
Discussion on: Ephemeral Jenkins Users + API Tokens using Hashicorp Vault

Alex Pho

Hey Caleb, this was a great read for me; found your post from the Hashicorp Newsletter actually! I also took a quick peek at the repo too and the diagrams are helpful.

I don't use Jenkins, but use GitLab CI/CD instead for my current role and I am also familiar with managing Vault—I was hoping you could confirm my understanding.

Would the flow look something like:

  1. Jenkins pipeline job is executed and makes a request to Vault for ephemeral creation of either a user and/or token as defined by the particular pipeline.
  2. Vault does the thing per the CLI and plugin integration.
  3. Returns ephemeral token back and allows Jenkins to auth machine to machine to the IdP avoiding rate limiting.

Caleb Lemoine

Hey @alexcfpho !

My coworkers actually created a vault plugin for GitLab CI: github.com/splunk/vault-plugin-sec...

The flow for usage with this plugin is actually outside of Jenkins pipelines. These are the 2 flows/use cases I built this for:

Jenkins Users:

  1. If no external auth system is being used such as SAML/LDAP/Active Directory etc, Jenkins admins/platform team create vault policies to allow consuming teams to create Jenkins users to run Jenkins jobs/communicate with the API.
  2. Dev team has automation to renew/create short lived users for their consumption of Jenkins.

Jenkins API Tokens:

  1. External provider such as SAML/LDAP/Active Directory is used frequently and rate limits occur due to high Jenkins usage.
  2. Jenkins consumers with their service account can then use vault to create short lived API tokens for said service account user which will not call external provider frequently and avoid rate limits.

Caleb Lemoine

@alexcfp would you mind linking me the newsletter you saw? I wasn't aware of it