Hi Jenkins users,

Me and a colleague are trying to make our Jenkins infrastructure nice and config-as-code-y and reproducible, and it works nicely except that we haven't yet found a good way to store and obfuscate credentials.

Here's what we're currently doing:

1. Store all initial config using the Configuration-as-Code plugin (https://github.com/jenkinsci/configuration-as-code-plugin)
2. Store credentials in AWS SSM Parameter Store using the CasC SSM plugin, loading them using an instance profile (https://github.com/jenkinsci/configuration-as-code-secret-ssm-plugin)
3. Load all jobs from seed job DSL on first boot

That way, it's easy to replace the Jenkins host for patching, and doing that on a regular basis makes sure that all CI jobs and config go through a pull request process by cleaning house on a regular basis :)

The problem with this is that AWS Parameter Store only supports storing string type parameters, and I can't find a smart way to turn SSM strings into files or other credential objects in the configuration as code plugin.

In theory storing SSH keys/Ansible vault passphrases and similar as strings should be OK, as you could just write the secure string into a file in a shell step in a job. But in reality, while the logic that redacts credentials works nicely for short strings, it seems to be happy to print the value of the key out when I do `echo $SSH_KEY > file.txt`.

Does anyone know how that redaction gets evaluated? It says in the log "Masking only exact matches of $SECRET or $SSH_KEY". My guess is that line breaks/text wrapping is throwing it off. Which is fair enough, since there's a perfectly good SSH credential type!

If anyone has ideas about

- a way to make sure the long secret text value gets redacted
- a way to manage to load AWS SSM Parameter Store SecureStrings as something other than text type Jenkins credentials
- or another credential that integrates with the Config-as-Code plugin

I'd appreciate it.

Thanks for reading - have a good weekend!

Nikki
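Added example, not part of the original post and not Jenkins code: a shell sketch of why an exact-match masker can miss a multi-line secret that is expanded unquoted, and a way to write the key to a file without sending it through the log. `mask_exact` is a hypothetical model of the "exact matches" behaviour quoted from the log, and the key value is constructed.

```shell
#!/bin/sh
# Constructed multi-line value standing in for a private key (not a real key).
SSH_KEY='-----BEGIN CONSTRUCTED KEY-----
AAAAexampleLINE1
BBBBexampleLINE2
-----END CONSTRUCTED KEY-----'

# Hypothetical model of "masking only exact matches": replace every exact
# occurrence of SECRET in LOG with ****. Not Jenkins' implementation.
mask_exact() {
  log=$1 secret=$2 out=
  while :; do
    case $log in
      *"$secret"*)
        head=${log%%"$secret"*}   # text before the first exact match
        log=${log#*"$secret"}     # text after it
        out="$out$head****"
        ;;
      *) break ;;
    esac
  done
  printf '%s' "$out$log"
}

# Unquoted expansion, as in `echo $SSH_KEY`: the shell splits the value on
# newlines and echo rejoins the words with single spaces.
unquoted_output() { echo $SSH_KEY; }

# Quoted expansion keeps the line breaks, byte for byte.
quoted_output() { printf '%s\n' "$SSH_KEY"; }

# Write the key to a file without passing it through the log: tracing off,
# owner-only permissions, quoted expansion so the key stays valid.
write_key_file() (
  set +x
  umask 077
  printf '%s\n' "$SSH_KEY" > "$1"
)

echo "unquoted: $(mask_exact "$(unquoted_output)" "$SSH_KEY")"
echo "quoted:   $(mask_exact "$(quoted_output)" "$SSH_KEY")"
```

The unquoted form no longer contains the stored value as one exact string, so the model masker leaves it untouched, and a key file written that way has also lost its line breaks.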
