hashicorp-vault-plugin
Is there a way to get the token that the AppRole Auth generates?
With the Jenkins Pipeline, I am able to auth with Vault using the AppRole credentials as shown in the docs:
```groovy
node {
    // define the secrets and the env variables
    // engine version can be defined on secret, job, folder or global.
    // the default is engine version 2 unless otherwise specified globally.
    def secrets = [
        [path: 'secret/testing', engineVersion: 1, secretValues: [
            [envVar: 'testing', vaultKey: 'value_one'],
            [envVar: 'testing_again', vaultKey: 'value_two']]],
        [path: 'secret/another_test', engineVersion: 2, secretValues: [
            [vaultKey: 'another_test']]]
    ]
    // optional configuration, if you do not provide this the next higher configuration
    // (e.g. folder or global) will be used
    def configuration = [vaultUrl: 'http://my-very-other-vault-url.com',
                         vaultCredentialId: 'my-vault-cred-id',
                         engineVersion: 1]
    // inside this block your credentials will be available as env variables
    withVault([configuration: configuration, vaultSecrets: secrets]) {
        sh 'echo $testing'
        sh 'echo $testing_again'
        sh 'echo $another_test'
    }
}
```
Is it possible to use the token generated by this and inject it? The goal is that I have some scripts which will write back into Vault, and if the token generated by the AppRole is available, I can do a vault write or a vault kv put using the token that was generated instead of having to generate a new token by explicitly making use of the role ID & secret ID.
I have the same need. I need to use that token for the Vault Terraform plugin to work properly in my pipeline.
I know for instance that the official Vault GitHub action lets you export that token for use in the pipeline. Does the same functionality exist with this plugin?
@SathyaBhat try using the credentials binding with your approle credential. It works with more than just Vault token credential objects.
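```groovy
withCredentials([[$class: 'VaultTokenCredentialBinding', credentialsId: 'VAULT_TOKEN', vaultAddr: 'https://vault.dev.com']]) {
    // Use sh with a single-quoted Groovy string so the shell expands $VAULT_TOKEN;
    // the echo step with single quotes would print the literal text "$VAULT_TOKEN".
    sh 'echo "My token is $VAULT_TOKEN"'
}
```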
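The binding suggested above applied to the write-back case from the question, as an added example that is not part of the original thread or the plugin's documentation. It assumes that `my-vault-cred-id` is the AppRole credential, that the Vault URL and secret path are placeholders, that the `vault` CLI is installed on the agent, and that the AppRole's policy allows writing to that path.

```groovy
node {
    // Assumed values: 'my-vault-cred-id' is the AppRole credential from the question;
    // the Vault URL and the secret path/key are placeholders.
    withCredentials([[$class: 'VaultTokenCredentialBinding',
                      credentialsId: 'my-vault-cred-id',
                      vaultAddr: 'https://vault.example.com']]) {
        // Single-quoted Groovy string: the shell expands the variables, so the
        // token is never interpolated into the script text by Groovy.
        sh '''
            set -eu
            set +x   # keep the commands and their arguments out of the build log
            # The vault CLI picks up VAULT_ADDR and VAULT_TOKEN from the environment
            # (the binding's default variable names).
            vault token lookup >/dev/null   # fail early if the token is unusable
            # "key=-" makes vault read the value from stdin, keeping it out of argv.
            head -c 24 /dev/urandom | base64 | tr -d '[:space:]' |
                vault kv put secret/another_test another_test=-
        '''
    }
}
```

The Terraform Vault provider reads the same `VAULT_ADDR` and `VAULT_TOKEN` environment variables, so a `terraform` step placed inside this block authenticates with the same token.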