This plugin uses the Thycotic Vault API to retrieve secrets used in the build process. Use of this plugin must be associated with a licensed version of the Thycotic Vault.
Usage
Additional examples are given in the DevOps Secrets Vault documentation.
Usage in a pipeline script
node {
    // Define the secret key and the environment variable it populates.
    // The key matches the attribute name in the secret JSON.
    // Only simple JSON types are supported for the secret value.
    def secretValues = [
        [$class: 'ThycoticSecretValue', key: 'password', envVar: 'secret']
    ]
    // Define the path to the secret stored in DevOps Secrets Vault.
    def secrets = [
        [$class: 'ThycoticSecret', path: 'path/to/your/secret', secretValues: secretValues]
    ]
    // Set the Jenkins credential ID used to connect to the vault.
    def configuration = [$class: 'DevOpsSecretsVaultConfiguration',
                         thycoticCredentialId: 'dsv-auth-credentials']
    // Instantiate the build wrapper to access the populated environment variables.
    wrap([$class: 'ThycoticVaultBuildWrapper', configuration: configuration, thycoticVaultSecrets: secrets]) {
        // The secret is available as $secret inside this block; the echo is for demonstration only.
        echo "my secret is $secret"
    }
}
Limitations
Currently this plugin only supports JSON-formatted secrets within the vault. The secret data values must be simple JSON types; complex types such as arrays are not currently supported.
Supported by the plugin
{
    "id": "0a71c5c0-5198-4c17-b2e3-c9e8703ef03d",
    "path": "path:to:secret",
    "data": {
        "password": "somepassword1",
        "username": "someuser"
    }
}
Not supported
{
    "id": "0a71c5c0-5198-4c17-b2e3-c9e8703ef03d",
    "path": "path:to:secret",
    "data": {
        "password": ["somepassword1", "somepassword2"],
        "username": "someuser"
    }
}
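A pre-flight check for the limitation above, added here as an example and not part of the plugin: given a secret's JSON document, it reports which requested keys are missing or hold non-simple values, without ever printing a value. It is written in Python for use outside Jenkins; the name `check_secret` and the choice to treat null and nested objects as unsupported are assumptions.

```python
import json

# Assumption: "simple" means JSON string, number or boolean. The page only
# names arrays as unsupported; objects and null are treated as unsupported here.
SIMPLE_TYPES = (str, int, float, bool)


def check_secret(raw_json, wanted_keys):
    """Return problems that would stop the plugin from mapping wanted_keys.

    Only key names and type names are reported, never the secret values.
    """
    problems = []
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON (line {exc.lineno})"]
    data = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(data, dict):
        return ["secret has no 'data' object"]
    for key in wanted_keys:
        if key not in data:
            problems.append(f"key '{key}' is missing from data")
        elif not isinstance(data[key], SIMPLE_TYPES):
            kind = type(data[key]).__name__
            problems.append(f"key '{key}' holds a {kind}, not a simple type")
    return problems


# Constructed samples mirroring the two secrets shown above.
SUPPORTED = ('{"id": "x", "path": "path:to:secret", "data": '
             '{"password": "somepassword1", "username": "someuser"}}')
UNSUPPORTED = ('{"id": "x", "path": "path:to:secret", "data": '
               '{"password": ["somepassword1", "somepassword2"], "username": "someuser"}}')

if __name__ == "__main__":
    for name, raw in (("supported", SUPPORTED), ("unsupported", UNSUPPORTED)):
        print(name, check_secret(raw, ["password", "username"]))
```
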
Building and Running
This plugin requires Java 8 along with Maven 3.5+.
Helpful Commands
- Create plugin -
mvn clean install
- Run tests -
mvn clean test
- Run Plugin Locally -
mvn hpi:run
Attribution
This plugin was adapted from the Vault plugin originally authored by Peter Tierno.