safe jenkins <command>

safe jenkins post [aws|docker|git] <<jenkins-host-url>> | introduction

Use safe jenkins post to inject both your AWS IAM user credentials and your docker login/password credentials into the Jenkins 2.0 continuous integration portal reachable at the Jenkins host URL given as the 4th parameter of the safe command.


safe jenkins post | prerequisite

Before you can inject credentials into jenkins using safe jenkins post you must

After the post (to Jenkins), your continuous integration jobs will be able to access the credential values via their IDs as stated in the table below.


safe jenkins post aws | key names table

As credentials are WORO (write once, read often), safe makes the reading part very easy (and secure), so your effort is front-loaded.

| Safe Key | Jenkins Credential IDs | Environment Variable | Description |
|:-----------:|:----------------------:|:--------------------- |:-------------------------------------------------------- |
| @access.key | safe.aws.access.key | AWS_ACCESS_KEY_ID | The AWS IAM user's access key credential. |
| @secret.key | safe.aws.secret.key | AWS_SECRET_ACCESS_KEY | The AWS IAM user's secret key credential. |
| region.key | safe.aws.region.key | AWS_REGION | The AWS region key that your Jenkins service points to. |

So you can see that by convention, safe expects the credential keys in the safe to be named a particular way, and likewise, you can be assured of the IDs it gives those credentials when posted to Jenkins.

safe jenkins post | credentials lifecycle

The life of the credentials begins when you create an IAM user and record its access and secret keys. Then

Jenkinsfile | Usage in Pipeline Jobs

Here is a pipeline declaration within a Jenkinsfile that asks Jenkins to put the credential values in its secrets store into the stated environment variables.

environment {
    AWS_ACCESS_KEY_ID     = credentials( 'safe.aws.access.key' )
    AWS_SECRET_ACCESS_KEY = credentials( 'safe.aws.secret.key' )
    AWS_REGION            = credentials( 'safe.aws.region.key' )
}

After safe jenkins post aws you can click into the Credentials item in the Jenkins main menu to assure yourself that the credentials have indeed been properly injected.


How to Write AWS Credentials into your Safe

Before you can run safe terraform apply, safe jenkins post aws <<jenkins-host-url>> or safe visit, you must first put those ubiquitous IAM programmatic user credentials into your safe.

$ safe login joebloggs.com                  # open the book

$ safe open iam dev.s3.reader               # open chapter and verse
$ safe put @access.key ABCD1234EFGH5678     # Put IAM access key in safe
$ safe put @secret.key xyzabcd1234efgh5678  # Put IAM secret key in safe
$ safe put region.key eu-west-3             # infrastructure in Paris

$ safe open iam canary.admin                # open chapter and verse
$ safe put @access.key 4321DCBA8765WXYZ     # Put IAM access key in safe
$ safe put @secret.key 5678uvwx4321abcd9876 # Put IAM secret key in safe
$ safe put region.key eu-west-1             # infrastructure in Dublin

$ safe logout

How to write DockerHub Credentials into your Safe

safe jenkins post docker jenkins.example.com

Before you can issue a safe jenkins post docker http://localhost:8080 you must insert your docker login credentials, in the form of a docker.username and an @docker.password, into your safe. Remember that any key starting with the @ sign tells the safe to keep its value secret, for example when you issue a safe show command.

$ safe login joebloggs.com         # open the book
$ safe open docker production      # at the docker (for production) chapter and verse
$ safe put docker.username admin   # Put the Docker repository login docker.username into the safe
$ safe put @docker.password s3cr3t # Put the Docker repository login @docker.password into the safe
$ safe logout

When docker credentials are injected into a Jenkins service the safe will expect to find lines at the open chapter and verse location with key names docker.username and @docker.password.

The safe promises to inject the credentials with an ID of safe.docker.login.id, so any Jenkins job that needs the docker login username and password must specify this ID when talking to the Jenkins credentials service.
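
A pipeline that consumes the posted credentials by the IDs named above, as an added example (not part of the safe project's documentation). It assumes an agent with the docker and aws command line tools installed and uses a hypothetical image name, example/app.

```groovy
// Added example Jenkinsfile (declarative pipeline); not from the safe project.
// Assumptions: the agent has the docker and aws CLIs, and "example/app"
// is a hypothetical image name.
pipeline {
    agent any

    environment {
        // Secret-text credentials posted by `safe jenkins post aws`.
        AWS_ACCESS_KEY_ID     = credentials('safe.aws.access.key')
        AWS_SECRET_ACCESS_KEY = credentials('safe.aws.secret.key')
        AWS_REGION            = credentials('safe.aws.region.key')
        // Username/password credential posted by `safe jenkins post docker`.
        // Jenkins also defines DOCKER_LOGIN_USR and DOCKER_LOGIN_PSW from it.
        DOCKER_LOGIN          = credentials('safe.docker.login.id')
    }

    stages {
        stage('Check AWS identity') {
            steps {
                // The aws CLI reads the three AWS_* variables from the environment.
                sh 'aws sts get-caller-identity'
            }
        }
        stage('Build and push image') {
            steps {
                // Single-quoted strings: the shell expands the variables, so Groovy
                // never interpolates the password into the script text, and
                // --password-stdin keeps it out of the process argument list.
                sh 'printf "%s" "$DOCKER_LOGIN_PSW" | docker login --username "$DOCKER_LOGIN_USR" --password-stdin'
                sh 'docker build --tag example/app:"$BUILD_NUMBER" .'
                sh 'docker push example/app:"$BUILD_NUMBER"'
            }
        }
    }

    post {
        always {
            // Remove the login token docker wrote to the agent's config file.
            sh 'docker logout'
        }
    }
}
```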

DockerHub Credentials Inject Response

Here is an example of posting dockerhub credentials into a Jenkins service running on the local machine.

safe jenkins post docker http://localhost:8080

If successful, safe provides a polite response detailing what just happened.

 - Jenkins Host Url : http://localhost:8080/credentials/store/system/domain/_/createCredentials
 -   Credentials ID : safe.docker.login.id
 -  Inject Username : devops4me
 - So what is this? : The docker repository login credentials in the shape of a username and password.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   428    0     0  100   428      0  47555 --:--:-- --:--:-- --:--:-- 47555

safe integrations | we need your help

You can help to extend safe's integrations.

By design - safe integrations are simple to write. They primarily integrate with producers and consumers. To deliver efficacy to devops engineers safe will endeavour to

safe needs pull requests from the devops community and it promises to always strive to keep the task of writing an integration extremely simple.

integrations | what giving takes?

Currently, writing an integration entails delivering 3 or 4 artifacts which are

Giving doesn't take much so roll up your sleeves (or frocks) and get writing.