jenkinsci / azure-keyvault-plugin

Jenkins plugin for Azure Keyvault
https://plugins.jenkins.io/azure-keyvault/
MIT License

Jenkins cannot find Azure keyvault credential when configuring pipeline stored in GIT SCM #42

Closed jaheikki closed 4 years ago

jaheikki commented 4 years ago

Description

Configuring the plugin and using one Azure Key Vault secret inside a pipeline was successful. However, I cannot select Git credentials (originating from Azure Key Vault) from the Pipeline / "Pipeline script from SCM" section in the build configuration in the Jenkins UI. I also tried with 'Pipeline script' (see below). Jenkins cannot find the 'credentialsId' with name 'git-keyvault-secret' (which is stored in the Azure Key Vault secret in username:password form). Is this a problem or a feature?

node('my-slave') {
  dir("my-dir") {
    checkout(
        poll: true,
        changelog: true,
        scm: [
            $class: 'GitSCM', branches: [[name: 'my-branch']],
            userRemoteConfigs: [[
                // no leading space inside the URL, otherwise git receives a malformed remote
                url: "https://gitlab.mycompany.com/Project/repo.git",
                // id of the credential expected to come from Azure Key Vault
                credentialsId: 'git-keyvault-secret']]])
  }
}
timja commented 4 years ago

can you see the secret on the credentials page?

can you access that secret with withCredentials ?

jaheikki commented 4 years ago

Yes I can see the secret in Credentials page as 'Azure key vault' credentials.

I cannot access that secret with 'withCredentials' but I can access (a similar secret) with 'withAzureKeyvault' like this:

def secrets = [
  [ secretType: 'Secret', name: 'artifactory-creds', envVariable: 'ARTIFCREDS' ],
]
withAzureKeyvault(secrets) {
  // note: this echoes the secret value into the build log
  sh "echo ARTIFCREDS: $ARTIFCREDS"
}

timja commented 4 years ago

why don't you try accessing the same secret? btw can you use code formatting please, three backticks to start and close

https://help.github.com/en/github/writing-on-github/creating-and-highlighting-code-blocks

jaheikki commented 4 years ago

Well, that secret was not available at that moment (due to the fact that I cannot run the SCM pipeline without working Git credentials, and local creds cannot have the same id as creds in Key Vault...).

I just verified that the same secret works from pipeline by 'withAzureKeyvault'.

But the problem remains the same: I cannot use a Key Vault credential when trying to configure the Pipeline SCM section in the UI. The 'Credentials' drop-down menu does not contain any selectable values even though there are Azure Key Vault credentials visible on the Credentials page. And the same happens without the UI (credentialsId: 'git-keyvault-secret'). I just get this in the console log: "Warning: CredentialId "git-keyvault-secret" could not be found."

I wonder whether this could be an issue with the different plugins used. Could it be that the Pipeline plugin cannot get credentials from any origin other than the credentials-binding plugin ('withCredentials')...

timja commented 4 years ago

Possibly the plugin isn't looking up the credential provider properly, I'll take a look

timja commented 4 years ago

Ah I think it's because the git plugin only supports username/password credentials, but this plugin can only pull out secret text directly.

jaheikki commented 4 years ago

Ok. I tried to save the Key Vault secret in 'username:password' format (don't know if it's relevant or not): https://jenkins.io/doc/book/using/using-credentials/

Clip from 'using-credentials' page: Jenkins can store the following types of credentials: Secret text - a token such as an API token (e.g. a GitHub personal access token), Username and password - which could be handled as separate components or as a colon separated string in the format username:password (read more about this in Handling credentials)...

So there's nothing you can do for azure-keyvault-plugin to fix this?

timja commented 4 years ago


Not currently but I've created an issue for it: https://github.com/jenkinsci/azure-keyvault-plugin/issues/44

This would allow you to work around it by using the configuration-as-code plugin to load the secrets from key-vault https://github.com/jenkinsci/azure-keyvault-plugin/issues/43

jaheikki commented 4 years ago

Many thanks for your quick responses/actions!

About the workaround #43. Is it usable now? And does it allow usage of Azure keyvault?

I think #43 does not solve the issue related to configuring password/username type of GIT credential in UI (Pipeline script from SCM), right?

timja commented 4 years ago

#43 has an open pull request and it will make it work by allowing you to create a credential using the configuration-as-code plugin; note that for setting it up from scratch you would need https://github.com/jenkinsci/azure-keyvault-plugin/issues/38, which I'm currently working on

jaheikki commented 4 years ago

Thanks, I'll stay tuned to the related PRs.

timja commented 4 years ago

Closing in favour of: https://github.com/jenkinsci/azure-keyvault-plugin/issues/44

This can be worked around with a combination of the configuration-as-code plugin and the SecretSource support added in https://github.com/jenkinsci/azure-keyvault-plugin/pull/45
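The workaround described in the thread, written out as an added example that is not part of the original issue or of the plugin's own documentation: a configuration-as-code (JCasC) fragment that points the Azure Key Vault SecretSource at a vault and then declares a regular Jenkins username/password credential whose fields are resolved from Key Vault secrets. The Git plugin can pick up that credential by id because it is an ordinary username/password credential, which is the type the Git plugin expects. The vault URL, the Azure credential id `azure-sp`, the credential id `git-keyvault-secret` and the two Key Vault secret names `git-username` and `git-password` are assumptions for illustration; Key Vault secret names must use letters, digits and hyphens only, so the secret names are written in that form.

```yaml
# Added example (assumed names, not the plugin's own config): JCasC resolves ${name}
# placeholders through the Azure Key Vault SecretSource, so the secret values never
# appear in this file or in the Jenkins config on disk.
unclassified:
  azureKeyVault:
    # vault that the SecretSource reads from (assumed URL)
    keyVaultURL: "https://my-vault.vault.azure.net"
    # id of the Azure service principal credential used to authenticate to the vault
    credentialID: "azure-sp"

credentials:
  system:
    domainCredentials:
      - credentials:
          # A plain username/password credential, the type the Git plugin supports.
          # Each field is filled from a separate Key Vault secret at configuration time,
          # so the vault holds two secrets instead of one "user:pass" string.
          - usernamePassword:
              scope: GLOBAL
              id: "git-keyvault-secret"          # referenced as credentialsId in the pipeline
              description: "GitLab credentials resolved from Azure Key Vault"
              username: "${git-username}"        # Key Vault secret named git-username
              password: "${git-password}"        # Key Vault secret named git-password
```

With this in place the `checkout` step from the first comment works unchanged with `credentialsId: 'git-keyvault-secret'`, and the same id becomes selectable in the "Pipeline script from SCM" drop-down. Two caveats: the values are fetched when JCasC applies the configuration, so a rotated password in Key Vault is not picked up until the configuration is reloaded, and the `azure-sp` credential itself must exist before this file is applied (the chicken-and-egg problem #38 in the thread is about).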