hashicorp-vault-plugin
How to integrate with AWS dynamic secrets?
Hello,
We are trying to configure the Jenkins Vault URL and credentials with AWS dynamic secrets. This seems to be working with AppRole, but we are not sure how to configure it with AWS. We need to understand how we actually generate the AWS secret dynamically with the Jenkins Vault plugin. Any code reference would be helpful.
Hello. AWS dynamic secrets are an important part of CI/CD. Please help me understand how I can use them.
Just found an alternative https://subhasisray.medium.com/vault-integration-with-jenkins-and-aws-authentication-da68a084e36c
I was struggling with the same: accessing the AWS backend to dynamically generate IAM credentials. I was able to get it working in my pipeline using the following:
```groovy
stage('Vault-Test') {
    steps {
        withVault(
            configuration: [
                timeout: 60,
                // aws/creds is not a KV store: engineVersion 1 keeps the path as-is
                engineVersion: 1,
                vaultCredentialId: 'my-approle',
                vaultUrl: 'https://my-vault.net'
            ],
            vaultSecrets: [
                [
                    path: 'aws/creds/my-iam-role',
                    // fields of the aws/creds response mapped onto AWS CLI env vars
                    secretValues: [
                        [envVar: 'AWS_SECRET_ACCESS_KEY', vaultKey: 'secret_key'],
                        [envVar: 'AWS_ACCESS_KEY_ID', vaultKey: 'access_key'],
                        [envVar: 'AWS_SESSION_TOKEN', vaultKey: 'security_token']
                    ]
                ]
            ]
        ) {
            script {
                sh '''
                    aws sts get-caller-identity
                '''
            }
        }
    } // end steps
} // end stage
```
In my case, the key was setting `engineVersion: 1`. The plugin was assuming the secret was a KV, and was prefixing the secret path with `data`, i.e. `aws/data/creds/my-role`. See the Vault docs for the differences between v1 and v2.
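As an added illustration of why `engineVersion` matters (my own code, not the plugin's source and not part of muroj's answer), the script below builds the path the plugin would read for each engine version and maps a constructed `aws/creds` response onto the same env vars the pipeline above uses. The path-rewriting rule and the `engineVersion` argument are my assumptions based on the behaviour described in the thread; the sample Vault response is constructed.

```python
import json

# Same vaultKey -> envVar mapping as the secretValues in the pipeline above.
SECRET_VALUES = {
    "access_key": "AWS_ACCESS_KEY_ID",
    "secret_key": "AWS_SECRET_ACCESS_KEY",
    "security_token": "AWS_SESSION_TOKEN",
}

# Constructed sample of a read of aws/creds/<role> (credential_type iam_user):
# a flat "data" object with no KV v2 "data.data" nesting, and security_token
# is null because IAM user access keys carry no session token.
SAMPLE_AWS_CREDS = json.loads("""{
  "lease_id": "aws/creds/my-iam-role/EXAMPLE-LEASE-ID",
  "renewable": true,
  "lease_duration": 3600,
  "data": {"access_key": "AKIAEXAMPLE000000000",
           "secret_key": "EXAMPLE/SECRET/KEY",
           "security_token": null}
}""")


def effective_read_path(path: str, engine_version: int) -> str:
    """Path actually read: KV v2 layout inserts 'data' after the mount (assumed rule)."""
    mount, _, rest = path.partition("/")
    if engine_version == 2:
        return f"{mount}/data/{rest}"   # aws/creds/x -> aws/data/creds/x, not an aws engine path
    return path                          # engineVersion 1: passed through unchanged


def creds_to_env(response: dict, engine_version: int) -> dict:
    """Map the secret fields onto env vars; fail loudly on an engine/shape mismatch."""
    data = response["data"]
    if engine_version == 2:
        if "data" not in data:
            raise ValueError("response is not KV v2 shaped; use engineVersion: 1 for aws/")
        data = data["data"]
    # Skip null fields so AWS_SESSION_TOKEN stays unset for iam_user credentials.
    return {env: data[key] for key, env in SECRET_VALUES.items() if data.get(key) is not None}


def lease_window(response: dict) -> tuple:
    """Lease id and TTL in seconds: the keys are only valid this long, and the
    lease id is what a revoke call needs once the job has finished."""
    return response["lease_id"], int(response["lease_duration"])


if __name__ == "__main__":
    print(effective_read_path("aws/creds/my-iam-role", 1))
    print(creds_to_env(SAMPLE_AWS_CREDS, 1))
    print(lease_window(SAMPLE_AWS_CREDS))
```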
@muroj Excellent! Good job! Thank you so much! It works. You are a genius!