-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement read and parse JSON structured secrets from AWS secretsmanager #63
Implement read and parse JSON structured secrets from AWS secretsmanager #63
Conversation
…m AWS secretsmanager into Jenkins.
Hi, glad to hear the plugin is working for you and thanks for the PR :) I believe AWS has a particular syntax for referencing a key-value pair inside a JSON secret. This is used e.g. in CloudFormation templates. Off the top of my head I think it's something like:
There's variations on that to allow for referencing secret versions too. I think we should follow their convention if possible so that it's more intuitive for users. Let's try to figure out why the colon delimiter didn't work 🤔 |
Hey, Internally a class called
It is used to remove a potential prefix. This is a problem as in our case we are interested in this prefix. I don't think it can be disabled but maybe you can take a look as well. The method that alters the input looks as follows:
In this case var could be :
|
I'm wondering if the prefix in CasC is used to indicate the type of resolver or transformer that should be used... did you see anything around the Example in a unit test: https://github.com/jenkinsci/configuration-as-code-plugin/blob/2d26bbfb301d6d402270f00d7f99913aefa26493/plugin/src/test/java/io/jenkins/plugins/casc/SecretSourceResolverTest.java#L229 |
Yes, the prefix is used to determine what type of secret is resolved. It is a hardcoded map which contains This comes from the Java Doc:
In addition we use Right now I don't see a way to make this work without changing the underlying CasC Plugin. |
In addition, do you understand why Jenkins is using this plugin in the end? Is it just going through all potential sources and hoping that one will resolve it? I don't really understand how this is determined. |
Yes, the SecretSource resolver essentially does what you say - it iterates through all installed SecretSource implementations, until one of them successfully resolves the secret ID. I guess this works because in most cases there will be very few implementations installed - probably just the local disk/machine secret resolver, and one remote resolver (like this plugin). It would, however, get 'fun' if you were working in a multi-cloud setup and had e.g. the AWS SecretSource plus an Azure SecretSource installed. |
Ok, that makes sense but definitely also creates challenges. What do you think this means for this PR? Do you think you would like to merge it? |
I think the next thing to do would be to raise an issue with the CasC plugin saying what we'd like to achieve, the obstacle that the CasC plugin currently presents, and ask if the CasC authors can see a way to change the CasC plugin to let implementations use |
…verything else can be used in plugin
Something came to my mind when reading the documentation of the CasC plugin again to be able to open a proper issue. I think we actually don't really need a change as only the first prefix is filtered out. Please have a look at my latest change. I think it works like this as well. |
I'm curious about 2 things:
|
I guess that in the current plugin version 0.0.2 the following would happen: A user would pass the arn via CasC.yaml to the plugin like this: As the CasC plugin drops the first "prefix" before the first In the new approach you'd pass If we'd want to circumvent this we'd need a more complex Regex to match the arn pattern and react on it. |
What I'm thinking is that - rather than use We'd then parse the name to check if it starts with If casc-plugin drops the |
…or plain text for backwards compatibility.
I've just implemented this idea because I think it's actually very clever. Thanks. In addition it could potentially cause the assumption that it is possible to read from secrets from different AWS accounts. |
Now you mention it... if you've got access to a cross-account setup, could you check if providing an ARN from another account - and also providing the AWS auth config to do the cross-account login - works? |
Sorry, I don't have access to multiple AWS accounts. |
In that case no worries. Regarding the fact that the account ID would be embedded in the ARN, and therefore need to change between environments - I think this is okay because in a multi-account setup, casc.yaml is usually generated with configuration management (e.g. Terraform), so the account ID can be fed in as a template variable. |
I think the thing to do at this point is to see if the CasC plugin can make things nicer for us - perhaps, after doing its preprocessing thing, it could provide us an option to access either (a) the original secret name or (b) the original secret prefix (which, being (This would avoid us having to make the small assumption that something which starts |
Hmm... are you sure that the The author of casc-plugin has said that the |
Yes, I'm sure the prefix is filtered out. This might be a bug if the author thinks it shouldn't. Please check out my branch and run the unit test |
I've let the author of casc-plugin know about the test case showing that the prefix is removed - hopefully we'll see a response from him soon. |
@froehr @chriskilding Any updates on the status of this change? |
I think all necessary inputs are provided and we don't have it in our hands right now. From my point of view we could also just ignore the problem for now and make it a little bit less according to the standard as it will not work until fixed in the casc plugin. |
I've provided the CasC maintainers with a failing test on casc-plugin itself that demonstrates the problem, as they asked. jenkinsci/configuration-as-code-plugin#2007 Hopefully we can now work towards a fix upstream. |
@chriskilding and @froehr you would need to accept the next bom version that would include the fix for jcasc, I will make sure we get a release out for the bom :) |
If you have any idea how to improve the secret source extension resolver but again I think it would be hard to figure out who deserves to resolve things. Potentially we could enable an extension to modify the hashmap used within the prefix lookup. But that might not be the best solution. |
@jetersen will that BOM release be available for 2.289 (which is what this plugin currently uses) or will we need to bump? |
just waiting on rerun of bom and we should have a release of it. |
Release inc https://github.com/jenkinsci/bom/runs/7091074572?check_suite_focus=true |
@chriskilding you should be able to head here and force Dependabot to check dependencies now. https://github.com/jenkinsci/bom/releases/tag/1461.vb_3c6de28f2b_a_ |
pom.xml
Outdated
<groupId>com.fasterxml.jackson.core</groupId> | ||
<artifactId>jackson-databind</artifactId> | ||
<version>2.13.2</version> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should depend on the Jenkins jackson API plugin.
The version is defined in the plugin bill of material.
The updated BOM (with the new configuration-as-code-plugin containing the fix) is in main, rebasing this branch now... |
src/main/java/io/jenkins/plugins/casc/secretsmanager/AwsSecretsManagerSecretSource.java
Outdated
Show resolved
Hide resolved
Nearly there - tests refactored, new BOM changes integrated. Just need to tidy up the implementation and we should get to the finish line. |
One thing I would like to know is any qualifiers that might exist on an ARN that we haven't thought about yet. For example, can an ARN contain the secret version as a suffix/qualifier? If so that might cause trouble for the JSON key detection logic, which relies on the JSON key being the only thing in the ARN qualifier. |
Newsflash... I've been working to add JSON secret support to configuration-as-code-plugin. This has just been released in the latest version 1466.v2d4119502006. This means it's no longer necessary to add dedicated JSON parsing logic to the SecretSource plugin; it's all handled by the You should now be able to parse a JSON secret using the latest casc plugin, and the standard version of this plugin, like this... If you have a secret called { "username": "foo", "password": "bar" } Then reference the secret, together with the key to extract, like this: jenkins:
securityRealm:
local:
allowsSignup: false
users:
- id: "${json:username:${my-secret}}"
password: "${json:password:${my-secret}}" Give this a go and let me know if it works for you |
(Incidentally, because this logic has been hoisted into the CasC plugin, this means you can now parse a JSON secret from any secrets backend - whether that's AWS, Azure, Kubernetes, or something else.) |
So basically this PR is obsolete with the new JCasC feature? 👏 |
I'm hoping so! |
@froehr have you been able to evaluate the new JSON secret support in configuration-as-code-plugin? |
Hey,
I used your Jenkins plugin to get secrets from AWS into Jenkins. It was really helpful but I felt it would be useful if it was possible to also use secrets that contain key value pairs and are therefor stored in a json structure.
secretName>jsonKey
>
is used as a delimiter as.
or:
did not work. (see below)I had rather used
.
or:
as a delimiter instead of>
but.
is an available character in a secret name and:
is filtered out internally by Jenkins for some reason. If you have another preference please let me know.I would really like to hear your feedback on it. If you like it please merge it so that others can profit from it as well.