
"Filter by AWS secret namespace ID" not working

      Description

      I created credentials like this: 

      aws secretsmanager create-secret --name 'jks/DB_USER_XXXXX' --secret-string 'zzzzzz' --tags 'Key=jenkins:credentials:username,Value=uuuuu' --description 'dddddddd'   

      Then I used the documented policy template: https://github.com/jenkinsci/aws-secrets-manager-credentials-provider-plugin/blob/master/docs/iam/secret-namespace-id.json to filter credentials by a namespace. 

      My complete policy looked like this:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": "secretsmanager:GetSecretValue",
                  "Resource": "arn:aws:secretsmanager:::secret:jks/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "secretsmanager:ListSecrets",
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      } 

      Unfortunately this ends up in this error:

      com.cloudbees.plugins.credentials.CredentialsUnavailableException: Property 'secret' is currently unavailable, reason: Could not retrieve the credential jks/DB_USER_XXXXX from AWS Secrets Manager
      	at io.jenkins.plugins.credentials.secretsmanager.RealAwsCredentials.getSecretValue(RealAwsCredentials.java:44)
      	at io.jenkins.plugins.credentials.secretsmanager.AwsCredentials.getSecretString(AwsCredentials.java:127)
      	at io.jenkins.plugins.credentials.secretsmanager.AwsCredentials.getPassword(AwsCredentials.java:70)
      	at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:78)
      	at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:135) 


      When setting `"Resource": "*"` for `secretsmanager:GetSecretValue` too, it works, but then the namespace filter does not work.
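      The `Resource` ARN in the posted policy has empty region and account fields. IAM compares an empty segment literally rather than as a wildcard, and a Secrets Manager secret ARN always carries a region, an account ID and a random suffix after the secret name, so the format mismatch suspected in the comments can be checked offline before touching the real policy. The following Python script is an added example, not part of this issue or of the plugin; it implements IAM-style `*`/`?` matching for the `Resource` and `Action` elements and evaluates the reported policy against the same policy with explicit wildcards. The sample ARN, its region, account ID and suffix are constructed placeholders.

```python
"""Check IAM Resource patterns for a Secrets Manager namespace filter offline."""
import re

# Constructed sample: the ARN AWS would assign to a secret named jks/DB_USER_XXXXX.
# Region, account ID and the 6-character suffix are placeholders, not real values.
SAMPLE_SECRET_ARN = (
    "arn:aws:secretsmanager:eu-west-1:123456789012:secret:jks/DB_USER_XXXXX-AbCdEf"
)

# Pattern exactly as posted in the report: empty region and account segments.
REPORTED_PATTERN = "arn:aws:secretsmanager:::secret:jks/*"
# Same namespace filter with explicit wildcards in those two segments.
WILDCARD_PATTERN = "arn:aws:secretsmanager:*:*:secret:jks/*"


def iam_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM Action/Resource pattern into an anchored regex.

    IAM patterns support '*' (any run of characters; in a Resource ARN it may
    span segments, including ':' and '/') and '?' (exactly one character).
    Everything else, including an empty segment between two colons, matches
    literally, which is why ':::' does not stand in for 'any region/account'.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def iam_glob_match(pattern: str, value: str) -> bool:
    """True if value matches the IAM-style pattern."""
    return iam_glob_to_regex(pattern).match(value) is not None


def allowed_get_secret_value(policy: dict, secret_arn: str) -> bool:
    """True if some Allow statement grants secretsmanager:GetSecretValue on secret_arn.

    Covers only what this report needs: Allow statements with string-or-list
    Action/Resource, no Deny statements and no Condition blocks.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if not any(iam_glob_match(a, "secretsmanager:GetSecretValue") for a in actions):
            continue
        if any(iam_glob_match(r, secret_arn) for r in resources):
            return True
    return False


def namespace_policy(resource_pattern: str) -> dict:
    """The two-statement policy from the report, parameterised by its Resource pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "secretsmanager:GetSecretValue",
                "Resource": resource_pattern,
                "Effect": "Allow",
            },
            # ListSecrets has no resource-level scoping, so "*" stays here.
            {"Action": "secretsmanager:ListSecrets", "Resource": "*", "Effect": "Allow"},
        ],
    }


if __name__ == "__main__":
    for pattern in (REPORTED_PATTERN, WILDCARD_PATTERN):
        verdict = allowed_get_secret_value(namespace_policy(pattern), SAMPLE_SECRET_ARN)
        print(f"{pattern}: {'allowed' if verdict else 'denied'}")
```

      Running it shows the posted pattern denying the sample secret while the explicit-wildcard pattern allows it and still rejects a secret outside the `jks/` namespace; the trailing `*` after the secret name also stays necessary because of the random suffix AWS appends to every secret ARN.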

            Activity

            chriskilding Chris Kilding added a comment -

            We don't use this feature ourselves (yet) but it was in the AWS documentation, and might be relevant to some plugin users, so I thought I'd better mention it in the README.

            It's quite possible that the ARN filter is not in the right format. Would you be able to toy with it in the AWS CLI and find a filter pattern that does work? Then we could fix the example.

            Have a look at the AWS docs for inspiration: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html 

            chriskilding Chris Kilding added a comment -

            Started work in GitHub PR #20


              People

              • Assignee:
                chriskilding Chris Kilding
              • Reporter:
                imod Dominik Bartholdi