JENKINS-37713: Support reading Vault Token from file on disk

      Description

      Configuring a static Vault token in Jenkins is a relatively major violation of Vault's security model, which relies on finite-lived tokens and authentication. It also relies on the authentication process to limit token use (such as by CIDR block or timeframe).

      Using static tokens means that anyone who can somehow read that token from the Jenkins configuration can use it outside of Jenkins. A trivial example of this is that anyone with access to the Script Console can simply run:

      // Look up the build wrapper's global descriptor by class name...
      def desc = Jenkins.instance.getDescriptor("com.datapipe.jenkins.vault.VaultBuildWrapper")
      // ...and print the configured token
      println(desc.authToken)
      

      And see the plaintext token.

      I'd like to recommend an alternative:

      1. A second configuration option for "Vault Token File", that points to a path on disk (either absolute or, easier, within JENKINS_HOME) that contains the token to use for Vault.
      2. Every time the Build Wrapper is run in a job, the contents of that file are read from disk, stripped of whitespace, and used as the token.

      A sidecar process (anything else running on the server) is responsible for writing that file. Since it's read as part of every build process, this makes it simple (both overall, and from the plugin's perspective, since all it needs to do is read the file) to have any other process on the system authenticate to Vault and write short-lived tokens (i.e. 1-5 minute lifetime) to that file.

      Especially given how Vault's authentication methods are changing, how many there already are, and how complicated some of them can be, this allows the user to manage the out-of-band token provisioning mechanism, while still maintaining the possibility of having short-lived tokens.
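The sidecar half of the proposal, as an added example that is not from the issue reporter, the plugin, or the linked pull request: a small Python process that authenticates to Vault, writes a short-lived token to the file the plugin will read, and re-authenticates before the lease runs out. It also models the plugin-side read (load the file, strip whitespace) so the two halves can be checked together. AppRole as the auth method, the environment-variable names, the token file path under JENKINS_HOME, and the refresh-at-half-lease interval are all assumptions for illustration, and the `post` hook exists only so the exchange can be exercised without a Vault server.

```python
import json
import os
import tempfile
import time
import urllib.request


def vault_login_approle(vault_addr, role_id, secret_id, post=None):
    """Log in to Vault with AppRole; return (client_token, lease_duration_seconds).

    `post` is injectable so the exchange can be exercised offline; by default it
    performs the real HTTP POST to /v1/auth/approle/login.
    """
    url = vault_addr.rstrip("/") + "/v1/auth/approle/login"
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    if post is None:
        def post(url, body):
            req = urllib.request.Request(
                url, data=body, method="POST",
                headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read())
    auth = post(url, body)["auth"]
    return auth["client_token"], int(auth["lease_duration"])


def write_token_file(path, token):
    """Publish `token` at `path` atomically, readable only by the owner.

    A build that reads the file while the sidecar is rotating must see either
    the old token or the new one, never an empty or half-written file, so the
    token is written to a temp file in the same directory and renamed into
    place. mkstemp already creates the temp file with mode 0600; the fchmod
    just makes that explicit.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".vault-token.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(fd, 0o600)
            f.write(token + "\n")
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def read_token_file(path):
    """Model of the plugin-side read: load the file at build time, strip whitespace.

    Rejects an empty file (sidecar has not written yet) and a file holding more
    than one token, both of which would otherwise surface as a confusing
    403 from Vault mid-build.
    """
    with open(path, encoding="utf-8") as f:
        token = f.read().strip()
    if not token:
        raise ValueError("%s is empty: has the sidecar written a token yet?" % path)
    if any(c.isspace() for c in token):
        raise ValueError("%s holds more than one line/token" % path)
    return token


def refresh_once(vault_addr, role_id, secret_id, token_path, post=None):
    """One sidecar iteration: log in, publish the token, return its lease in seconds."""
    token, lease = vault_login_approle(vault_addr, role_id, secret_id, post)
    write_token_file(token_path, token)
    return lease


def run_sidecar(vault_addr, role_id, secret_id, token_path, post=None):
    """Re-authenticate at half the lease so the file never holds an expired token."""
    while True:
        lease = refresh_once(vault_addr, role_id, secret_id, token_path, post)
        time.sleep(max(5, lease // 2))


if __name__ == "__main__":
    # Hypothetical deployment: AppRole credentials come from the environment and
    # the token file lives inside JENKINS_HOME, as the issue suggests.
    run_sidecar(
        os.environ["VAULT_ADDR"],
        os.environ["VAULT_ROLE_ID"],
        os.environ["VAULT_SECRET_ID"],
        os.environ.get("VAULT_TOKEN_FILE", "/var/lib/jenkins/vault-token"),
    )
```

Two caveats worth keeping in mind. First, the file is only as private as its permissions and the Jenkins process account: anyone with Script Console access can still read it from Groovy just as easily as they could read the descriptor field, so the gain is that what they obtain expires in minutes rather than never. Second, because the plugin reads the file on every build, the sidecar's refresh interval has to stay well inside the token lifetime (the issue's 1 to 5 minutes), otherwise builds that start near the boundary get a token that is already dead.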

          Activity

          ptierno Peter Tierno added a comment -

          Jason Antman I agree with your thoughts on this and will be adding this in the next release.

          tobilarscheid Tobias Larscheid added a comment -

          Support was added with this PR: https://github.com/jenkinsci/hashicorp-vault-plugin/pull/5

          Should be released soon.

          ptierno Peter Tierno added a comment -

          This is released in 1.4, allow some time for it to update in the update center.


            People

            • Assignee: ptierno Peter Tierno
            • Reporter: jantman Jason Antman
            • Votes: 3
            • Watchers: 5