The plugin allows you to configure the Secrets Manager client that it uses to access secrets.
We recommend that you use the defaults whenever possible. This will allow Jenkins to inherit AWS configuration from the environment. Only set these client options if you really need to (for example you have multiple Jenkins AWS plugins installed, and need the Secrets Manager plugin to behave differently to the others).
The plugin supports the following AWSCredentialsProvider implementations to authenticate and authorize with Secrets Manager.
Note: This is not the same thing as a Jenkins CredentialsProvider.
Recommendations:
Authorization note: IAM is always present, no matter which authentication mechanism you use. This is because, even if Jenkins is running outside AWS and you use an AWS keypair, the keypair belongs to an IAM user, and AWS must still check that the IAM user is allowed to access Secrets Manager.
The default credentials provider uses the standard AWS credentials lookup chain.
The authentication methods in the chain are tried in this order:
1. Environment variables (set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_REGION before starting Jenkins).
2. Java system properties (set aws.accessKeyId, aws.secretKey, and aws.region before starting Jenkins).
3. The shared AWS credentials file (populate ~/.aws/credentials before starting Jenkins).
The profile credentials provider allows you to use named AWS profiles from ~/.aws/config.
unclassified:
  awsCredentialsProvider:
    client:
      credentialsProvider:
        profile:
          profileName: "foobar"
The assumeRole credentials provider allows you to specify IAM roles inline within Jenkins.
unclassified:
  awsCredentialsProvider:
    client:
      credentialsProvider:
        assumeRole:
          roleArn: "arn:aws:iam::111111111111:role/foo"
          roleSessionName: "jenkins"
The static credentials provider allows you to specify a static, long-lived AWS keypair within Jenkins.
The secretKey value will be stored in Jenkins’ plugin XML configuration, encrypted using hudson.util.Secret. This provides a modicum of security, but not much.
If you use this authentication strategy together with Jenkins CasC, you SHOULD inject the keypair values via CasC secret interpolation. This is to avoid hardcoding the keypair in plain text within your casc.yaml.
unclassified:
  awsCredentialsProvider:
    client:
      credentialsProvider:
        static:
          accessKey: "${aws-access-key}" # e.g. AKIAIOSFODNN7EXAMPLE
          secretKey: "${aws-secret-key}" # e.g. wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
The plugin will use the default AWS client configuration if no overrides are set.
If the Jenkins system-wide HTTP proxy is configured, the plugin will use the Jenkins proxy settings:
jenkins:
  proxy:
    name: "localhost"
    port: 5000
    userName: "user"
    secretPassword: "fake"
Alternatively you can set the AWS client configuration for the client. This will take precedence over any Jenkins proxy settings that may be present. (This may be useful if you need to apply different HTTP proxy settings just for Secrets Manager.)
unclassified:
  awsCredentialsProvider:
    client:
      clientConfiguration:
        proxyHost: "localhost"
        proxyPort: 5000
        proxyUsername: "user"
        proxyPassword: "fake"
You can set the AWS endpoint configuration for the client.
unclassified:
  awsCredentialsProvider:
    client:
      endpointConfiguration:
        serviceEndpoint: "http://localhost:4584"
        signingRegion: "us-east-1"
You can set the AWS region for the client.
unclassified:
  awsCredentialsProvider:
    client:
      region: "us-east-1"
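The snippets above (the static keypair section, the proxy precedence rule, and the endpoint and region settings) describe what a casc.yaml for this plugin may contain, but nothing on the page checks one before Jenkins loads it. The script below is an added example, not code from the plugin or its documentation: a small linter that parses the block-mapping YAML subset these snippets use and reports the things a reviewer would look for, namely a static accessKey or secretKey written as a literal instead of a CasC ${...} reference, a clientConfiguration proxy that silently overrides the Jenkins system proxy, and a plain-HTTP serviceEndpoint pointing at a non-local host. The sample configuration embedded in it is constructed for the example, and the rule that only one strategy may appear under credentialsProvider is an assumption about the plugin, not something the page states.

```python
import re
from urllib.parse import urlparse

# Constructed sample casc.yaml fragment (not from the plugin's docs). It mixes
# several of the client settings documented above and deliberately hardcodes
# the secretKey so the linter has something to report.
SAMPLE_CASC = """\
jenkins:
  proxy:
    name: "proxy.example.internal"
    port: 3128
unclassified:
  awsCredentialsProvider:
    client:
      credentialsProvider:
        static:
          accessKey: "${aws-access-key}"   # resolved by CasC at load time
          secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
      clientConfiguration:
        proxyHost: "localhost"
        proxyPort: 5000
      endpointConfiguration:
        serviceEndpoint: "http://localhost:4584"
        signingRegion: "us-east-1"
"""

INTERPOLATION = re.compile(r"^\$\{[^}]+\}$")       # a CasC ${name} reference
STRATEGIES = ("profile", "assumeRole", "static")  # keys seen under credentialsProvider


def _scalar(value: str):
    """Convert a YAML scalar: strip matching quotes, parse plain integers."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_simple_yaml(text: str) -> dict:
    """Parse the block-mapping YAML subset used by the CasC snippets on this page:
    nested `key:` mappings and `key: value` scalars, with `#` comments stripped.
    Sequences and flow syntax are not supported (the client config needs neither)."""
    root: dict = {}
    stack = [(-1, root)]                          # (indent, mapping) pairs
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:             # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def lint_client_config(config: dict) -> list:
    """Return human-readable findings about the Secrets Manager client settings."""
    findings = []
    client = (config.get("unclassified", {})
                    .get("awsCredentialsProvider", {})
                    .get("client", {}))
    provider = client.get("credentialsProvider", {})

    # Assumed: the plugin takes exactly one strategy under credentialsProvider.
    chosen = [s for s in STRATEGIES if s in provider]
    if len(chosen) > 1:
        findings.append(f"credentialsProvider lists several strategies: {chosen}")

    # The page's advice for the static strategy: keep both halves of the keypair
    # out of casc.yaml by using CasC secret interpolation.
    for field in ("accessKey", "secretKey"):
        value = provider.get("static", {}).get(field)
        if isinstance(value, str) and not INTERPOLATION.match(value):
            findings.append(f"static.{field} is hardcoded; use a ${{...}} CasC reference instead")

    # clientConfiguration takes precedence over the Jenkins system proxy.
    if "proxyHost" in client.get("clientConfiguration", {}) and "proxy" in config.get("jenkins", {}):
        findings.append("clientConfiguration.proxyHost overrides the Jenkins system proxy "
                        "for Secrets Manager traffic")

    # A plain-HTTP endpoint is only defensible for a local test double.
    endpoint = client.get("endpointConfiguration", {}).get("serviceEndpoint")
    if isinstance(endpoint, str):
        url = urlparse(endpoint)
        if url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"serviceEndpoint {endpoint} uses plain HTTP to a non-local host")
    return findings


def lint_sample() -> list:
    """Lint the constructed sample; yields the secretKey and proxy findings."""
    return lint_client_config(parse_simple_yaml(SAMPLE_CASC))


if __name__ == "__main__":
    for finding in lint_sample():
        print("-", finding)
```

Run it against your own casc.yaml by replacing SAMPLE_CASC with the file's contents; an empty findings list means the static keypair (if any) is interpolated, no proxy override is in play, and any HTTP endpoint is local. The parser is intentionally minimal so the script has no dependency beyond the standard library; for configurations that use YAML sequences or anchors, swap in a full YAML parser and keep lint_client_config as is.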