>Secret ARN</td> | ||
</tr> | ||
</tbody> | ||
</table> | ||
|
||
## Setup | ||
|
||
For each secondary role: | ||
|
||
1. Create the role and associated policies in AWS. | ||
2. Test that Jenkins can assume the role and retrieve secrets. | ||
3. Add the role ARN to the `roles` list in the plugin configuration. | ||
|
||
```yaml | ||
unclassified: | ||
awsCredentialsProvider: | ||
beta: | ||
roles: | ||
- arn:aws:iam::111111111111:role/foo | ||
- arn:aws:iam::222222222222:role/bar | ||
``` | ||
## Considerations | ||
**Do not add more roles than necessary.** Each additional role necessitates another set of HTTP requests to retrieve secrets. This increases the time to populate the credential list. It also increases the risk of service degradation, as any of those requests could fail. | ||
## Limitations | ||
The primary role cannot currently be turned off. This might be a problem if you use the primary role to access a gateway account, and the secondary roles to access your 'real' accounts, and don't want Jenkins to use Secrets Manager in the gateway account. |
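Review bot: the CasC snippet under step 3 lists bare strings under `roles:`, but Beta.java in this commit takes a `Roles` object (not in this excerpt) and ARN.java registers an `arn` describable with a single `value` field; please confirm that the bare-string form shown here is what the configurator actually accepts, or document the describable form (`- arn: {value: "arn:aws:iam::111111111111:role/foo"}`) so the beta docs and the config schema do not diverge. Step 1 would also be more useful if it said what "associated policies" must contain: a trust policy allowing the Jenkins principal to assume the role, and a permissions policy limited to the secrets Jenkins needs. Minor: this file starts at `## Roles` while the Beta page starts at `# Beta`, and the `## Considerations` and `## Limitations` headings have no blank line before them.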
src/main/java/io/jenkins/plugins/credentials/secretsmanager/AssumeRoleDefaults.java (11 additions, 0 deletions)
@@ -0,0 +1,11 @@ | ||
package io.jenkins.plugins.credentials.secretsmanager; | ||
|
||
public abstract class AssumeRoleDefaults { | ||
|
||
public static final int SESSION_DURATION_SECONDS = 900; | ||
public static final String SESSION_NAME = "io.jenkins.plugins.aws-secrets-manager-credentials-provider"; | ||
|
||
private AssumeRoleDefaults() { | ||
|
||
} | ||
} |
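Review bot: `abstract` combined with a private constructor on a constants holder is redundant; the conventional form is `public final class AssumeRoleDefaults` with the private constructor, which prevents both instantiation and subclassing. A one-line comment on `SESSION_DURATION_SECONDS` noting that 900 is the STS minimum for AssumeRole, and therefore the least-exposure default, would stop a future change from raising it without a reason.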
src/main/java/io/jenkins/plugins/credentials/secretsmanager/config/ARN.java (46 additions, 0 deletions)
@@ -0,0 +1,46 @@ | ||
package io.jenkins.plugins.credentials.secretsmanager.config; | ||
|
||
import hudson.Extension; | ||
import hudson.model.AbstractDescribableImpl; | ||
import hudson.model.Descriptor; | ||
import io.jenkins.plugins.credentials.secretsmanager.Messages; | ||
import org.jenkinsci.Symbol; | ||
import org.kohsuke.stapler.DataBoundConstructor; | ||
import org.kohsuke.stapler.DataBoundSetter; | ||
|
||
import javax.annotation.Nonnull; | ||
import java.io.Serializable; | ||
|
||
public class ARN extends AbstractDescribableImpl<ARN> implements Serializable { | ||
|
||
private static final long serialVersionUID = 1L; | ||
|
||
private String value; | ||
|
||
@DataBoundConstructor | ||
public ARN(String value) { | ||
this.value = value; | ||
} | ||
|
||
public String getValue() { | ||
return value; | ||
} | ||
|
||
@DataBoundSetter | ||
public void setValue(String value) { | ||
this.value = value; | ||
} | ||
|
||
@Extension | ||
@Symbol("arn") | ||
@SuppressWarnings("unused") | ||
public static class DescriptorImpl extends Descriptor<ARN> { | ||
|
||
@Override | ||
@Nonnull | ||
public String getDisplayName() { | ||
return Messages.arn(); | ||
} | ||
|
||
} | ||
} |
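Review bot: `value` is accepted without any validation in the constructor, the setter, or `DescriptorImpl`, so a mistyped or empty ARN is only discovered when the plugin later calls STS. A `doCheckValue(@QueryParameter String value)` returning `FormValidation` in `DescriptorImpl` that rejects blank input and anything not of the shape `arn:<partition>:iam::<account-id>:role/<name>` would surface the problem in the UI and CasC at configuration time; trimming whitespace in the constructor and setter would cover the copy-paste case.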
src/main/java/io/jenkins/plugins/credentials/secretsmanager/config/Beta.java (50 additions, 0 deletions)
@@ -0,0 +1,50 @@ | ||
package io.jenkins.plugins.credentials.secretsmanager.config; | ||
|
||
import hudson.Extension; | ||
import hudson.model.AbstractDescribableImpl; | ||
import hudson.model.Descriptor; | ||
import io.jenkins.plugins.credentials.secretsmanager.Messages; | ||
import org.jenkinsci.Symbol; | ||
import org.kohsuke.stapler.DataBoundConstructor; | ||
import org.kohsuke.stapler.DataBoundSetter; | ||
|
||
import javax.annotation.Nonnull; | ||
import java.io.Serializable; | ||
|
||
/** | ||
* Configuration for beta features. | ||
*/ | ||
public class Beta extends AbstractDescribableImpl<Beta> implements Serializable { | ||
|
||
private static final long serialVersionUID = 1L; | ||
|
||
/** | ||
* The IAM role ARNs to assume. For multi-account secrets retrieval. | ||
*/ | ||
private Roles roles; | ||
|
||
@DataBoundConstructor | ||
public Beta(Roles roles) { | ||
this.roles = roles; | ||
} | ||
|
||
public Roles getRoles() { | ||
return roles; | ||
} | ||
|
||
@DataBoundSetter | ||
public void setRoles(Roles roles) { | ||
this.roles = roles; | ||
} | ||
|
||
@Extension | ||
@Symbol("beta") | ||
@SuppressWarnings("unused") | ||
public static class DescriptorImpl extends Descriptor<Beta> { | ||
@Override | ||
@Nonnull | ||
public String getDisplayName() { | ||
return Messages.beta(); | ||
} | ||
} | ||
} |
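Review bot: `roles` is null whenever `beta` is configured without a `roles` entry, and both the constructor and `setRoles` pass null straight through to `getRoles()`, so every caller has to null-check. Defaulting to an empty `Roles` in the constructor and setter would make "no secondary roles" and "beta not configured" behave identically. The Javadoc on the field ("The IAM role ARNs to assume") also describes a list of strings rather than the `Roles` type it annotates; aligning the two would help whoever reads the CasC docs alongside this class.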