
Segment permissions for jobs by giving them only specific policies

bluesliverx opened this issue 2 years ago (open, 0 comments)

What feature do you want to see added?

We run a somewhat large Jenkins cluster with 1k+ jobs configured on it. We currently use token auth, but would like to move to an AppRole instead. Currently we have a single policy in Vault for all of our jobs so that Jenkins just has access to a ton of "stuff", usually where a single job only needs a secret or two and that's it. We want the ability to segment our policies so that jobs have the principle of least privilege.

Something that we've seen in orchestrator-type platforms (i.e. Salt) is the ability to auth with an AppRole and then hand only specific policies to minions. This could be implemented in the Vault Jenkins plugin by allowing us to define policies given to jobs, with the ability to template the policy given to the job with things like "folder name", "job name" (full name), etc.

An example of a policy list may be:

  • my-policies/policy-common
  • my-policies/policy-{job_folder}
  • my-policies/policy-{job_name}

I know this is possible with Vault since Salt does it already, so it would just be implementing a simple pattern to replicate it in this plugin. Backwards compatibility would be maintained by assigning all policies to tokens generated by the approle when no policies were specified for jobs. Thus they would "inherit" all policies assigned to the approle.

Upstream changes

None

bluesliverx, Mar 23 '22 19:03
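As an added illustration of the templating and fallback described in this request (example code written for this page, not the plugin's own), assuming the `{job_folder}`/`{job_name}` placeholders above, a hypothetical sanitisation rule for job names, and Vault's default rule that a child token may only carry a subset of its parent token's policies:

```python
import re

# Vault stores policy names lowercased; characters outside this set are replaced
# so a job named "My Job (v2)" still renders to a usable policy name. The
# allowed set is an assumption of this example, not a Vault rule.
_SAFE = re.compile(r"[^a-z0-9_./-]+")

def _sanitize(s: str) -> str:
    return _SAFE.sub("-", s.lower()).strip("-") or "unnamed"

def job_variables(full_name: str) -> dict:
    """Split a Jenkins full job name ('team/svc/build') into template variables."""
    parts = full_name.strip("/").split("/")
    folder = "/".join(parts[:-1])  # empty for a top-level job
    return {
        "job_name": _sanitize("/".join(parts)),
        "job_folder": _sanitize(folder) if folder else "root",
        "job_short_name": _sanitize(parts[-1]),
    }

def render_policies(templates, full_name, approle_policies):
    """Policies to request for one job.

    Backwards compatible: with no templates configured the job inherits every
    AppRole policy (today's behaviour). Otherwise each rendered name must be one
    the AppRole already holds: by default Vault only issues child tokens whose
    policies are a subset of the parent token's, so a template typo fails here,
    at configuration time, instead of as a permission error inside the build.
    """
    if not templates:
        return sorted(approle_policies)
    rendered = [t.format(**job_variables(full_name)) for t in templates]
    missing = sorted(set(rendered) - set(approle_policies))
    if missing:
        raise ValueError(f"policies not held by the AppRole: {missing}")
    return rendered

def token_create_payload(policies, ttl="15m"):
    """Body for POST /v1/auth/token/create, sent with the AppRole's own token."""
    return {"policies": list(policies), "ttl": ttl, "renewable": False}

if __name__ == "__main__":
    # Constructed sample configuration: the three templates from the request and
    # the policy set the AppRole is assumed to hold.
    templates = ["my-policies/policy-common",
                 "my-policies/policy-{job_folder}",
                 "my-policies/policy-{job_name}"]
    held = {"my-policies/policy-common", "my-policies/policy-platform",
            "my-policies/policy-platform/deploy", "my-policies/policy-other"}
    print(token_create_payload(render_policies(templates, "platform/deploy", held)))
```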