-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Plugin throws exception for Secret File with SecretString #131
Comments
Facing the same issue( |
facing same issue |
I've been thinking about this for a bit... The first thing to note is that if you need to pass a secret string to a build, by far the better way to do this is with the simple Secret Text. The second thing is that the return type of Secret File is a binary field ( Therefore I would favour:
Rather than adding |
Correct; if I remember correctly, the big thing that got me after figuring out it needed to be a SecretBinary was realizing the file also needed to be specified as fileb:// in the aws command (and learning that the aws command had a fileb protocol in the first place and it wasn't just a typo).
Without wading into the text conversion minefield/quicksand, there's several plugins that expect to receive a secret file credential specifically and to be able to use it as text within Jenkins (I have vague memories of the maven plugin being one of them when giving a custom In addition, all console-based credentials get added as SecretStrings, which means that people require AWS access keys and the CLI to upload if they need a Secret File credential. How would you feel about the plugin making an assumption that a SecretString is deserializable as UTF8 and throwing if it's not? We'd want an INFO- or WARN-level log about the situation when the plugin has to do an automatic conversion so that those of us who miss that subtlety know how to make our credentials match the plugin best practices. That way the plugin would handle what are likely the most common cases for the plugin to encounter a SecretString while still providing sufficient breadcrumbs for people to figure out their edge cases. |
I believe that it might be as simple as passing your text file secret as the Could you try running
And then seeing what comes out when the secret file credential is utilised in Jenkins? Side note: If you try to inspect this manually by doing
in the CLI, you'll notice the output is base64 encoded. I believe this is only happening because the shell is a text-only environment, so AWI CLI must necessarily encode the binary output to show it. But the AWS SDK that we use in the Jenkins plugin returns us the byte stream without modification, so I'm hoping it will work.) |
Reposted from https://issues.jenkins.io/browse/JENKINS-66588
I ran into JENKINS-62566 when trying to configure a SecretFile with the kubeconfig for a kubernetes cluster using the kubernetes plugin. This fails in an incredibly unobvious way, which took a lot of digging to troubleshoot.
Since the text of the exception is just the word
null
, the 'test config' button for the kubernetes cloud configuration page just displays the word 'null' in red text. This led me to believe the problem was in the kubernetes plugin's cloud component, but I couldn't figure out how it was throwing due to the exception not being logged at default log levels either. I originally assumed this was an issue with the kubeconfig file, or something wrong with cluster connectivity, until I'd ruled all that out successfully and created a new logger at ALL which showed the actual stacktrace in question, pointing to the AWS Secrets Manager credential provider plugin.Finally, for ease of reproduction, I created a freestyle job in which I just used the file as a credential and saw the same stacktrace:
While the documentation shows a FileCredential created by using awscli with the -secret-binary flag, it is not made obvious in the documentation that a SM secret created by using the AWS web console or the -secret-string flag to awscli is unsupported, and if I hadn't stumbled across JENKINS-62566 I would have no idea what was going wrong without a deep dive into the plugin source.
JENKINS-62566 was closed because it wasn't a common problem, but given how hard to troubleshoot it can be when credentials are used in system configuration, I'd love to see either a fallback where it gets the SecretString value if SecretBytes is null, or at the least, a more instructive stacktrace.
I'd think the SecretBytesSupplier.get() method would want to
return SecretBytes.fromString(str)
on line 71 here instead of returning nullI can try to toss together a PR for this with some test coverage if it's a wanted change; I'd think it would be expected that the contents of the secret will be available to people regardless of whether it is a binary or string.
The text was updated successfully, but these errors were encountered: