jenkinsci / aws-secrets-manager-credentials-provider-plugin

AWS Secrets Manager Credentials Provider for Jenkins
https://plugins.jenkins.io/aws-secrets-manager-credentials-provider/
MIT License

File Credentials stored in AWS cannot be validated #311

Open daugustus opened 5 months ago

daugustus commented 5 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.401.3
OS: Linux - 3.10.0-1160.90.1.el7.x86_64
Java: 11.0.21 - Red Hat, Inc. (OpenJDK 64-Bit Server VM)
---
ace-editor:1.1 active-directory:2.31 amazon-ecr:1.114.vfd22430621f5 amazon-ecs:1.48 analysis-model-api:11.10.0 anchore-container-scanner:1.0.25 ansicolor:1.0.2 ant:497.v94e7d9fffa_b_9 antisamy-markup-formatter:159.v25b_c67cd35fb_ apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 apache-httpcomponents-client-5-api:5.2.1-1.1 artifactory:3.18.8 authentication-tokens:1.53.v1c90fd9191a_b_ authorize-project:1.7.1 aws-codepipeline:0.46 aws-credentials:218.v1b_e9466ec5da_ aws-java-sdk:1.12.529-406.vdeff15e5817d aws-java-sdk-cloudformation:1.12.529-406.vdeff15e5817d aws-java-sdk-codebuild:1.12.529-406.vdeff15e5817d aws-java-sdk-ec2:1.12.529-406.vdeff15e5817d aws-java-sdk-ecr:1.12.529-406.vdeff15e5817d aws-java-sdk-ecs:1.12.529-406.vdeff15e5817d aws-java-sdk-efs:1.12.529-406.vdeff15e5817d aws-java-sdk-elasticbeanstalk:1.12.529-406.vdeff15e5817d aws-java-sdk-iam:1.12.529-406.vdeff15e5817d aws-java-sdk-kinesis:1.12.529-406.vdeff15e5817d aws-java-sdk-logs:1.12.529-406.vdeff15e5817d aws-java-sdk-minimal:1.12.529-406.vdeff15e5817d aws-java-sdk-secretsmanager:1.12.529-406.vdeff15e5817d aws-java-sdk-sns:1.12.529-406.vdeff15e5817d aws-java-sdk-sqs:1.12.529-406.vdeff15e5817d aws-java-sdk-ssm:1.12.529-406.vdeff15e5817d aws-secrets-manager-credentials-provider:1.213.vca_3f37306fed aws-secrets-manager-secret-source:1.72.v61781b_35c542 badge:1.9.1 blueocean:1.27.5 blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.27.8 blueocean-commons:1.27.8 blueocean-config:1.27.8 blueocean-core-js:1.27.8 blueocean-dashboard:1.27.8 blueocean-display-url:2.4.2 blueocean-events:1.27.8 blueocean-git-pipeline:1.27.8 blueocean-github-pipeline:1.27.8 blueocean-i18n:1.27.8 blueocean-jira:1.27.8 blueocean-jwt:1.27.8 blueocean-personalization:1.27.8 blueocean-pipeline-api-impl:1.27.8 blueocean-pipeline-editor:1.27.8 blueocean-pipeline-scm-api:1.27.8 
blueocean-rest:1.27.8 blueocean-rest-impl:1.27.8 blueocean-web:1.27.8 bootstrap4-api:4.6.0-6 bootstrap5-api:5.3.2-1 bouncycastle-api:2.29 branch-api:2.1128.v717130d4f816 build-name-setter:2.3.0 build-timeout:1.31 build-user-vars-plugin:1.9 build-with-parameters:76.v9382db_f78962 buildtriggerbadge:251.vdf6ef853f3f5 caffeine-api:3.1.8-133.v17b_1ff2e0599 categorized-view:1.12 checks-api:2.0.2 cisco-spark-notifier:1.1.1 cloud-stats:320.v96b_65297a_4b_b_ cloudbees-bitbucket-branch-source:832.v43175a_425ea_6 cloudbees-folder:6.848.ve3b_fd7839a_81 cobertura:1.17 code-coverage-api:4.9.0 command-launcher:106.vb_a_b_8f751309c commons-lang3-api:3.13.0-62.v7d18e55f51e2 commons-text-api:1.10.0-78.v3e7b_ea_d5a_fe1 conditional-buildstep:1.4.3 config-file-provider:959.vcff671a_4518b_ configuration-as-code:1700.v6f448841296e convert-to-pipeline:1.0 copyartifact:714.v28a_34f8c563f credentials:1293.vff276f713473 credentials-binding:636.v55f1275c7b_27 cucumber-reports:5.7.6 custom-markup-formatter:29.ve5d4614ca_d01 customized-build-message:1.1 dashboard-view:2.495.v07e81500c3f2 data-tables-api:1.13.6-5 display-url-api:2.200.vb_9327d658781 docker-build-publish:1.4.0 docker-commons:439.va_3cb_0a_6a_fb_29 docker-java-api:3.3.1-79.v20b_53427e041 docker-plugin:1.4 docker-workflow:563.vd5d2e5c4007f durable-task:523.va_a_22cf15d5e0 ec2:2.0.7 echarts-api:5.4.0-6 email-ext:2.102 emailext-template:1.5 embeddable-build-status:412.v09da_db_1dee68 envinject:2.908.v66a_774b_31d93 envinject-api:1.199.v3ce31253ed13 extended-choice-parameter:376.v2e02857547b_a_ extensible-choice-parameter:1.8.1 external-monitor-job:207.v98a_a_37a_85525 extra-columns:1.26 favorite:2.4.3 font-awesome-api:6.4.2-1 forensics-api:2.3.0 gatling:1.3.0 git:5.2.0 git-changelog:3.34 git-client:4.5.0 git-parameter:0.9.19 git-server:99.va_0826a_b_cdfa_d github:1.37.3 github-api:1.316-451.v15738eef3414 github-branch-source:1741.va_3028eb_9fd21 gitlab-plugin:1.7.16 golang:1.4 google-login:1.7 gradle:2.8.2 
groovy-label-assignment:1.2.0 groovy-postbuild:2.5 h2-api:11.1.4.199-12.v9f4244395f7a_ handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 htmlpublisher:1.32 http_request:1.18 instance-identity:173.va_37c494ec4e5 ionicons-api:56.v1b_1c8c49374e ivy:2.5 jackson2-api:2.15.3-366.vfe8d1fa_f8c87 jakarta-activation-api:2.0.1-3 jakarta-mail-api:2.0.1-3 javadoc:243.vb_b_503b_b_45537 javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-9 jaxb:2.3.8-1 jdk-tool:73.vddf737284550 jenkins-design-language:1.27.8 jenkins-jira-issue-updater:1.18 jersey2-api:2.40-1 jira:3.10 jira-steps:2.0.165.v8846cf59f3db jjwt-api:0.11.5-77.v646c772fddb_0 job-dsl:1.84 jquery:1.12.4-1 jquery3-api:3.7.1-1 jsch:0.2.8-65.v052c39de79b_2 junit:1240.vf9529b_881428 kubernetes:4054.v2da_8e2794884 kubernetes-cli:1.12.0 kubernetes-client-api:6.8.1-224.vd388fca_4db_3b_ kubernetes-credentials:0.11 ldap:694.vc02a_69c9787f lockable-resources:1185.v0c528656ce04 mailer:463.vedf8358e006b_ markdown-formatter:95.v17a_965e696ee mask-passwords:173.v6a_077a_291eb_5 matrix-auth:3.2.1 matrix-project:818.v7eb_e657db_924 maven-plugin:3.23 mercurial:1260.vdfb_723cdcc81 metrics:4.2.18-442.v02e107157925 mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_ mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_ node-iterator-api:49.v58a_8b_35f8363 nodejs:1.6.0 nodelabelparameter:1.12.0 notification:1.17 okhttp-api:4.11.0-157.v6852a_a_fa_ec11 pagerduty:0.7.1 pam-auth:1.10 parallel-test-executor:418.v24f9a_141d726 parameter-separator:87.va_1816d0b_39d1 parameterized-scheduler:1.2 parameterized-trigger:2.46 performance:928.vdea_0dca_55446 periodicbackup:2.0 pipeline-aws:1.43 pipeline-build-step:505.v5f0844d8d126 pipeline-graph-analysis:202.va_d268e64deb_3 pipeline-groovy-lib:689.veec561a_dee13 pipeline-input-step:477.v339683a_8d55e pipeline-maven:1345.va_0ef5530a_5ca_ pipeline-maven-api:1345.va_0ef5530a_5ca_ pipeline-milestone-step:111.v449306f708b_7 pipeline-model-api:2.2144.v077a_d1928a_40 
pipeline-model-definition:2.2144.v077a_d1928a_40 pipeline-model-extensions:2.2144.v077a_d1928a_40 pipeline-rest-api:2.33 pipeline-stage-step:305.ve96d0205c1c6 pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40 pipeline-stage-view:2.33 pipeline-utility-steps:2.16.0 plain-credentials:143.v1b_df8b_d3b_e48 plugin-util-api:3.6.0 pollscm:1.5 popper-api:1.16.1-3 popper2-api:2.11.6-2 prism-api:1.29.0-8 promoted-builds:892.vd6219fc0a_efb publish-to-bitbucket:0.4 pubsub-light:1.17 rake:1.8.0 rebuild:320.v5a_0933a_e7d61 resource-disposer:0.23 run-condition:1.6 saml:4.429.v9a_781a_61f1da_ sbt:81.vb_82499046630 scm-api:676.v886669a_199a_a_ script-security:1275.v23895f409fb_d simple-theme-plugin:160.vb_76454b_67900 slack:664.vc9a_90f8b_c24a_ snakeyaml-api:2.2-111.vc6598e30cc65 sonar:2.15 sse-gateway:1.26 ssh:2.6.1 ssh-agent:333.v878b_53c89511 ssh-credentials:308.ve4497b_ccd8f4 ssh-slaves:2.916.vd17b_43357ce4 ssh-steps:2.0.68.va_d21a_12a_6476 sshd:3.312.v1c601b_c83b_0e stashNotifier:1.28 structs:325.vcb_307d2a_2782 swarm:3.40 throttle-concurrents:2.14 timestamper:1.26 token-macro:384.vf35b_f26814ec trilead-api:2.84.v72119de229b_7 uno-choice:2.7 variant:59.vf075fe829ccb warnings-ng:10.4.0 whitesource:21.1.2 workflow-aggregator:596.v8c21c963d92d workflow-api:1283.v99c10937efcb_ workflow-basic-steps:1042.ve7b_140c4a_e0c workflow-cps:3802.vd42b_fcf00b_a_c workflow-durable-task-step:1289.v4d3e7b_01546b_ workflow-job:1326.ve643e00e9220 workflow-multibranch:756.v891d88f2cd46 workflow-remote-loader:1.6 workflow-scm-step:415.v434365564324 workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:865.v43e78cc44e0d ws-cleanup:0.45 xvfb:1.2
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Centos 7

Reproduction steps

Here is my simple pipeline to compare 2 secrets - the first is stored in System Credentials, the second in AWS Secrets:

```groovy
pipeline {
  agent any

  environment {
    localCred = credentials('localSecret')
    awsCred = credentials('awsSecret')
  }

  stages {
    stage('Compare Secrets') {
      steps {
        sh '''
          echo "This is the directory of the secret file $localCred"
          echo "This is the content of the file `cat $localCred`"
        '''

        sh '''
          echo "This is the directory of the secret file $awsCred"
          echo "This is the content of the file `cat $awsCred`"
        '''
      }
    }
  }
}
```

Expected Results

I expected the values to be printed to the screen for comparison

Actual Results

Also:

```text
org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 05ed4db4-fbf3-49d5-930c-a20197c59230
java.lang.NullPointerException
	at io.jenkins.plugins.credentials.secretsmanager.factory.file.AwsFileCredentials.getContent(AwsFileCredentials.java:40)
	at org.jenkinsci.plugins.credentialsbinding.impl.FileBinding.write(FileBinding.java:54)
	at org.jenkinsci.plugins.credentialsbinding.impl.FileBinding.write(FileBinding.java:42)
	at org.jenkinsci.plugins.credentialsbinding.impl.AbstractOnDiskBinding.bindSingle(AbstractOnDiskBinding.java:38)
	at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:149)
	at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:132)
	at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Finished: FAILURE
```

Anything else?

No response

Are you interested in contributing a fix?

No response

daugustus commented 5 months ago

This use-case comes into play when migrating to AWS secrets for credential storage.

chriskilding commented 4 months ago

Could you let me know how you uploaded the file credential to Secrets Manager? Also did you upload it in binary format? (This is very important for the file credential type to work; if you upload the secret as a string, Jenkins can't parse it.)

daugustus commented 4 months ago

Your question about uploading a binary file got me to do some digging. My previous method of configuring Jenkins used custom Groovy scripts like this - https://github.com/odavid/my-bloody-jenkins/blob/master/config-handlers/CredsConfig.groovy#L116 - which required me to supply strings only. By using AWS Secrets instead via this plugin, I should use `aws secretsmanager create-secret --name "mysecretname" --description "mydescription" --secret-binary fileb:///Path/FileName` instead.

I cannot seem to find a simple way to convert a string to a blob using the Linux CLI with Java or JavaScript. Any suggestions you have on that are appreciated. Unless I can determine that method, I will see about just using string credentials directly, which are simpler to troubleshoot and maintain.

Thanks Chris!
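The two points raised in the thread, that a file credential must be stored as `SecretBinary` rather than `SecretString`, and that a plain string has to be turned into raw bytes for `fileb://`, as an added shell example (not the plugin's code nor either commenter's). The `aws` calls assume a configured AWS CLI and are only executed when `SECRET_NAME` and `SECRET_VALUE` are set; the helper names are my own.

```bash
#!/usr/bin/env bash
# Added example: store a Jenkins "file" credential in Secrets Manager as
# SecretBinary, then check the stored payload really is binary before Jenkins
# binds it (a SecretString upload cannot be read by the file credential type).
set -eu

# Write the secret value to a file byte-for-byte. printf '%s' adds no trailing
# newline, unlike echo, so the file Jenkins later writes out equals the value.
string_to_blob_file() {            # usage: string_to_blob_file VALUE OUT_FILE
  ( umask 077; printf '%s' "$1" > "$2" )   # scratch file holds a secret
}

# Upload from that file. fileb:// makes the CLI send the raw bytes as
# SecretBinary; --secret-string would land in SecretString instead.
upload_file_credential() {         # usage: upload_file_credential NAME BLOB_FILE
  aws secretsmanager create-secret --name "$1" --secret-binary "fileb://$2"
}

# Classify a get-secret-value JSON response by which field carries the payload.
# Prints binary, string or none. Pure shell, so no jq dependency.
secret_payload_kind() {            # usage: secret_payload_kind JSON
  case "$1" in
    *'"SecretBinary"'*) echo binary ;;
    *'"SecretString"'*) echo string ;;
    *)                  echo none ;;
  esac
}

# Fail unless the stored secret is binary, then decode it and compare it with
# the local file to confirm the round trip is lossless.
verify_file_credential() {         # usage: verify_file_credential NAME BLOB_FILE
  local json kind
  json=$(aws secretsmanager get-secret-value --secret-id "$1")
  kind=$(secret_payload_kind "$json")
  [ "$kind" = binary ] || { echo "secret $1 stored as $kind, not binary" >&2; return 1; }
  aws secretsmanager get-secret-value --secret-id "$1" \
      --query SecretBinary --output text | base64 -d | cmp -s - "$2"
}

# Example run, only when both variables are set so the file can also be sourced.
if [ -n "${SECRET_NAME:-}" ] && [ -n "${SECRET_VALUE:-}" ]; then
  tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
  string_to_blob_file "$SECRET_VALUE" "$tmp"
  upload_file_credential "$SECRET_NAME" "$tmp"
  verify_file_credential "$SECRET_NAME" "$tmp" && echo "ok: $SECRET_NAME is SecretBinary"
fi
```

`verify_file_credential` is the check to run before pointing a `credentials('awsSecret')` binding at the secret: a `string` result explains the NullPointerException seen in the report.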