Problem solved: how to fetch a credential stored in Vault during CI tests or deployment?
Context
Commercial products like GitHub Actions issue a signed token (a JWT, JSON Web Token) that asserts the identity of a pipeline run. The token lets the pipeline prove to systems like AWS or Vault that "this code is currently being run by a legitimate pipeline on the org/repo repository".
The relying party verifies that assertion through OpenID Connect (OIDC): it fetches the issuer's signing keys from the issuer's discovery document and checks the token's signature, issuer, audience and expiry before trusting any claim in it. The OpenID Connect Provider Plugin for Jenkins provides a similar workflow for Jenkins pipelines, with Jenkins acting as the identity provider.
The goal of the lab experiment is to authenticate to Vault from a CI pipeline, without any long-lived secret stored in Jenkins, and obtain credentials for a protected resource.
Activity
- Install OpenID Connect Provider Plugin for Jenkins
- Configure a JWT auth method in Vault
- Register the Jenkins identity provider in Vault (issuer discovery URL and a role bound to the token's audience)
- Prepare a Vault policy giving read access to an example secret in the kv store
- Add to a project a Jenkins pipeline that fetches a secret from Vault
- Run the pipeline and confirm credentials can be read
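The steps above as one script, added here as an example for the lab and not code from the oidc-provider plugin or from HashiCorp. The operator half (`setup`) covers steps 2 to 4; the pipeline half (`fetch`) is what the Jenkins job runs once the plugin has bound the id token to an environment variable. Everything named is an assumption to adapt: the Jenkins host `jenkins.example.org`, the issuer path `/oidc` under the Jenkins root (the plugin's default as far as I know), the audience `vault` configured on the Jenkins id-token credential, the role and policy name `jenkins-ci`, the KV v2 mount at `secret/`, and the sample token, which is constructed unsigned for trying the claim decoder offline.

```shell
#!/bin/sh
# Vault + Jenkins OIDC lab script (added example, not the plugin's or Vault's code).
# Assumptions: issuer $JENKINS_URL/oidc, audience "vault" on the Jenkins
# credential, KV v2 mounted at secret/, role and policy named "jenkins-ci".
set -u

JENKINS_URL="${JENKINS_URL:-https://jenkins.example.org}"   # hypothetical host
VAULT_ROLE="jenkins-ci"
SECRET_PATH="secret/ci/example"

# --- operator side (activity steps 2 to 4), run once with an admin token -----
vault_setup() {
  vault auth enable jwt
  # Vault downloads the discovery document and JWKS from Jenkins, so Vault
  # must reach Jenkins over HTTPS with a certificate it trusts.
  vault write auth/jwt/config \
    oidc_discovery_url="$JENKINS_URL/oidc" \
    bound_issuer="$JENKINS_URL/oidc"
  # KV v2 gotcha: the policy path carries "data/" although "vault kv" omits it.
  vault policy write "$VAULT_ROLE" - <<EOF
path "secret/data/ci/example" {
  capabilities = ["read"]
}
EOF
  # bound_audiences rejects tokens minted for another consumer. Tighten with
  # bound_subject / bound_claims once the claims Jenkins emits are known
  # (use jwt_claims below on a real token to see them).
  vault write "auth/jwt/role/$VAULT_ROLE" \
    role_type=jwt \
    bound_audiences="vault" \
    user_claim=sub \
    token_policies="$VAULT_ROLE" \
    token_ttl=10m token_max_ttl=15m
  vault kv put "$SECRET_PATH" username=deploy password=example-only
}

# --- pipeline side (activity step 5), expects ID_TOKEN in the environment ----
fetch_secret() {
  token="$(vault write -field=token auth/jwt/login role="$VAULT_ROLE" jwt="$ID_TOKEN")"
  VAULT_TOKEN="$token" vault kv get -field=password "$SECRET_PATH"
}

# --- debugging aid: print the id token's claims. No signature check here;
# Vault verifies the signature against the JWKS, this only shows what it sees.
jwt_claims() {
  payload="$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')"
  case $(( ${#payload} % 4 )) in     # restore the base64 padding base64url drops
    2) payload="$payload==" ;;
    3) payload="$payload=" ;;
  esac
  printf '%s' "$payload" | base64 -d
}

# extract one string-valued claim, e.g.: jwt_claim aud "$ID_TOKEN"
jwt_claim() {
  jwt_claims "$2" | sed -n 's/.*"'"$1"'" *: *"\([^"]*\)".*/\1/p'
}

# constructed, unsigned sample token (not issued by any Jenkins) so the decoder
# can be tried offline; built here with base64, not copied from a real system.
sample_token() {
  hdr="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '=\n' | tr '/+' '_-')"
  body="$(printf '%s' '{"iss":"https://jenkins.example.org/oidc","aud":"vault","sub":"job/example/1"}' \
          | base64 | tr -d '=\n' | tr '/+' '_-')"
  printf '%s.%s.%s' "$hdr" "$body" "not-a-signature"
}

case "${1:-}" in
  setup)  vault_setup ;;
  fetch)  fetch_secret ;;
  claims) jwt_claims "${2:-$(sample_token)}"; echo ;;
esac
```

In the Jenkinsfile, the `fetch` half runs inside the plugin's credential binding; as I understand the plugin's documentation the id token is exposed as a string credential, so the step looks like `withCredentials([string(credentialsId: 'vault-id-token', variable: 'ID_TOKEN')]) { sh './vault-lab.sh fetch' }` (credential id assumed). Two checks worth doing on the first run: `./vault-lab.sh claims "$ID_TOKEN"` from a build to confirm `iss` and `aud` match what the Vault config and role bind on, and a second Jenkins job with a different credential or audience to confirm Vault refuses it.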
References
- https://developer.hashicorp.com/vault/docs/auth/jwt
- https://plugins.jenkins.io/oidc-provider/
- https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault for a clear explanation of the concepts
Workshop — This can be done as part of a Nasqueron lab x Wolfplex lab workshop
Product evaluation — During this activity, we'll evaluate whether to adopt the OpenID Connect Provider plugin on our Jenkins CI infrastructure