I am looking for a way to securely pass parameters to jobs spawned from a pipeline. In my current case a ‘job’ would ideally be an ansiblePlaybook but could alternatively be a linux shell script. However I would be interested in solutions for any kind of job.
By ‘secure’ I mean that whatever is passed should not be exposed or extractable in any way (okay, let’s limit that to ‘to any non-root user’). I’ve done a lot of searching for this and it seems that parameters are always passed either as environment variables (withEnv) or as command line arguments (i.e. ansiblePlaybook -e), neither of which classify as secure, as both are plainly readable when logged in on the agent machine (through /proc//environ and /proc//cmdline, or through ps aux).
The only ways I’m aware of to pass things to a program securely in linux in general are by stdio (eg pipes) or using keyctl. I’ve been extensively searching for examples of using either but came up empty. Does anyone have any tips?
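The following is an added example, not code from the thread, for the generic (non-Ansible) case: it shows the exposure the question describes, where a secret handed over in argv or the environment can be read back out of /proc/<pid>/cmdline or /proc/<pid>/environ by any process of the same user, beside the stdin/pipe alternative, where the job reads the secret from its standard input and nothing sensitive is ever part of an exec. The function and variable names (consume_secret, run_with_secret_on_stdin, JOB_PASSWORD) and the sample secret are constructed for the demonstration; the checks need a Linux /proc and return 2 where it is absent.

```shell
#!/bin/sh
# Added example, not from the thread. Contrasts argv/env hand-over (readable
# from /proc by the same user) with stdin hand-over (a pipe; never in /proc).

# Consumer side: the job reads its secret from stdin, never from $1 or from
# the environment. Stand-in for the real job; it only reports the secret's
# length so nothing sensitive is printed.
consume_secret() {
  IFS= read -r secret || return 1
  printf '%s\n' "${#secret}"
}

# Launcher side: the secret is written into the pipe by the shell builtin
# printf, so no process is exec'd with the secret in its argv and the secret
# is never exported into any environment. It still lives in this shell's
# memory, which is why the question limits 'secure' to non-root readers.
run_with_secret_on_stdin() {
  printf '%s\n' "$1" | consume_secret
}

# The exposure the question describes: a child launched with the secret in
# its argv. Returns 0 if the secret is recoverable from /proc/<pid>/cmdline,
# 1 if not, 2 if /proc is unavailable. (Constructed demo: the child is a
# shell running two commands so it is not exec-optimised away.)
secret_in_argv_is_readable() {
  [ -d /proc/self ] || return 2
  sh -c 'sleep 3; :' sh --password "$1" &
  child=$!
  sleep 1
  if tr '\0' ' ' < "/proc/$child/cmdline" | grep -qF -- "$1"; then
    rc=0
  else
    rc=1
  fi
  kill "$child" 2>/dev/null || true
  wait "$child" 2>/dev/null || true
  return "$rc"
}

# Same check for a secret exported in the environment (what withEnv does),
# read back from /proc/<pid>/environ.
secret_in_env_is_readable() {
  [ -d /proc/self ] || return 2
  JOB_PASSWORD="$1" sh -c 'sleep 3; :' &
  child=$!
  sleep 1
  if tr '\0' '\n' < "/proc/$child/environ" | grep -qF -- "JOB_PASSWORD=$1"; then
    rc=0
  else
    rc=1
  fi
  kill "$child" 2>/dev/null || true
  wait "$child" 2>/dev/null || true
  return "$rc"
}
```

In a real job, consume_secret is replaced by the script (or wrapper) itself doing the `IFS= read -r` on stdin; the launcher side is what the pipeline runs, with the secret value coming from wherever the pipeline keeps it. The two /proc checks are the test a practitioner can run on an agent to confirm whether a given launch method leaks.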
The key element you need to look for is Ansible Vault. You add your vault password to Jenkins as a Credential and launch ansiblePlaybook using that key.
I could have sworn that I had a project here that used this mechanism but I’m having difficulty finding it right now.
Yeah, that would be my fallback, but I would also like to know of a more generic mechanism for cases where I’m not using Ansible. (And actually, also when using Ansible Vault, I would like to combine it with the Jenkins credentials store, as in store half the secret in Ansible Vault and the other half in the Jenkins credentials store, so that in case either one gets compromised, no full secrets are exposed.)
Credentials are the general use case. They’re encrypted in Jenkins and decrypted at the point you use them. Granted, you can stuff them into environment variables or files and make them insecure like that. If you’re concerned about pipelines exposing secrets like that, you control who can submit pipelines to your system.
I happen to have a number of secrets that I’ve completely forgotten and have a pipeline job that I modify to extract the secrets to where I can view them.