Chris Kilding

The way the plugin works at the moment is loosely like this: 1. At startup a Future is created which knows how to retrieve the credentials using ListSecrets. 2. This...

Just posting the first part of the solution in here. **Comments and suggestions welcome!** My idea is to introduce a concept of **namespaces** to the credentials API plugin, to represent...

For part 2 we can revisit the config schema that was used for the `clients` beta feature: ```yaml unclassified: awsCredentialsProvider: clients: - credentialsProvider: assumeRole: roleArn: "arn:aws:iam::111111111111:role/foo" roleSessionName: "jenkins" - credentialsProvider:...

The basic idea will be to wrap the credentials with the CredentialsWrapper proxy class. This includes the magic ingredient ```java public String getUrlName() { return Util.rawEncode(id); } ``` Which urlencodes...

Just to check I understand the surrounding context right... - Your company has 1 big AWS account for all teams - All teams' secrets are in that account's Secrets Manager...

Also, are the teams able to edit resources in the AWS account besides the locked-down K8S clusters (i.e. can they put their own secrets in Secrets Manager), or does some...

Ok, the first thing to find out is whether you can use AWS profiles to let the Jenkins box hop into the alternate account for Secrets Manager access; if this...

I'm planning to restore a part of the beta `clients` feature which should do what you need. This would expose a `client:` option in the config that would allow you...

The secretAccessKey can be modelled as a Secret rather than a String in the Jenkins model. This ensures that when it's serialised to Jenkins config XML the value will not...

These difficulties are to be expected though: solving the credential bootstrapping problem in Jenkins is hard! Even CasC secrets interpolation just kicks the problem one step further down the road;...