aws-secrets-manager-credentials-provider-plugin
aws-secrets-manager-credentials-provider-plugin copied to clipboard
Published
20 hours ago •
jenkinsci
jenkinsci
Support AWS Systems Manager Parameter Store
Allow Jenkins to look up credentials in AWS Parameter Store. (They will be stored as Secure String parameters https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-securestring.html).
Moved from JENKINS-60132
Rationale
- Storing credentials in Parameter Store can be cheaper than storing them in Secrets Manager.
- TODO anything else?
Questions
- Does this belong in its own project/plugin or is there opportunity for code reuse as part of aws-secrets-manager-credentials-provider-plugin?
Constraints
- Jenkins should be able to source credentials from both Secrets Manager and Parameter Store. (Using one should not rule out using the other.)
- If Jenkins encounters an error looking up secrets in one of the services, this should not impede lookups in the other. (An exception from a Secrets Manager API call should not break secret resolution in Parameter Store if PS is still functioning.)
- Tag naming conventions should be shared in both PS and SM. (Eg a username tag should be called jenkins:credentials:username in PS, just like it is in SM today.)
Comparison of services
| Feature | Secrets Manager | Standard Parameter | Advanced Parameter |
|---|---|---|---|
| Max Size | 10.24kb | 4kb | 8kb |
| Monthly cost per secret | $0.40 | Free | $0.05 |
| IAM per-secret policy | Yes | No | Yes |
| Max API calls per sec (retrieval) | 1,500 ($) | 40 (free)1,000 ($) | 40 ($)1,000 ($) |
| Max num secrets | 40,000 | 10,000 | 100,000 |
| String secrets | Yes | Yes | Yes |
| Binary secrets | Yes | No | No |
