Configure Jenkins AWS Secrets Manager Credentials Provider Plugin to Work with Moto Standalone Server
The AWS Secrets Manager Credentials Provider Plugin (SM Plugin) for Jenkins provides the option of specifying a custom service endpoint address. This allows credentials to be sourced from mock AWS services, such as moto server, during local testing of pipelines.
In this post, Docker Compose is used to create a local networked Jenkins/Moto stack, with examples outlining how to configure the plugin and how to store and access a secret.
Running a Local Jenkins/Moto Server Stack using Docker Compose
The sample docker-compose.yml file below can be used to spin up two networked services, i.e. jenkins_master:8080 and motoserver:5000.
docker-compose.yml
version: '3.8'
services:
  # Mock AWS endpoint; reachable from the Jenkins container as http://motoserver:5000
  motoserver:
    image: motoserver/moto:latest
    container_name: motoserver
    ports:
      - 5000:5000
    environment:
      - MOTO_PORT=5000
  jenkins_master:
    image: jenkins/jenkins:lts-jdk11
    user: jenkins
    container_name: jenkins_master
    volumes:
      # Persist Jenkins state (plugins, configuration, credentials) across restarts
      - jenkins_home:/var/jenkins_home
    ports:
      - 8080:8080
      - 50000:50000
volumes:
  jenkins_home:
    name: jenkins_home
Bring up the stack:
$ docker compose up -d
Complete the Jenkins installation process at http://localhost:8080. To keep the containers "light", no plugins were selected for installation during the initial setup process.
Install Plugins
- In addition to the SM Plugin, the Pipeline: Declarative plugin will also be installed to allow for the creation of a test pipeline.
1. AWS Secrets Manager Credentials Provider
Install the SM provider plugin at Dashboard -> Manage Jenkins -> Plugins -> Available Plugins:
2. Pipeline: Declarative
Once both plugins are installed, restart the jenkins_master service by running:
$ docker compose restart jenkins_master
Configure AWS Secrets Manager Credentials Provider Plugin for Moto Endpoint
To configure SM provider plugin:
- Visit Dashboard -> Manage Jenkins -> System
- Scroll to the section AWS Secrets Manager Credentials Provider
- Enter details as shown below:
Cache: Enabled
Credentials Provider: Static
AWS Access Key: testing
AWS Secret Key: testing
Service Endpoint: http://motoserver:5000
Signing Region: US East (N.Virginia)
- Save changes
Creating a Secret
For testing, we'll store a GitHub API key with the value myapisecret using the Moto mock server endpoint.
- After carefully reading the plugin guidelines for creating and tagging secrets, create a secret named git-api-key with the value of the API key above (the jenkins:credentials:type tag is what tells the plugin which Jenkins credential type to expose the secret as):
$ aws --endpoint-url http://localhost:5000 \
    --region us-east-1 secretsmanager create-secret \
    --name 'git-api-key' \
    --secret-string 'myapisecret' \
    --tags 'Key=jenkins:credentials:type,Value=string' \
    --description 'API token'
Output:
{
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:git-api-key-HYBogf",
    "Name": "git-api-key",
    "VersionId": "9491472c-bbd6-4387-89d9-2c9a2d36f758"
}
- The secret should automatically appear at Dashboard -> Manage Jenkins -> Credentials
Note: With credential caching enabled for the plugin, it can take a few minutes before the secret is visible within Jenkins.
Accessing the Secret from a Pipeline
- Create a test pipeline (secrets-manager-plugin-test)
- Use the following pipeline script to access and display the secret to ensure its contents are as expected
pipeline {
    agent any
    stages {
        stage('Fetch Secret - Moto Endpoint') {
            environment {
                AWS_REGION = "us-east-1"
            }
            steps {
                script {
                    withCredentials([string(credentialsId: 'git-api-key', variable: 'GIT_API_KEY')]) {
                        print 'GIT_API_KEY=' + "${GIT_API_KEY}"
                        def charArray = GIT_API_KEY.toCharArray()
                        def passwd = ""
                        for (c in charArray) {
                            passwd += " " + c.toString()
                        }
                        println "the password is" + passwd
                        println "the password is" + passwd.replaceAll(" ", "")
                    }
                }
            }
        }
    }
}
- To circumvent the protection mechanism (masking) implemented by the plugin(s), an iterator and Groovy's toCharArray() are used
- Save the pipeline and run a test build
- Check build output log
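As an added example (not from the original post), a scanner a defender can run over saved console output to catch exactly the leak shown above, where the plugin's masking hides the whole value but not the character-split copy. The sample console text and the credential value are constructed here, and the scanner is assumed to have been given the plaintext values from Secrets Manager (the moto endpoint in this setup) out of band; it also flags long runs of single characters so the pattern is caught even when the value is unknown.

```python
import re

# Constructed sample of Jenkins console output, modelled on what the test
# pipeline above prints: the masked whole value, then the split copy that leaks.
SAMPLE_CONSOLE_LOG = """\
Masking supported pattern matches of $GIT_API_KEY
GIT_API_KEY=****
the password is m y a p i s e c r e t
the password is****
"""

# Characters a per-character loop might insert between the secret's characters.
SEPARATORS = re.compile(r"[\s\-_.:,|]")
# Eight or more single non-space characters, each followed by one space.
CHAR_SPLIT_RUN = re.compile(r"(?:\S ){7,}\S")

def squash(text):
    """Drop separators so a split-up value can be compared as a whole."""
    return SEPARATORS.sub("", text)

def looks_char_split(line):
    """Heuristic for the leak pattern when the secret value itself is unknown."""
    return CHAR_SPLIT_RUN.search(line) is not None

def leak_reason(line, value):
    """How a known secret value appears in a line, or None if it does not."""
    if value in line:
        return "verbatim"
    if squash(value) in squash(line):
        return "separated"
    return None

def find_secret_leaks(log_text, secrets, min_len=8):
    """Return (line_no, credential_id or None, reason, line) for every leak.
    secrets maps credential id to plaintext value, read from Secrets Manager
    (here the moto endpoint) by the scanner; values shorter than min_len are
    skipped because, squashed, they would match ordinary text.
    """
    hits = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        found = False
        for cred_id, value in secrets.items():
            reason = leak_reason(line, value) if len(value) >= min_len else None
            if reason:
                hits.append((no, cred_id, reason, line))
                found = True
        if not found and looks_char_split(line):
            hits.append((no, None, "char-split run", line))
    return hits
```

Running find_secret_leaks(SAMPLE_CONSOLE_LOG, {"git-api-key": "myapisecret"}) flags only line 3, the "separated" copy, while both masked lines pass clean.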