Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-56927

Request: EC2 plugin should use SSH keys via credentials plugin

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: In Progress (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: ec2-plugin
    • Labels:
      None
    • Environment:
      EC2 plugin: 1.4.2
      Jenkins: 2.150.3
    • Similar Issues:

      Description

      The Ec2 plugin currently requires that you insert SSH private key manually, so it shows up in the UI, which is a security concern. The EC2 plugin should support the use of the credentials plugin so the SSH private key does not need to be exposed to viewers of the "Configure System" page.

        Attachments

          Issue Links

            Activity

            Hide
            kinnairdm Kinnaird McQuade added a comment -

            FABRIZIO MANFREDI any thoughts on this?

            Show
            kinnairdm Kinnaird McQuade added a comment - FABRIZIO MANFREDI any thoughts on this?
            Hide
            thoulen FABRIZIO MANFREDI added a comment -

            I will put in the backlog for the 1.45, if you have time to provide a pull request for that I will be happy to review it

            Show
            thoulen FABRIZIO MANFREDI added a comment - I will put in the backlog for the 1.45, if you have time to provide a pull request for that I will be happy to review it
            Hide
            jbochenski Jakub Bochenski added a comment -

            Also if you want to use JCasC it will force you to enter the ssh key in plaintext in JCasC yaml

            Show
            jbochenski Jakub Bochenski added a comment - Also if you want to use JCasC it will force you to enter the ssh key in plaintext in JCasC yaml
            Hide
            kinnairdm Kinnaird McQuade added a comment - - edited

            FABRIZIO MANFREDI - any updates on this? This is a pretty serious security issue.

            Jakub Bochenski - we do check in our JCasC to Git, but the SSH key isn't rendered when it's in Git. We followed this approach:

            • Terraform generates the SSH key
            • JCasC is in a templates/jcasc.yml file
            • Terraform uses the `template_file` data source to inject parameters into the template file
            • Private key is loaded into the build file properly using `jsonencode` and `chomp` Terraform functions
            • aws_s3_object is used to take the rendered template and load it to a locked down S3 bucket.
            • We used [my-bloody-jenkins](https://github.com/odavid/my-bloody-jenkins) and passed in the S3 object key location into the container via environment variables. This container runs on AWS ECS with a Task role that is permitted to access the S3 bucket. This way, it can grab it at launch.
              • Additionally, all secrets are set via AWS Parameter store, so they are accessible as environment variables on the container, which JCasC then reads.

            It's a sound workaround, but still, the private key is still embedded in the JCasC at some point. At least in this case, the private key is not checked into Git, but it's still stored as part of the JCasC file in S3. They need to fix this ASAP.

            Show
            kinnairdm Kinnaird McQuade added a comment - - edited FABRIZIO MANFREDI  - any updates on this? This is a pretty serious security issue. Jakub Bochenski  - we do check in our JCasC to Git, but the SSH key isn't rendered when it's in Git. We followed this approach: Terraform generates the SSH key JCasC is in a templates/jcasc.yml file Terraform uses the `template_file` data source to inject parameters into the template file Private key is loaded into the build file properly using `jsonencode` and `chomp` Terraform functions aws_s3_object is used to take the rendered template and load it to a locked down S3 bucket. We used [my-bloody-jenkins] ( https://github.com/odavid/my-bloody-jenkins ) and passed in the S3 object key location into the container via environment variables. This container runs on AWS ECS with a Task role that is permitted to access the S3 bucket. This way, it can grab it at launch. Additionally, all secrets are set via AWS Parameter store, so they are accessible as environment variables on the container, which JCasC then reads. It's a sound workaround, but still, the private key is still embedded in the JCasC at some point. At least in this case, the private key is not checked into Git, but it's still stored as part of the JCasC file in S3. They need to fix this ASAP.
            Hide
            kinnairdm Kinnaird McQuade added a comment -

            I don't have the expertise to make this kind of modifications, unfortunately. Also don't have the time to do it.

            Show
            kinnairdm Kinnaird McQuade added a comment - I don't have the expertise to make this kind of modifications, unfortunately. Also don't have the time to do it.
            Hide
            jbochenski Jakub Bochenski added a comment -

            Kinnaird McQuade thanks for sharing your workaround. I think you'll agree that having credentials plugin support would make be better than jumping all those hoops?

            Show
            jbochenski Jakub Bochenski added a comment - Kinnaird McQuade thanks for sharing your workaround. I think you'll agree that having credentials plugin support would make be better than jumping all those hoops?
            Hide
            thoulen FABRIZIO MANFREDI added a comment -

            With the new release the private key is no longer visible. For the integration with secret manager i don't have an ETA

            Show
            thoulen FABRIZIO MANFREDI added a comment - With the new release the private key is no longer visible. For the integration with secret manager i don't have an ETA

              People

              • Assignee:
                thoulen FABRIZIO MANFREDI
                Reporter:
                kinnairdm Kinnaird McQuade
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated: