{jenkins-plugin-info:hashicorp-vault-plugin}

This plugin adds a build wrapper to set environment variables from a HashiCorp Vault secret. Secrets are generally masked in the build log, so you can't accidentally print them.

Migration Guide

Upgrade from 1.x to 2.0

The BuildWrapper did not change, so no changes to your Jenkinsfile should be necessary. However, you need to reconfigure Vault in your Jenkins instance based on the instructions above. There is no way to smoothly upgrade this, because this is a major rewrite and handling of configuration completely changed.

Vault Authentication Backends

This plugin allows authenticating against Vault using the AppRole authentication backend. Hashicorp recommends using AppRole for Servers / automated workflows (like Jenkins) and using Tokens (default mechanism, Github Token, ...) for every developer's machine. Furthermore, this plugin allows using a Github personal access token, or a Vault Token - either configured directly in Jenkins or read from an arbitrary file on the Jenkins Machine.

How does AppRole work?

In short: you register an approle auth backend using a self-chosen name (e.g. Jenkins). This approle is identified by a `role-id` and secured with a `secret_id`. If you have both of those values you can ask Vault for a token that can be used to access vault.
When registering the approle backend you can set a couple of different parameters:

This is just a short introduction, please refer to HashiCorp itself to get detailed information.

What about other backends?

Hashicorp explicitly recommends the AppRole Backend for machine-to-machine authentication. Token based auth is mainly supported for backwards compatibility.
Another backend that might make much sense is the AWS EC2 backend, but we do not support it yet. Feel free to contribute!

Implementing additional authentication backends is actually quite easy:

Simply provide a class implementing VaultTokenCredential that contains a Descriptor extending BaseStandardCredentialsDescriptor.
The Descriptor needs to be annotated with @Extension. Your credential needs to know how to authenticate with Vault and provide an authenticated Vault session.

See VaultAppRoleCredential.java for an example.

Plugin Usage

Configuration

You can configure the plugin on three different levels:

The lower the level the higher its priority, meaning: if you configure a URL in your global settings, but override it in your particular job, this URL will be used for communicating with Vault.

In your configuration (may it be global, folder or job) you see the following screen:

The credential you provide determines what authentication backend will be used.
Currently, there are three different Credential Types you can use:

Vault App Role Credential

You enter your role-id and secret-id there. The description helps to find your credential later, the id is not mandatory (a UUID is generated by default), but it helps to set it if you want to use your credential inside the Jenkinsfile.

Vault Token Credential

Directly specify a token to be used when authenticating with vault.

Vault Token File Credential

Basically the same as the Vault Token Credential, just that the token is read from a file on your Jenkins Machine.
You can use this in combination with a script that periodically refreshes your token.

Usage in FreeStyle Jobs

If you still use free style jobs (hint: you should consider migrating to Jenkinsfile), you can configure both configuration and the secrets you need on the job level.

The secrets are available as environment variables then.

Usage via Jenkinsfile

With version 2.3.0, we added a "withVault" symbol and made "envVar" optional as shown in the second secretValue with "another_test" will use the vaultKey as the envVar.

node {
    // define the secrets and the env variables
    def secrets = [
        [path: 'secret/testing', secretValues: [
            [envVar: 'testing', vaultKey: 'value_one'],
            [envVar: 'testing_again', vaultKey: 'value_two']]],
        [path: 'secret/another_test', secretValues: [
            [vaultKey: 'another_test']]]
    ]

    // optional configuration, if you do not provide this the next higher configuration
    // (e.g. folder or global) will be used
    def configuration = [vaultUrl: 'http://my-very-other-vault-url.com',
                         vaultCredentialId: 'my-vault-cred-id']
    // inside this block your credentials will be available as env variables
    withVault([configuration: configuration, vaultSecrets: secrets]) {
        sh 'echo $testing'
        sh 'echo $testing_again'
        sh 'echo $another_test'
    }
}

Before version 2.2.0 and below:

node {
    // define the secrets and the env variables
    def secrets = [
        [$class: 'VaultSecret', path: 'secret/testing', secretValues: [
            [$class: 'VaultSecretValue', envVar: 'testing', vaultKey: 'value_one'],
            [$class: 'VaultSecretValue', envVar: 'testing_again', vaultKey: 'value_two']]],
        [$class: 'VaultSecret', path: 'secret/another_test', secretValues: [
            [$class: 'VaultSecretValue', envVar: 'another_test', vaultKey: 'another_test']]]
    ]

    // optional configuration, if you do not provide this the next higher configuration
    // (e.g. folder or global) will be used
    def configuration = [$class: 'VaultConfiguration',
                         vaultUrl: 'http://my-very-other-vault-url.com',
                         vaultCredentialId: 'my-vault-cred-id']
    // inside this block your credentials will be available as env variables
    wrap([$class: 'VaultBuildWrapper', configuration: configuration, vaultSecrets: secrets]) {
        sh 'echo $testing'
        sh 'echo $testing_again'
        sh 'echo $another_test'
    }
}


In the future we might migrate to a BuildStep instead of a BuildWrapper.

CHANGELOG

Change log moved to Github releases

TODO