Jenkins Plugin
The Jenkins plugin adds a build wrapper to set Jenkins environment variables from secrets that are stored within Akeyless. Secrets are masked in the build log, so you can't accidentally print them.
The Jenkins plugin can also inject credentials into a build pipeline or freestyle job for fine-grained vault interactions.
To use the Jenkins plugin, you need to add the Akeyless plugin to Jenkins and enter credentials for authenticating against Akeyless. In this example, we will use an API Key for authentication.
Note
You can use any of the authentication methods supported by Akeyless. Ensure that the authentication method you use is associated with an access role with access to the required secrets.
Configure the Akeyless Plugin in Jenkins
Note
Akeyless provides API compatibility with HashiCorp Vault OSS, so Vault OSS community plugins can be used with Akeyless for both Static and Dynamic Secrets. More information is available in the Akeyless documentation.
- Log in to Jenkins and go to Manage Jenkins > Manage Plugins.
- Find and install the HashiCorp Vault plugin.
- From the main Jenkins page, select New Item > Freestyle project, enter a name for the project, and select OK.
- In the Build Environment tab, select the Vault Plugin option, then enter the Akeyless Proxy URL as the Vault URL: https://hvp.akeyless.io
Info
If you are using a customer key fragment with your Akeyless Platform, set the Vault URL to your Akeyless Gateway on port 8200 instead of the hosted proxy (for example, https://<your-gateway-host>:8200).
- To set your Jenkins Vault credentials provider, to the right of the Vault Credentials field, select Add, then select Jenkins.
- In the Add Credentials window, from the Kind dropdown list, select Vault Token Credential, then enter your credentials and select Add.
Info
The Token value is your Access ID and your Access Key concatenated with two dots between them, in the following format:
<Access ID>..<Access Key>
For example:
p-xxxxxx..accessKey
Treat this value like the Access Key itself: it grants everything the key's access role allows, so store it only in the Jenkins credential, never in job configuration or scripts.
Note
The Credential Kind you select determines which authentication backend is used. To use another authentication method, see the credential types supported by the Vault plugin.
Keep in mind that you can use any of the Akeyless authentication methods via the Vault Token File Credential, where a temporary token is read from a file on your Jenkins host. Combine this with a script (for example, one that runs the akeyless auth CLI command) that periodically writes a fresh temporary access token to that file. Restrict the file's permissions to the user Jenkins runs as: anyone who can read it holds a valid Akeyless token for as long as it lives.
- In the Build Environment tab, from the Vault Credential dropdown list, select the new credential, then select Advanced.
- Add the following information, then select Add a vault secret:
- KV Engine Version: Enter 1.
- Skip SSL verification: Select the checkbox. Be aware that this turns off certificate validation for the connection that carries your Access Key and the returned secrets; it is only reasonable for a Gateway with a self-signed certificate in a test environment. For production, leave it unselected and add the Gateway's CA certificate to the Jenkins JVM truststore instead.
Dynamic Secret
To use the Jenkins plugin to fetch Dynamic Secrets, set the Path in the following format:
<Dynamic Secret type>/creds/<Full Secret Name>
The returned JSON object has keys named password and username, e.g.
{
"password": "BbDUelj%Z1~UH1YS",
"username": "tmp_ProdDB_p-csdsffer"
}
In this example, we are fetching a dynamic secret named ProdDB using MySQL Dynamic Secrets.
To test the plugin, in Build, click Execute shell and add the following command, substituting your MySQL server IP and adjusting the query as needed. USER and PASS are the environment variable names you mapped to the username and password keys of the vault secret:
mysql --host <your MySQL server ip> --port 3306 --user="$USER" --password="$PASS" -e 'show databases;'
exit 0
Passing --password on the command line makes it visible to other local users in the agent's process list; outside a quick test, hand it to the client through the MYSQL_PWD environment variable or an option file instead.
Click Apply and Save.
Click Build Now and check the Console Output: the query result should be printed, with the injected username and password masked in the log.
Static Secrets
To work with Static Secrets using KV 1, the Vault Secret Path must be in this format:
secret/data/<Full Secret Name>
and the Key name in the returned JSON is data.
For example, create a secret:
akeyless create-secret -n /DevOps/Jenkins -v 'AkeylessIsGr8'
To fetch it, set the Key name to data and the Path to secret/data/DevOps/Jenkins.
If the secret value itself is a JSON-structured object, the Path must instead be in the following format:
secret/<Full Secret Name>
without the data/ prefix, and the internal JSON keys are used as the Key names. For example, create a secret with a JSON-structured value:
akeyless create-secret -n /DevOps/JenkinsJson -v '{"username":"john","password":"secret"}'
The Key names can then be username and password, with the Path secret/DevOps/JenkinsJson.
To work with KV 2, use the following format. To fetch the secret /DevOps/Jenkins, the Path is secret/DevOps/Jenkins and the Key name is DevOps/Jenkins, without the leading /.
For a JSON-structured value such as /DevOps/JenkinsJson, the Path is secret/DevOps/JenkinsJson and the Key names are the relevant JSON keys (here username and password).
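The same configuration expressed as a Jenkins Pipeline, covering both the dynamic-secret path from the Dynamic Secret section and the KV 1 static path formats from this section. This is an added example, not code from the Akeyless documentation or from the HashiCorp Vault plugin; it uses the plugin's withVault step. The credential id akeyless-token, the mysql mount name for the dynamic secret type and the host db.example.internal are assumptions, not values from the page.

```groovy
// Added example (not Akeyless or plugin code). Assumes: a Vault Token Credential
// with id 'akeyless-token' holding "<Access ID>..<Access Key>", a MySQL dynamic
// secret named ProdDB served under the assumed mount 'mysql', the static secrets
// /DevOps/Jenkins and /DevOps/JenkinsJson created in the text, and an assumed
// MySQL host db.example.internal.

// Shared connection settings, equivalent to the freestyle job's Build Environment
// fields. Certificate verification stays on; hvp.akeyless.io uses a public CA.
def akeylessVault = [
    vaultUrl:            'https://hvp.akeyless.io',
    vaultCredentialId:   'akeyless-token',
    engineVersion:       1,
    skipSslVerification: false
]

pipeline {
    agent any

    stages {
        stage('Dynamic MySQL credentials') {
            steps {
                withVault(
                    configuration: akeylessVault,
                    vaultSecrets: [[
                        // <Dynamic Secret type>/creds/<Full Secret Name>
                        path: 'mysql/creds/ProdDB',
                        secretValues: [
                            [envVar: 'DB_USER', vaultKey: 'username'],
                            [envVar: 'DB_PASS', vaultKey: 'password']
                        ]
                    ]]
                ) {
                    // Single-quoted Groovy string: $DB_PASS is expanded by the shell
                    // at run time, not interpolated by Groovy into the step arguments,
                    // and the password is passed via MYSQL_PWD rather than argv.
                    sh '''
                        MYSQL_PWD="$DB_PASS" mysql --host db.example.internal --port 3306 \
                            --user="$DB_USER" -e 'show databases;'
                    '''
                }
            }
        }

        stage('Static secrets (KV 1)') {
            steps {
                withVault(
                    configuration: akeylessVault,
                    vaultSecrets: [
                        [   // plain value: data/ prefix in the path, key is "data"
                            path: 'secret/data/DevOps/Jenkins',
                            secretValues: [[envVar: 'API_TOKEN', vaultKey: 'data']]
                        ],
                        [   // JSON value: no data/ prefix, inner keys are the vault keys
                            path: 'secret/DevOps/JenkinsJson',
                            secretValues: [
                                [envVar: 'SVC_USER', vaultKey: 'username'],
                                [envVar: 'SVC_PASS', vaultKey: 'password']
                            ]
                        ]
                    ]
                ) {
                    // Prove the values arrived without echoing them; the plugin
                    // masks any secret value that does reach the console.
                    sh '''
                        test -n "$API_TOKEN" && test -n "$SVC_USER" && test -n "$SVC_PASS"
                        echo "static secrets injected"
                    '''
                }
            }
        }
    }
}
```

If your tenant uses a customer key fragment, change vaultUrl to your Gateway on port 8200 and keep skipSslVerification at false, adding the Gateway's CA certificate to the Jenkins JVM truststore rather than disabling verification.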
Updated about 1 year ago