[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title Damian Jesionek commented on JENKINS-56927 Re: Request: EC2 plugin should use SSH keys via credentials plugin I added a PR that fixes this issue on github. Please review carefully as this is my first contribution to a jenkins plugin Add Comment This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.198606.1554663571000.9580.1584635101538%40Atlassian.JIRA.
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title FABRIZIO MANFREDI commented on JENKINS-56927 Re: Request: EC2 plugin should use SSH keys via credentials plugin With the new release the private key is no longer visible. For the integration with secret manager i don't have an ETA Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.198606.1554663571000.539.1565467080131%40Atlassian.JIRA.
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title Jakub Bochenski commented on JENKINS-56927 Re: Request: EC2 plugin should use SSH keys via credentials plugin Kinnaird McQuade thanks for sharing your workaround. I think you'll agree that having credentials plugin support would make be better than jumping all those hoops? Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.198606.1554663571000.17576.1559313000115%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title Kinnaird McQuade commented on JENKINS-56927 Re: Request: EC2 plugin should use SSH keys via credentials plugin I don't have the expertise to make this kind of modifications, unfortunately. Also don't have the time to do it. Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.198606.1554663571000.16768.1559234820692%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title Kinnaird McQuade edited a comment on JENKINS-56927 Re: Request: EC2 plugin should use SSH keys via credentials plugin [~thoulen] - any updates on this? This is a pretty serious security issue.[~jbochenski] - we do check in our JCasC to Git, but the SSH key isn't rendered when it's in Git. We followed this approach: * Terraform generates the SSH key * JCasC is in a templates/jcasc.yml file * Terraform uses the `template_file` data source to inject parameters into the template file * Private key is loaded into the build file properly using `jsonencode` and `chomp` Terraform functions * aws_s3_object is used to take the rendered template and load it to a locked down S3 bucket. * We used [my-bloody-jenkins]([https://github.com/odavid/my-bloody-jenkins]) and passed in the S3 object key location into the container via environment variables. This container runs on AWS ECS with a Task role that is permitted to access the S3 bucket. This way, it can grab it at launch. ** Additionally, all secrets are set via AWS Parameter store, so they are accessible as environment variables on the container, which JCasC then reads.It's a sound approach workaround , but still, the private key is still embedded in the JCasC at some point. At least in this case, the private key is not checked into Git, but it's still stored as part of the JCasC file in S3. They need to fix this ASAP. Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.198606.1554663571000.16758.1559234760110%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title Kinnaird McQuade commented on JENKINS-56927 Re: Request: EC2 plugin should use SSH keys via credentials plugin FABRIZIO MANFREDI - any updates on this? This is a pretty serious security issue. Jakub Bochenski - we do check in our JCasC to Git, but the SSH key isn't rendered when it's in Git. We followed this approach: Terraform generates the SSH key JCasC is in a templates/jcasc.yml file Terraform uses the `template_file` data source to inject parameters into the template file Private key is loaded into the build file properly using `jsonencode` and `chomp` Terraform functions aws_s3_object is used to take the rendered template and load it to a locked down S3 bucket. We used [my-bloody-jenkins](https://github.com/odavid/my-bloody-jenkins) and passed in the S3 object key location into the container via environment variables. This container runs on AWS ECS with a Task role that is permitted to access the S3 bucket. This way, it can grab it at launch. Additionally, all secrets are set via AWS Parameter store, so they are accessible as environment variables on the container, which JCasC then reads. It's a sound approach, but still, the private key is still embedded in the JCasC at some point. At least in this case, the private key is not checked into Git, but it's still stored as part of the JCasC file in S3. They need to fix this ASAP. Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title Jakub Bochenski commented on JENKINS-56927 Re: Request: EC2 plugin should use SSH keys via credentials plugin Also if you want to use JCasC it will force you to enter the ssh key in plaintext in JCasC yaml Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.198606.1554663571000.16580.1559220780116%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title FABRIZIO MANFREDI commented on JENKINS-56927 Re: Request: EC2 plugin should use SSH keys via credentials plugin I will put in the backlog for the 1.45, if you have time to provide a pull request for that I will be happy to review it Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.198606.1554663571000.705.1558084860282%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title FABRIZIO MANFREDI started work on JENKINS-56927 Change By: FABRIZIO MANFREDI Status: Open In Progress Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title Kinnaird McQuade commented on JENKINS-56927 Re: Request: EC2 plugin should use SSH keys via credentials plugin FABRIZIO MANFREDI any thoughts on this? Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-56927) Request: EC2 plugin should use SSH keys via credentials plugin
Title: Message Title Kinnaird McQuade created an issue Jenkins / JENKINS-56927 Request: EC2 plugin should use SSH keys via credentials plugin Issue Type: New Feature Assignee: FABRIZIO MANFREDI Components: ec2-plugin Created: 2019-04-07 18:59 Environment: EC2 plugin: 1.4.2 Jenkins: 2.150.3 Priority: Major Reporter: Kinnaird McQuade The Ec2 plugin currently requires that you insert SSH private key manually, so it shows up in the UI, which is a security concern. The EC2 plugin should support the use of the credentials plugin so the SSH private key does not need to be exposed to viewers of the "Configure System" page. Add Comment