Jenkins CI › Jenkins users

Hiding aws credentials Jenkins S3 plugin.

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

7 messages Options

Seshadri Reddy

Hiding aws credentials Jenkins S3 plugin.

Hi,

My self Jai,

Am currently facing problem with "how to hide aws access key and secrete key in S3 plugin while uploading artifacts from jenkins job to AWS S3 ??? Need help soon, Can any body please??

Thanks and Regards

Jai

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/236a4ea5-6bfa-4a10-bd66-a33c9343adea%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

gil-2

Re: Hiding aws credentials Jenkins S3 plugin.

what about writing your job to upload files to s3?

On Friday, 27 July 2018 14:44:13 UTC+3, [hidden email] wrote:

Hi,

My self Jai,

Am currently facing problem with "how to hide aws access key and secrete key in S3 plugin while uploading artifacts from jenkins job to AWS S3 ??? Need help soon, Can any body please??

Thanks and Regards
Jai

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/51d9f72f-abe6-443a-b787-e5fec6eca87f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Seshadri Reddy

Re: Hiding aws credentials Jenkins S3 plugin.

Jenkins deployments will need to upload artifacts to S3; Jenkins can't write to S3 by default, so we'll need to specify AWS credentials to upload. We'd prefer to not expose these credentials in build scripts or configuration options.

Goal is to provide best practices for properly using and hiding AWS credentials in Jenkins jobs

On Monday, 30 July 2018 17:03:22 UTC+5:30, gil wrote:

what about writing your job to upload files to s3?

On Friday, 27 July 2018 14:44:13 UTC+3, [hidden email] wrote:
Hi,

My self Jai,

Am currently facing problem with "how to hide aws access key and secrete key in S3 plugin while uploading artifacts from jenkins job to AWS S3 ??? Need help soon, Can any body please??

Thanks and Regards
Jai

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/fc046bdc-e7ff-4457-9b16-2ba81f52dafc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Aldrin Leal

Re: Hiding aws credentials Jenkins S3 plugin.

Why not restrict the key to allow only uploading from a given IP Address? Is it way safer

https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

--
-- Aldrin Leal, <[hidden email]> / https://ingenieux.io/about/

On Thu, Aug 2, 2018 at 8:46 AM, <[hidden email]> wrote:

Jenkins deployments will need to upload artifacts to S3; Jenkins can't write to S3 by default, so we'll need to specify AWS credentials to upload. We'd prefer to not expose these credentials in build scripts or configuration options.
Goal is to provide best practices for properly using and hiding AWS credentials in Jenkins jobs

On Monday, 30 July 2018 17:03:22 UTC+5:30, gil wrote:
what about writing your job to upload files to s3?

On Friday, 27 July 2018 14:44:13 UTC+3, [hidden email] wrote:
Hi,

My self Jai,

Am currently facing problem with "how to hide aws access key and secrete key in S3 plugin while uploading artifacts from jenkins job to AWS S3 ??? Need help soon, Can any body please??

Thanks and Regards
Jai

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/fc046bdc-e7ff-4457-9b16-2ba81f52dafc%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CALpo8Nv5xHYySQZLgXSmVQ6Qt3%2BCdqYOrgKn6TzZRyG0_QbZEA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Seshadri Reddy

Re: Hiding aws credentials Jenkins S3 plugin.

Hi Aldrin Leal,

Thanks for your information, my problem got solved with other way........ like instead of using IAM user credentials in Jenkins, we can create IAM role with S3 full permission and attach that role in to the Jenkins server, then in Jenkins at the S3 publisher profile instead of providing credentials, we can select IAM role, no worries about credentials.

Please follow below steps:

First need to create IAM role with S3 full access.
Then attach that role to Server.
And go to Jenkins dashboard,

Configure Systems,

Amazon S3 profile,

S3 profiles name : same name as "IAM role"

Instead of given credentials, we can select "Use IAM Role", then apply and save

In Jenkins job, Add post-build action:

Publish artifacts to S3 Bucket,

S3 profile name: name same as "IAM role",

Files to upload: Source : Files name

Destination bucket : Bucket path

Bucket Region : Select bucket region

Then Apply and Save

Click Build now, check artifacts are uploaded in to S3 bucket.

On Thursday, 2 August 2018 19:29:33 UTC+5:30, Aldrin Leal wrote:

Why not restrict the key to allow only uploading from a given IP Address? Is it way safer

<a href="https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Faws.amazon.com%2Fblogs%2Fsecurity%2Fwriting-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE_YFGkoepI2n1zXSgInv52PptYDw';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Faws.amazon.com%2Fblogs%2Fsecurity%2Fwriting-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE_YFGkoepI2n1zXSgInv52PptYDw';return true;">https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/

<a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdocs.aws.amazon.com%2FIAM%2Flatest%2FUserGuide%2Freference_policies_examples_aws_deny-ip.html\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFwFh42jRpnlse6qiUqBO8M6njW2Q';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdocs.aws.amazon.com%2FIAM%2Flatest%2FUserGuide%2Freference_policies_examples_aws_deny-ip.html\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFwFh42jRpnlse6qiUqBO8M6njW2Q';return true;">https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

--
-- Aldrin Leal, <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="7OMdPqQ2CQAJ" rel="nofollow" onmousedown="this.href='javascript:';return true;" onclick="this.href='javascript:';return true;">ald...@...> / <a href="https://ingenieux.io/about/" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fingenieux.io%2Fabout%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHVOmxtLmFnGhNyIYP-JY3F0RC1mw';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fingenieux.io%2Fabout%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHVOmxtLmFnGhNyIYP-JY3F0RC1mw';return true;">https://ingenieux.io/about/

On Thu, Aug 2, 2018 at 8:46 AM, <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="7OMdPqQ2CQAJ" rel="nofollow" onmousedown="this.href='javascript:';return true;" onclick="this.href='javascript:';return true;">seshadri...@...> wrote:
Jenkins deployments will need to upload artifacts to S3; Jenkins can't write to S3 by default, so we'll need to specify AWS credentials to upload. We'd prefer to not expose these credentials in build scripts or configuration options.
Goal is to provide best practices for properly using and hiding AWS credentials in Jenkins jobs

On Monday, 30 July 2018 17:03:22 UTC+5:30, gil wrote:
what about writing your job to upload files to s3?

On Friday, 27 July 2018 14:44:13 UTC+3, [hidden email] wrote:
Hi,

My self Jai,

Am currently facing problem with "how to hide aws access key and secrete key in S3 plugin while uploading artifacts from jenkins job to AWS S3 ??? Need help soon, Can any body please??

Thanks and Regards
Jai

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="7OMdPqQ2CQAJ" rel="nofollow" onmousedown="this.href='javascript:';return true;" onclick="this.href='javascript:';return true;">jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/jenkinsci-users/fc046bdc-e7ff-4457-9b16-2ba81f52dafc%40googlegroups.com?utm_medium=email&utm_source=footer" target="_blank" rel="nofollow" onmousedown="this.href='https://groups.google.com/d/msgid/jenkinsci-users/fc046bdc-e7ff-4457-9b16-2ba81f52dafc%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter';return true;" onclick="this.href='https://groups.google.com/d/msgid/jenkinsci-users/fc046bdc-e7ff-4457-9b16-2ba81f52dafc%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter';return true;">https://groups.google.com/d/msgid/jenkinsci-users/fc046bdc-e7ff-4457-9b16-2ba81f52dafc%40googlegroups.com.

For more options, visit <a href="https://groups.google.com/d/optout" target="_blank" rel="nofollow" onmousedown="this.href='https://groups.google.com/d/optout';return true;" onclick="this.href='https://groups.google.com/d/optout';return true;">https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/b513b229-b1e5-4d4d-be65-3c988102dd0f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Shubham Aggarwal

Re: Hiding aws credentials Jenkins S3 plugin.

I can't see the screenshots. Would you please post them again? I tried to follow your instructions but Jenkins automatically unchecks "use IAM role" after I save it with the name or ARN of the role. What am I doing wrong?

On Thursday, August 2, 2018 at 9:48:38 PM UTC+5:30 [hidden email] wrote:

Hi Aldrin Leal,

Thanks for your information, my problem got solved with other way........ like instead of using IAM user credentials in Jenkins, we can create IAM role with S3 full permission and attach that role in to the Jenkins server, then in Jenkins at the S3 publisher profile instead of providing credentials, we can select IAM role, no worries about credentials.

Please follow below steps:

First need to create IAM role with S3 full access.

Then attach that role to Server.

And go to Jenkins dashboard,

Configure Systems,

Amazon S3 profile,

S3 profiles name : same name as "IAM role"

Instead of given credentials, we can select "Use IAM Role", then apply and save



In Jenkins job, Add post-build action:

Publish artifacts to S3 Bucket,

S3 profile name: name same as "IAM role",

Files to upload: Source : Files name

                            Destination bucket : Bucket path

                                Bucket Region : Select bucket region

Then Apply and Save

Click Build now, check artifacts are uploaded in to S3 bucket.

On Thursday, 2 August 2018 19:29:33 UTC+5:30, Aldrin Leal wrote:
Why not restrict the key to allow only uploading from a given IP Address? Is it way safer

https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

--
-- Aldrin Leal, <[hidden email]> / https://ingenieux.io/about/

On Thu, Aug 2, 2018 at 8:46 AM, <[hidden email]> wrote:
Jenkins deployments will need to upload artifacts to S3; Jenkins can't write to S3 by default, so we'll need to specify AWS credentials to upload. We'd prefer to not expose these credentials in build scripts or configuration options.
Goal is to provide best practices for properly using and hiding AWS credentials in Jenkins jobs

On Monday, 30 July 2018 17:03:22 UTC+5:30, gil wrote:
what about writing your job to upload files to s3?

On Friday, 27 July 2018 14:44:13 UTC+3, [hidden email] wrote:
Hi,

My self Jai,

Am currently facing problem with "how to hide aws access key and secrete key in S3 plugin while uploading artifacts from jenkins job to AWS S3 ??? Need help soon, Can any body please??

Thanks and Regards
Jai

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/fc046bdc-e7ff-4457-9b16-2ba81f52dafc%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/596d0ed4-5b36-4b4f-ada4-3b1136b73771n%40googlegroups.com.

Shubham Aggarwal

Re: Hiding aws credentials Jenkins S3 plugin.

Never mind. I got it to work. I assigned an instance profile to my slaves and created an S3 profile with "Use IAM role" checked. It again unchecked it but it worked nonetheless. Also, the S3 profile didn't have to bear the same name as the IAM role assigned to the slaves.

On Wednesday, August 26, 2020 at 1:54:15 AM UTC+5:30 Shubham Aggarwal wrote:

I can't see the screenshots. Would you please post them again? I tried to follow your instructions but Jenkins automatically unchecks "use IAM role" after I save it with the name or ARN of the role. What am I doing wrong?

On Thursday, August 2, 2018 at 9:48:38 PM UTC+5:30 [hidden email] wrote:
Hi Aldrin Leal,

Thanks for your information, my problem got solved with other way........ like instead of using IAM user credentials in Jenkins, we can create IAM role with S3 full permission and attach that role in to the Jenkins server, then in Jenkins at the S3 publisher profile instead of providing credentials, we can select IAM role, no worries about credentials.

Please follow below steps:

First need to create IAM role with S3 full access.

Then attach that role to Server.

And go to Jenkins dashboard,

Configure Systems,

Amazon S3 profile,

S3 profiles name : same name as "IAM role"

Instead of given credentials, we can select "Use IAM Role", then apply and save



In Jenkins job, Add post-build action:

Publish artifacts to S3 Bucket,

S3 profile name: name same as "IAM role",

Files to upload: Source : Files name

                            Destination bucket : Bucket path

                                Bucket Region : Select bucket region

Then Apply and Save

Click Build now, check artifacts are uploaded in to S3 bucket.

On Thursday, 2 August 2018 19:29:33 UTC+5:30, Aldrin Leal wrote:
Why not restrict the key to allow only uploading from a given IP Address? Is it way safer

https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

--
-- Aldrin Leal, <[hidden email]> / https://ingenieux.io/about/

On Thu, Aug 2, 2018 at 8:46 AM, <[hidden email]> wrote:
Jenkins deployments will need to upload artifacts to S3; Jenkins can't write to S3 by default, so we'll need to specify AWS credentials to upload. We'd prefer to not expose these credentials in build scripts or configuration options.
Goal is to provide best practices for properly using and hiding AWS credentials in Jenkins jobs

On Monday, 30 July 2018 17:03:22 UTC+5:30, gil wrote:
what about writing your job to upload files to s3?

On Friday, 27 July 2018 14:44:13 UTC+3, [hidden email] wrote:
Hi,

My self Jai,

Am currently facing problem with "how to hide aws access key and secrete key in S3 plugin while uploading artifacts from jenkins job to AWS S3 ??? Need help soon, Can any body please??

Thanks and Regards
Jai

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/fc046bdc-e7ff-4457-9b16-2ba81f52dafc%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/a42c2a36-6082-486e-b2eb-082826fe08ban%40googlegroups.com.