aws-secrets-manager-credentials-provider-plugin icon indicating copy to clipboard operation
aws-secrets-manager-credentials-provider-plugin copied to clipboard

Published 20 hours ago verified publisher icon jenkinsci

Support defining file credentials as SecretString

Open sebhopley opened this issue 4 years ago • 4 comments

Hi, I am proposing this change to resolve issue 131.

This changes allows someone to set a SecretString (in UTF8) as the secret file content instead of a SecretBinary.

I've provided a test for this, please let me know if you need additional testing.

Seb

  • [x] Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • [x] Ensure that the pull request title represents the desired changelog entry
  • [x] Please describe what you did
  • [x] Link to relevant issues in GitHub or Jira
  • [x] Link to relevant pull requests, esp. upstream and downstream changes
  • [x] Ensure you have provided tests - that demonstrates feature works or fixes the issue

sebhopley avatar Nov 01 '21 14:11 sebhopley

An update: I would like the dual string-or-secretbytes supplier in CredentialFactory to be used only with the Secret File type, as the other credential types don't need this behaviour. The implementation currently enables this behaviour for all credential types. Would you be able to create a separate StringOrSecretBytesSupplier inner static class within CredentialFactory that implements this behaviour, and pass it to the constructor of AwsFileCredentials?

chriskilding avatar Dec 14 '21 17:12 chriskilding

Hi, sorry for the late response, yeah I'll make that change

sebhopley avatar Jan 04 '22 15:01 sebhopley

So I went and looked at the code again, for both cases where SecretBytesSupplier is used we are hoping to use string secrets (in a similar way to the ssh key secret). Going to the conversation in the linked issue https://github.com/jenkinsci/aws-secrets-manager-credentials-provider-plugin/issues/131 I feel like the suggestion there to catch a failure to use UTF8 encoding and throw a descriptive error seems better than blanket not allowing this. Also as talked about, enforcing using the command line can be problematic (and means a user needs access keys) vs using the aws console.

Open to suggestions on what you would like to see to go forward with the change.

sebhopley avatar Jan 05 '22 13:01 sebhopley

By both cases, do you mean the Certificate credentials type as well? As far as I know the certificate's keystore is supplied by a PKCS#12 (.p12) file, which is exclusively a binary file format.

chriskilding avatar Jan 11 '22 10:01 chriskilding