Hi Jenkins users,

Me and a colleague are trying to make our Jenkins infrastructure nice and config-as-code-y and reproducible, and it works nicely except that we haven't yet found a good way to store and obfuscate credentials.

Here's what we're currently doing:

1. Store all initial config using the Configuration-as-Code plugin (https://github.com/jenkinsci/configuration-as-code-plugin)
2. Store credentials in AWS SSM Parameter Store using the CasC SSM plugin, loading them using an instance profile (https://github.com/jenkinsci/configuration-as-code-secret-ssm-plugin)
3. Load all jobs from seed job DSL on first boot

That way, it's easy to replace the Jenkins host for patching, and doing that on a regular basis makes sure that all CI jobs and config go through a pull request process by cleaning house on a regular basis :)

The problem with this is that AWS Parameter Store only supports storing string type parameters, and I can't find a smart way to turn SSM strings into files or other credential objects in the configuration as code plugin.

In theory storing SSH keys/Ansible vault passphrases and similar as strings should be OK, as you could just write the secure string into a file in a shell step in a job. But in reality, while the logic that redacts credentials works nicely for short strings, it seems to be happy to print the value of the key out when I do `echo $SSH_KEY > file.txt`.

Does anyone know how that redaction gets evaluated? It says in the log "Masking only exact matches of $SECRET or $SSH_KEY". My guess is that line breaks/text wrapping is throwing it off. Which is fair enough, since there's a perfectly good SSH credential type!

If anyone has ideas about

- a way to make sure the long secret text value gets redacted
- a way to manage to load AWS SSM Parameter Store SecureStrings as something other than text type Jenkins credentials
- or another credential that integrates with the Config-as-Code plugin

I'd appreciate it.

Thanks for reading - have a good weekend!

Nikki
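The following is an added example, not part of the original message or of any Jenkins plugin: it shows how an unquoted `echo $SSH_KEY > file` under shell tracing emits the key as space-separated words that an exact-match masker cannot match, beside a write that keeps the value out of the trace. It assumes the job's shell step runs with `set -x` enabled and models the masker as a literal substring match; the sample key is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed multi-line sample standing in for $SSH_KEY (not a real key).
SAMPLE_KEY='-----BEGIN SAMPLE KEY-----
AAAAconstructedline1
BBBBconstructedline2
-----END SAMPLE KEY-----'

# Capture what a traced shell prints for `echo $SSH_KEY > file`.
# The unquoted expansion is word-split, so the trace carries the key
# material as separate words instead of the original multi-line string.
trace_unquoted_echo() {
    ( set -x; echo $1 >/dev/null ) 2>&1
}

# Models an exact-match masker (assumption: literal substring match).
contains_exact() {
    case "$1" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened write. Takes the variable NAME, not its value, so a traced call
# site never expands the secret. Tracing is switched off before the value is
# touched, the file is created owner-only, and the quoted expansion keeps
# the line breaks intact.
write_secret_file() {
    (
        set +x
        case "$2" in ''|*[!A-Za-z0-9_]*|[0-9]*) exit 2 ;; esac
        umask 077
        eval "printf '%s\n' \"\${$2}\"" > "$1"
    )
}

demo() {
    trace=$(trace_unquoted_echo "$SAMPLE_KEY")
    if contains_exact "$trace" "$SAMPLE_KEY"; then
        echo "trace holds the exact secret: an exact-match masker would catch it"
    else
        echo "trace leaks key lines, but not as an exact match"
    fi
    dir=$(mktemp -d) && write_secret_file "$dir/key" SAMPLE_KEY && rm -rf "$dir"
}
demo
```
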