I have enabled all required auth, secret engines and policies on the Vault side.
I have configured a test VaultSSHUsernamePassword credential to try and fetch from vault (a secret I have previously created on vault)
I am using the 'Test Vault Secrets Retrieval' button to test it and am getting this error:
FAILED to retrieve username key:
com.datapipe.jenkins.vault.exception.VaultPluginException: Key username could not be found in path kv/test
I have tried to fetch the credential via a pipeline job but am getting an 'Access Denied' error.
The only way I got this to work was to access the vaultAWSCredential credential via the Jenkins UI and re-save the form (without changing anything); from that point all secret fetching started to work.
I then re-cycled the vault container and again the errors appeared. I then proceeded to re-save the form again and everything started working. I repeated this several times and have confirmed that this is the only change I made to make this work.
I also started the Vault container with debug logs, and it seems that until I re-save the form and try to fetch secrets, no logs are written on the Vault side in regard to secret fetching; when I re-save the form and try to fetch secrets I do see logs relating to auth:
auth.aws.auth_aws_d6a5be79: submitting caller identity request: endpoint=https://sts.amazonaws.com
identity: creating a new entity...
Another change I noticed is that when trying to fetch secrets before re-saving the form, the Jenkins log shows the following:
com.datapipe.jenkins.vault.credentials.common.VaultHelper getVaultSecret
Retrieving vault secret path=kv/test engineVersion=2
com.datapipe.jenkins.vault.credentials.common.VaultHelper retrieveVaultCredentials
Retrieving vault credential ID : vaultAWSCredential
com.datapipe.jenkins.vault.credentials.AbstractVaultTokenCredentialWithExpiration
Expiration for is java.util.GregorianCalendar ....
com.datapipe.jenkins.vault.credentials.AbstractVaultTokenCredentialWithExpiration
Auth token is still valid for policies ''
But when re-saving the form and fetching secrets the logs read as:
jonkipu changed the title from "Plugin auth using AWS IAM doesn't work unless I re-save the Jenkins Credential" to "Plugin auth using AWS IAM doesn't work unless I re-save the Jenkins Credential form in the Jenkins UI" on May 16, 2024.
Added some debug logs to the plugin and rebuilt it. It seems that this stems from the plugin caching its auth token with Vault; when restarting Vault to test, I guess the token was still cached (although I saw no logs in Vault to match this). When updating the credentials I guess it must have reset the token's expiry and generated a new token.
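As an added illustration, not the plugin's own code: a constructed simulation of the caching behaviour the comment above describes, with a fake Vault that forgets every issued token when restarted and a client that either trusts only its locally tracked expiry or discards the cached token as soon as the server rejects it. The names FakeVault, CachingClient and scenario are assumptions of this example.

```python
import time

class FakeVault:  # constructed stand-in for Vault; tokens live only in memory
    def __init__(self):
        self.tokens = {}   # token -> expiry (epoch seconds)
        self.logins = 0

    def login(self, ttl=3600):
        self.logins += 1
        token = f"hvs.constructed-{self.logins}"
        self.tokens[token] = time.time() + ttl
        return token, ttl

    def read(self, token, path):
        if self.tokens.get(token, 0.0) < time.time():
            return 403, {"errors": ["permission denied"]}
        return 200, {"data": {"username": "svc", "password": "constructed"}}

class CachingClient:
    """Reuses its token until the locally tracked expiry, as the report describes."""
    def __init__(self, vault, retry_on_denied):
        self.vault, self.retry_on_denied = vault, retry_on_denied
        self.token, self.expires = None, 0.0

    def _token(self, force=False):
        if force or self.token is None or time.time() >= self.expires - 30:
            self.token, ttl = self.vault.login()
            self.expires = time.time() + ttl
        return self.token

    def read_secret(self, path):
        status, body = self.vault.read(self._token(), path)
        if status == 403 and self.retry_on_denied:
            # The server rejected a token the cache still thinks is valid:
            # discard it and log in again once before giving up.
            status, body = self.vault.read(self._token(force=True), path)
        if status != 200:
            raise PermissionError(body["errors"][0])
        return body["data"]

def scenario(retry_on_denied):
    """Fetch a secret, restart Vault (tokens lost), fetch again."""
    vault = FakeVault()
    client = CachingClient(vault, retry_on_denied)
    client.read_secret("kv/test")
    vault.tokens.clear()   # like re-cycling the Vault container
    try:
        return client.read_secret("kv/test")["username"] == "svc", vault.logins
    except PermissionError:
        return False, vault.logins
```

With retry_on_denied=False the second fetch fails after the restart although the cached token has not locally expired; with True the client re-authenticates once and succeeds, which is the effect re-saving the credential form had in the report.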
Jenkins and plugins versions report
Environment
What Operating System are you using (both controller, and any agents involved in the problem)?
Only controller is involved, running Alpine Linux
Reproduction steps
I'm using AWS IAM auth to auth to my Vault instance (non-cluster)
Using CasC to configure the plugin and credential for it:
Expected Results
Secret fetching should work out of the box
Actual Results
Errors about secret not being found at path or access denied
Anything else?
No response
Are you interested in contributing a fix?
No response