How to Manage Jenkins Secrets with Akeyless Vault

September 18, 2020

Featured article by Rafael Elcomarti, Independent Technology Author

Jenkins is an open-source automation platform that enables software build, test, and deployment by facilitating continuous integration and continuous delivery. It is widely considered an essential tool for achieving a DevOps model, because it automates phases of software delivery workflows through CI/CD pipelines.

At its core, Jenkins is a scripting engine sitting at the center of a critical workflow, and like all workflow tools, it requires secrets (credentials, API keys, tokens) in order to connect to other resources, such as code repositories.

Secrets in your Jenkins installation should be secured in two ways:

– By not leaving secrets in plain text within Jenkins jobs, where they are exposed to attackers.
– Through access control, by authorizing each Jenkins job to access only the secrets it requires in order to complete its task.

With an Akeyless Vault integration, Akeyless Vault acts as a secrets management platform for Jenkins, provisioning secrets smoothly and securely into Jenkins jobs at run time.

The Akeyless Vault plugin for Jenkins adds a build wrapper that sets Jenkins environment variables from secrets held in Akeyless Vault. Because the Jenkins Master fetches secrets from the Akeyless Vault and injects them into Jenkins Slaves, hard-coded secrets (such as API keys, tokens, certificates, and user credentials) no longer need to be saved within Jenkins.

FYI – Akeyless Vault is available either as SaaS or as a self-deployed solution, as required.

Benefits of Using a Centralized Secrets Management Solution

It is imperative for any organization to consistently provision secrets easily in a DevOps workflow without compromising security.

A secrets management platform like Akeyless Vault makes it operationally simpler to maintain compliance and to generate reports of secret access, with visibility into which secret was used, when, where, and by whom.

Operation-wise – Each DevOps tool, such as Jenkins, Ansible, Kubernetes, or any other, has its own secret manager/vault. For an organization with multiple such tools, managing multiple secret managers becomes chaotic and equally risky. With Akeyless Vault’s centralized secrets management platform, an organization can not only manage multiple vaults easily but also benefit from a single source for authenticating into different applications and workflows simultaneously.

Audit-wise – Instead of auditing the secrets of multiple tools’ secret managers, Akeyless Vault enables a centralized audit of all application secrets, thereby saving precious time and compliance hassle.

Functionality-wise – Most DevOps tools’ secrets platforms lack an implementation of a Zero-Trust strategy. Through a centralized secrets management platform like Akeyless, temporary credentials are created through Just-in-Time Secrets. This ensures that any playbook has on-demand access to a specific resource, and that this access ‘dies’ after the playbook completes its run, thereby administering a Zero-Trust strategy.

Security-wise – Through short-lived SSH certificates, a centralized secrets management platform like Akeyless provides enhanced security. In comparison to SSH keys, SSH certificates have date ranges that enforce their automatic expiry. Additionally, in case of mistakes, misuse, or theft, SSH certificates automatically expire.

How to Fetch a Secret with Akeyless Vault in Jenkins

Let’s go through the simple steps to fetch a secret in Jenkins.

1. Create an account with Akeyless (it’s free) by accessing the URL: Akeyless.io


2. In case you are a new user, create your first secret in Akeyless as shown below:


3. Start by clicking “Manage Jenkins”, then click “Manage Plugins”. Find the Vault plugin and click install. On the main page, click “New Item”, and then select “Freestyle project”. Go to “Build Environment”, check the “Vault Plugin”, add the vault URL and click “Add” in “Vault Credential”:


4. Fill in the following fields. For this step you should use a dedicated vault token:


Quick Note : The token should be in the following structure: <access_id>..<access_key>


5. Choose your newly created Vault Credential.
6. Fill in the following fields and click “Add a Vault secret”:


7. Fill in the details of the Vault URL and Secret Path as shown below:


Quick Note : Path should be in the following structure: secret/data/<path_to_your_secret>

Quick Note : PASS will be used later as an Environment variable and will contain the value of your secret

8. Copy the following into the CLI:

echopass

9. In Build, click “Execute shell”:
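
An added example, not part of the original article or the plugin's own code: helper functions for the “Execute shell” step that use the injected PASS variable without writing its value to the build log. The helper names and the commented registry login are assumptions for illustration; Jenkins runs shell steps with `sh -xe` by default, which is why tracing is switched off around the one line that expands the secret.

```shell
#!/bin/sh
# Added example (not from the article): helpers for an "Execute shell" step
# that uses the Vault-injected PASS variable without leaking it to the log.
# Helper names are hypothetical; PASS is the variable named in step 7.

# Fail the build early if the plugin did not inject a value.
require_pass() {
    if [ -z "${PASS:-}" ]; then
        echo "PASS is empty: check the Vault credential, path and key" >&2
        return 1
    fi
}

# Run "$@" with the secret on stdin instead of in argv (argv is visible in
# process listings). Jenkins starts shell steps with -x by default, so
# tracing is switched off around the only line that expands $PASS.
with_pass_on_stdin() {
    _restore=0; _rc=0
    case $- in *x*) set +x; _restore=1 ;; esac
    printf '%s' "$PASS" | "$@" || _rc=$?
    if [ "$_restore" -eq 1 ]; then set -x; fi
    return "$_rc"
}

# Filter for tool output: replaces literal occurrences of the secret with
# ****. Assumes PASS is exported (Jenkins injects it into the environment)
# and is a single line; index/substr need no regex escaping.
redact_pass() {
    awk 'BEGIN { s = ENVIRON["PASS"]; n = length(s) }
    {
        line = $0; out = ""
        while (n > 0 && (i = index(line, s)) > 0) {
            out = out substr(line, 1, i - 1) "****"
            line = substr(line, i + n)
        }
        print out line
    }'
}

# Typical use in the build step (user and registry are placeholders):
#   require_pass
#   with_pass_on_stdin docker login -u ci --password-stdin registry.example
```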


Summary

The Akeyless Vault plugin for Jenkins allows you to better secure the credentials within Jenkins jobs by fetching those secrets at run time from an external encrypted repository.

Akeyless Vault is an easy-to-use platform, with no deployment required (SaaS), that centralizes the protection of all your secrets in all your DevOps tools from one single place.
