Password Manager Pro Plugin for Jenkins
Jenkins is a leading Java-based open source automation tool that is widely used in DevOps environments to build and test software projects continuously. SDLC tasks related to building, testing, and delivering or deploying software can be created as automation schedules in Jenkins, called 'jobs.' Executing these jobs more often than not requires user credentials and similar sensitive information, such as privileged passwords, API keys, and access tokens, to interface with other systems and services. In most DevOps environments, such credentials are stored in plain text files on the Jenkins server, which can lead to a host of security and management issues.
The Password Manager Pro plugin, developed for secrets management in Jenkins, helps improve security in an organization's DevOps pipeline. Once enabled in Jenkins, the plugin ensures that required credentials are retrieved from Password Manager Pro's vault every time a job is run, instead of being embedded in plain text within script files. Upon secure retrieval, the credentials can then be used in environment variables, for example to connect to a remote server for build activation. The plugin also saves the user from the arduous job of manually updating the password in the script file every time there is an update. Often, a user is unable to run a job because they are locked out of the target application or server owing to an outdated password in the script file. With the credentials stored in Password Manager Pro, they are regularly rotated and also updated on the respective remote device, which ensures that only the latest passwords are retrieved from the vault when jobs run. Currently, the plugin can be used for secrets management at the job level, i.e. for freestyle project jobs.
Steps to Configure Password Manager Pro Plugin for Jenkins
The following are the two major steps involved in setting up and starting to manage Jenkins' secrets with Password Manager Pro.
Step 1: Enabling Jenkins integration in Password Manager Pro
Step 2: Installing and enabling the plugin in Jenkins
Enabling Jenkins integration in Password Manager Pro
- Log into Password Manager Pro and navigate to Admin >> Integration >> CI/CD Platform Integration.
- Click on the Jenkins option.
- AUTH Token: Click on 'Generate' to populate an AUTH Token automatically. This will be required later while configuring the plugin in Jenkins' console. Once set up, all incoming connections from Jenkins will be validated by Password Manager Pro using this AUTH token.
- Username: Here, enter the username of an active Password Manager Pro user whose account will be used automatically by Jenkins to securely retrieve the required passwords from Password Manager Pro's vault.
Important Note: Ensure that the user account you provide has the minimum required permissions for this workflow i.e. privilege to view/retrieve the passwords of resources to which Jenkins has to connect.
- Click 'Enable'.
Note: Since Jenkins may have multiple instances, the 'Host Name' check will be disabled for requests from Jenkins.
Installing and enabling the plugin in Jenkins
The following actions, to be carried out in Jenkins' console, require a user role with the privilege to manage plugins in the tool.
- First, download the plugin here.
- Open Jenkins' console and navigate to Manage Jenkins >> Manage Plugins >> Advanced.
- Under the Upload Plugin section, upload the plugin file.
- Jenkins also requires the SSL certificate of your Password Manager Pro installation while establishing a connection, so the SSL certificate has to be added to Jenkins' keystore.
Add the SSL certificate using the command below:
keytool -import -trustcacerts -keystore <<PATH_TO_JENKINS_JAVA_KEYSTORE>> -alias <<ALIAS_NAME>> -file <<PATH_TO_PMP_SSL_CERTIFICATE>>
- Upon installation, restart the Jenkins server to apply the changes.
Enabling the plugin
- Navigate to Manage Jenkins >> Configure System.
- In the UI that loads, scroll down to locate the Password Manager Pro plugin section.
- PMP URL: Enter the URL to your Password Manager Pro instance, in the format https://<hostname>:<portnumber>
- PMP AUTH Token: Here, copy and paste the AUTH Token generated earlier in Password Manager Pro's interface. Please note that the AUTH Token entries in both Password Manager Pro and Jenkins should always match for successful plugin configuration and password retrieval.
- Save the changes to enable and start using the Password Manager Pro plugin in Jenkins.
Retrieving passwords from Password Manager Pro for freestyle project jobs
At present, the plugin can be used to retrieve required credentials from Password Manager Pro for Jenkins' freestyle project jobs. This requires adding various Password Manager Pro (PMP) attributes such as resource name, account name, and password while configuring the job. Once these attributes are configured at the job level, their values will be available as 'Environmental Variables' during job execution. When Jenkins connects to Password Manager Pro to retrieve a specific password, the environmental variables are how Jenkins identifies the required values in Password Manager Pro. Below is a step-wise explanation of the actions involved:
- Once you create a specific freestyle project job, you can find an option to use the Password Manager Pro plugin for that job under its 'Build Environment' section.
- Enable the check box beside Manage credentials with Password Manager Pro (PMP) Plugin and click 'Add an Account.'
- In the Resource Name and Account Name fields, specify the respective names of the resource and its account that you want Jenkins to fetch from PMP.
- The next step is creating variable-attribute pairs, which Jenkins will use to retrieve the required values from Password Manager Pro. To create a pair, first refer to the list of available PMP attributes given below and specify the required attribute in the Password Manager Pro Attribute field. Then add a desired name for the Environment Variable, to which the value of the corresponding PMP attribute will be automatically assigned.
- Click 'Add a variable/attribute pair' to include all the required PMP attributes in a similar fashion and then save the configuration. The plugin is now ready for use in Jenkins.
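The following "Execute shell" build step shows one way to consume the variables configured above without leaking them. It is an added example, not part of the original documentation or the plugin's own code. DEPLOY_USER and DEPLOY_PASSWORD are hypothetical Environment Variable names chosen in the variable/attribute pairs, and the sample values are constructed so the script also runs outside Jenkins.

```shell
#!/bin/sh
# Added example: "Execute shell" build step for a freestyle job.
# DEPLOY_USER / DEPLOY_PASSWORD are hypothetical Environment Variable names
# mapped to PMP attributes in the job's Build Environment section.
set +x   # Jenkins runs shell steps with -x by default; keep values out of the console log
set -eu

# Succeeds only if the named variable is present and non-empty in the
# environment. Reports the variable's name on failure, never its value.
require_secret() {
    if [ -z "$(printenv "$1" || true)" ]; then
        echo "PMP variable $1 is unset or empty; check the job's variable/attribute pairs" >&2
        return 1
    fi
}

# Writes the named variable's value to a new owner-only (0600) temp file and
# prints the file's path, so the secret is never placed on a command line.
secret_to_file() {
    (
        umask 077
        f=$(mktemp) || exit 1
        printf '%s' "$(printenv "$1")" > "$f" || exit 1
        printf '%s\n' "$f"
    )
}

# Constructed stand-ins so the example runs outside Jenkins. In a real job the
# plugin supplies these values and the next two lines are removed.
export DEPLOY_USER="${DEPLOY_USER:-svc-build}"
export DEPLOY_PASSWORD="${DEPLOY_PASSWORD:-constructed-not-a-real-secret}"

require_secret DEPLOY_USER
require_secret DEPLOY_PASSWORD

pwfile=$(secret_to_file DEPLOY_PASSWORD)
trap 'rm -f "$pwfile"' EXIT   # remove the secret from disk when the step ends

# Hand "$pwfile" to a client that accepts a password file here.
echo "Credentials for $DEPLOY_USER staged in $pwfile"
```

Failing on an empty variable stops the build before it attempts a login with a blank password, which would otherwise count toward lockout on the target system.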
List of available PMP Attributes
- Resource-level and account-level additional fields, excluding file-based additional fields.