Jenkins Plugin

Suggest Edits

The Jenkins plugin adds a build wrapper to set Jenkins environment variables from an Akeyless Vault secret. The secrets are masked in the build log, so you can't accidentally print them.

The Jenkins plugin can also inject vault credentials into a build pipeline or freestyle job for fine-grained vault interactions.

To use the Jenkins plugin, you need to add the Akeyless Vault plugin to Jenkins and enter credentials for authenticating against Akeyless Vault. In this example, we will use an API Key for authentication.

👍

Note

You can use any of the authentication methods supported by Akeyless. Ensure that the authentication method you use is associated with an access role with access to the required secrets.

Configure the Akeyless Vault Plugin in Jenkins

👍

Note

Akeyless developed API compatibility with Hashicorp Vault OSS, enabling the use of Vault OSS community plugins for both Static & Dynamic Secrets, you can find more information here

  1. Log in to Jenkins and go to Manage Jenkins > Manage Plugins.
1600
  1. Find and install the Hashicorp Vault plugin.
1590
  1. From the main Jenkins page, select New Item > Freestyle project, then add a name for the project and select OK.
891
  1. In the Build Environment tab, select the Vault Plugin radio button
    Then, enter the Akeyless Vault Proxy URL: https://hvp.akeyless.io

📘

Info

If you are using a customer key fragment with your Akeyless Vault, enter your Vault URL as configured on the Akeyless Gateway using the HVP port/service.

1678
  1. To set your Jenkins Vault credentials provider, to the right of the Vault Credentials field, select Add, then select Jenkins.
1562
  1. In the Add Credentials window, from the Kind dropdown list, select Vault Token Credential, then enter your credentials and select Add.

📘

Info

The Token value is a concatenation of your Access ID and your Access Key in the following format:
< Access ID >..< Access Key >

For example:p-jjdbbkbd..njRThf894chsBXnuh

👍

Note

The Credential Kind you select determines which authentication backend will be used. If you wish to use another Authentication Method, see the different Credential Types supported using the Vault plugin.

Keep in mind you can always use any of the Akeyless authentication methods via the Vault Token File Credential where the temporary token is read from a file on your Jenkins host. You can use this in combination with a script (using the akeyless auth CLI command for example) to output a periodically refreshing temporary access token into the file in question.

  1. In the Build Environment tab, from the Vault Credential dropdown list, select the new credential, then select Advanced.

  2. Add the following information, then select Add a vault secret:

    • KV Engine Version: Enter 1.
    • Skip SSL verification: Select the checkbox.
1432

Dynamic Secret

To use your Jenkins Plugin to fetch Dynamic Secrets:

The Path should be in the following format: <Dynamic Secret type>/creds/<Full Secret Name>

The returned JSON object will have keys named password and username.e.g. 

{
  "password": "BbDUelj%Z1~UH1YS",
  "username": "tmp_ProdDB_p-csdsffer"
}

In this example, we are fetching a dynamic secret named ProdDB using MySQL Dynamic Secrets.

To test the plugin, in Build, click “Execute shell”:

Provide your MySQL server IP, and modify the query etc.

mysql --host <your MySQL server ip>  --port 3306 --user=$USER --password=$PASS -e 'show databases;'
exit 0

Click “Apply” and “Save”.
Click “Build Now” and expect to see the following Console Output:

Static Secrets

To work with Static secrets, the Vault Secret Path should be in this format for KV 1:

secret/data/<Full Secret Name>, where the Key in the returned JSON name is data.

For example, let's create a secret:

akeyless create-secret -n /DevOps/Jenkins -v 'AkeylessIsGr8'

The Key name should be set to data and the Path is secret/data/DevOps/Jenkins.

In case the secret value itself is a JSON-structured object, the Path must be in the following format:

secret/<Full Secret Name>, without the data/ prefix, you can use the internal JSON keys as the Key names for example, let's create a secret that contains a JSON-structured value:

akeyless create-secret -n /DevOps/JenkinsJson -v '{"username":"john","password":"secret"}'

The Key names can be: username and password where the Path is secret/DevOps/JenkinsJson

To work with KV 2 use the following format:

To fetch the secret /DevOps/Jenkins :

The Path is secret/DevOps/Jenkins, where the Key in the returned JSON name is DevOps/Jenkins without the / prefix.

For example, to fetch the secret /DevOps/JenkinsJson :

The Path should be secret/DevOps/JenkinsJson, and the Key name should be set with the relevant JSON keys.

Updated about 2 months ago