
Question: How to get all values dynamically

Open RezaRahmati opened this issue 3 years ago • 9 comments

I need to get all the secrets at once dynamically, so that values can actually be added and removed; I am trying to make it dynamic so that I don't need to update the CI/CD pipeline each time.

For example I want to get all values under pc-mobile/api/dev/api-env-vars


RezaRahmati avatar Mar 23 '21 16:03 RezaRahmati

Not currently supported.

jetersen avatar Mar 23 '21 16:03 jetersen

I'm also interested in this, specifically I was looking at getting all the keys in a secret as JSON the way you can with the CLI tool. Is this something that's blocked by #110?

jamesrobson-secondmind avatar Apr 01 '21 16:04 jamesrobson-secondmind

Consider me a +1 for this as well. Any plans to support this? Is it even possible?

The Vault plugin is great because it allows me to pull secrets from Vault for use in a container running in k8s without having to have the vault CLI installed in that container image (thus bloating it/making it more difficult to manage).

With the Vault CLI, we can read these types of JSON formatted secrets and get the whole JSON block as output. It would be great feature parity if the plugin could do the same, say by omitting the vaultKey from the secret definition (basically saying, "don't give me a particular key, just give me everything in this secret as raw JSON").

medavisjr avatar Sep 15 '21 01:09 medavisjr

It would be handy to have such an option.

vvatlin avatar May 05 '22 09:05 vvatlin

I had some ideas on how to reimplement the HashiCorp Vault plugin to do something similar to Azure Key Vault. That is to say, the Azure Key Vault plugin is a credential provider and will discover secrets in the vault and expose them as Jenkins Credentials.

Sadly, HashiCorp Vault does not offer metadata (attributes/tags/labels), but based on a convention in the secret object we could attempt to support different secret objects.

So, for instance, if USERNAME and PASSWORD are in the secret, it would be a username/password secret, etc.

Maybe the HashiCorp Vault credentials provider in Jenkins would need to look for a key in the object like JENKINS_SECRET:

{
  "JENKINS_SECRET": true,
  "USERNAME": "bob",
  "PASSWORD": "uncle"
}

The provider assumes the credential id comes from the path: secrets/my/path/to-secret translates to a credential id of my-path-to-secret.

WDYT @timja ?

jetersen avatar May 05 '22 10:05 jetersen
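An added example (not code from the plugin or from the commenter) of the convention-based discovery sketched in the comment above: a JENKINS_SECRET marker, key names deciding the credential kind, and the Vault path translated into a credential id. The sample secrets, the base path "secrets", and the kind names "usernamePassword"/"secretText" are assumptions for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Marker key from the comment above; a secret without it is ignored by the provider.
MARKER_KEY = "JENKINS_SECRET"
# Constructed sample data, shaped like the `data` field of Vault KV secrets.
SAMPLE_SECRETS = {
    "secrets/my/path/to-secret": {"JENKINS_SECRET": True, "USERNAME": "bob", "PASSWORD": "uncle"},
    "secrets/my/path/api-token": {"JENKINS_SECRET": True, "TOKEN": "t0k3n"},
    "secrets/my/path/plain": {"USERNAME": "x", "PASSWORD": "y"},  # no marker: not exposed
}

def credential_id_from_path(path: str, base_path: str = "secrets") -> str:
    """secrets/my/path/to-secret -> my-path-to-secret (strip base path, join with '-')."""
    parts = [p for p in path.strip("/").split("/") if p]
    base = [p for p in base_path.strip("/").split("/") if p]
    if parts[:len(base)] == base:
        parts = parts[len(base):]
    if not parts:
        raise ValueError(f"{path!r} has no segments below base path {base_path!r}")
    cred_id = "-".join(parts)
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", cred_id):  # keep ids pipeline-safe
        raise ValueError(f"derived id {cred_id!r} has unsupported characters")
    return cred_id

def classify(data: dict) -> Optional[Tuple[str, dict]]:
    """Key-name convention: USERNAME+PASSWORD -> usernamePassword, exactly one other key
    -> secretText (hypothetical kind names); None if unmarked or no convention matches."""
    if data.get(MARKER_KEY) is not True:
        return None
    payload = {k: v for k, v in data.items() if k != MARKER_KEY}
    if {"USERNAME", "PASSWORD"} <= set(payload):
        return "usernamePassword", {"username": payload["USERNAME"], "password": payload["PASSWORD"]}
    if len(payload) == 1:
        return "secretText", {"secret": next(iter(payload.values()))}
    return None

def discover(secrets: Dict[str, dict], base_path: str = "secrets") -> Dict[str, Tuple[str, dict]]:
    """id -> (kind, fields); id collisions (e.g. a-b/c vs a/b-c) raise rather than overwrite."""
    found: Dict[str, Tuple[str, dict]] = {}
    for path, data in secrets.items():
        result = classify(data)
        if result is None:
            continue
        cred_id = credential_id_from_path(path, base_path)
        if cred_id in found:
            raise ValueError(f"credential id collision: {cred_id!r} from {path!r}")
        found[cred_id] = result
    return found
```

The collision check matters because the path-to-id translation is lossy: a hyphen in a path segment and a path separator both become "-", so two different Vault paths can claim the same Jenkins credential id.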

Yeah, that could be good; you can also configure the credential provider if you want to set up something like a base path.

Azure Key Vault does this with the metadata approach (tags), but convention would work too.

timja avatar May 05 '22 14:05 timja

The Vault Secret File can do this: if you do not set a specific key, you will get a file containing the entire secret as JSON. Although you will probably need to wait until #201 has been fixed for this to be available to you.

jamesrobson-secondmind avatar May 06 '22 09:05 jamesrobson-secondmind

@jamesrobson-secondmind rewriting it to a credential provider would completely avoid this issue in #201.

jetersen avatar May 06 '22 10:05 jetersen

I am also interested in this; any plans to have this feature?

allahshukur-ahmadzada avatar Sep 29 '22 04:09 allahshukur-ahmadzada