Jenkins Job DSL sshAgent not working correctly - jenkins-job-dsl

For the Jenkins Job DSL, I am trying to choose specific ssh agent (plugin) keys for a job (using the sshAgent keyword inside the wrappers context). We have the Jenkins ssh agent plugin installed and several keys set up (this plugin works, as we use it for almost all of our jobs). The Jenkins Job DSL sshAgent command always picks the first key, regardless of whether I specify a different key in our Jenkins setup.
I have tried using just the key name, but also tried key_name + space + description (just like the dropdowns show). That does not work either -- still picks the first key.
Is this a known issue? (I haven't turned up any searches for this yet)

You need to pass the ID of the credentials to the sshAgent DSL method. To get the ID, install at least version 1.21 of the Credentials Plugin. Then navigate to the credentials you want to use, e.g. if the credentials you want to use are global and called "Your Credentials" go to Jenkins > Credentials > Global credentials (unrestricted) > Your Credentials > Update. Then click the "Advanced..." button to reveal the ID. If you did not specify a custom ID when creating the credentials, it's a UUID like 99add9e9-84d4-408a-b644-9162a93ee3e4. Then use this value in your DSL script.
job('example') {
    wrappers {
        sshAgent('99add9e9-84d4-408a-b644-9162a93ee3e4')
    }
}
It's recommended to use a recognizable custom ID when creating new credentials, e.g. deployment-key. That will lead to readable DSL scripts.
job('example') {
    wrappers {
        sshAgent('deployment-key')
    }
}

Related

How to specify the GCP Credential Location in application.properties file (for using the Pub/Sub in GCP)?

It seems straightforward to pass the Service Account key file (generated from the GCP console) by specifying the file location in the application.properties file. However, I tried all the following options:
1. spring.cloud.gcp.credentials.location=file:/home/my_user_id/mp6key.json
2. spring.cloud.gcp.credentials.location=file:src/main/resources/mp6key.json
3. spring.cloud.gcp.credentials.location=file:./main/resources/mp6key.json
4. spring.cloud.gcp.credentials.location=file:/src/main/resources/mp6key.json
It all ended up with the same error:
java.io.FileNotFoundException: /home/my_user_id/mp6key.json (No such file or directory)
Could anyone advise where I should put the key file and then how should I specify the path to the file properly?
The same programs run successfully in Eclipse with messages published and subscribed using the Pub/Sub processing from GCP (using the Project Id/Service Account key generated in GCP), but I am now stuck with the above issue after deploying to run on GCP.
As mentioned in the official documentation, the credentials file can be obtained from a number of different locations such as the file system, classpath, URL, etc.
For example, if the service account key file is stored in the classpath as src/main/resources/key.json, pass the following property:
spring.cloud.gcp.credentials.location=classpath:key.json
If the key file is stored somewhere else in your local file system, use the file prefix in the property value:
spring.cloud.gcp.credentials.location=file:<path to key file>
My line looks like this:
spring.cloud.gcp.credentials.location=file:src/main/resources/[my_json_file]
And this works.
The following also works if I put it in the root of the project directory:
spring.cloud.gcp.credentials.location=file:./[my_json_file]
Have you tried to follow this quickstart? Please, try to follow it thoughtfully and explain if you get any error finishing the quickstart.
Anyway, before running your Java script, try running on the console the following (please modify with the exact path where you store your key):
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/mp6key.json"
How are you authenticating your credentials in your Java script?
My answer is easy: if you run your code on GCP, you don't have to use a service account key file. Problem eliminated, problem solved!
More seriously, have a look at service identity. I don't know what your current service is (Compute? Function? Cloud Run?). Anyway, you can attach any service account to GCP components. Then, when you code, simply use the default credential. The component identity is loaded automatically. No key to manage, no key to store securely, no key to rotate!
If you provide more detail on your target platform, I could provide you some guidance to achieve this.
Keep in mind that service account key files are designed to be used by automatic apps (w/o user account involved) hosted outside GCP (on prem, other Cloud Provider, a CI/CD, Apigee,...)
UPDATE
When you use your personal account, you can also use the default credential.
1. Install gcloud SDK on your computer
2. Use the command gcloud auth application-default login
3. Follow the instructions
4. Enjoy!
If it doesn't work, get the <path> displayed after the login command and set this value in the environment variable named GOOGLE_APPLICATION_CREDENTIALS.
If you definitely want to use a service account key file (which is a security issue for the previous reason, but...), you can use it locally:
Either set the json key file path into the GOOGLE_APPLICATION_CREDENTIALS environment variable
Or run this command gcloud auth activate-service-account --key-file=<path to your json key file>
Provided your file is in the resources folder try
file://mp6key.json
using file:// instead of file:/ works for me at least

AWS CLI - How to include sensitive information in 'Systems Manager Run Command'?

Is there a way I can send sensitive information (e.g. password) as part of the 'Run Command' under EC2 Systems Manager Services?
Because the way I see it, every time I run a command against an instance, that command gets logged and is visible from the web console - the command can be viewed.
OR
Is there a way to pull sensitive information within Run command's command from parameter store and not have that value (sensitive info) echoed to the web console?
Thanks in advance.
You'll want to take a look at the Parameter Store feature of Systems Manager. This lets you define parameters, including Secure String parameter values that can be encrypted using a KMS key of your choice. This will take care of sensitive parameters:
http://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html
/Mats

Is it possible to edit configuration nodes in a Node-Red flow?

In Node-Red, I'm using some Amazon Web Services nodes (from module node-red-node-aws), and I would like to read some configuration settings from a file (e.g. the access key ID & the secret key for the S3 nodes), but I can't find a way to set everything up dynamically, as this configuration has to be made in a config node, which can't be used in a flow.
Is there a way to do this in Node-Red?
Thanks!
Unless a node implementation specifically allows for dynamic configuration, this is not something that Node-RED does generically.
One approach I have seen is to have a flow update itself using the admin REST API into the runtime - see https://nodered.org/docs/api/admin/methods/post/flows/
That requires you to first GET the current flow configuration, modify the flow definition with the desired values and then post it back.
That approach is not suitable in all cases; the config node still only has a single active configuration.
Another approach, if the configuration is statically held in a file, is to insert them into your flow configuration before starting Node-RED - ie, have a place-holding config node configuration in the flow that you insert the credentials into.
Finally, you can use environment variables: if you set the configuration node's property to be something like $(MY_AWS_CREDS), then the runtime will substitute that environment variable on start-up.
You can update your package.json start script to start Node-RED with your desired credentials as environment variables:
"scripts": {
    "start": "AWS_SECRET_ACCESS_KEY=<SECRET_KEY> AWS_ACCESS_KEY_ID=<KEY_ID> ./node_modules/.bin/node-red -s ./settings.js"
}
This worked perfectly for me when using the node-red-contrib-aws-dynamodb node. Just leave the credentials in the node blank and they get picked up from your environment variables.

Find the OpsWorks deploy user in a recipe

I'm trying to figure out how to extract or find the name of the user who's performing the deployment of an app on a given OpsWorks stack. For example, in the "Deployments and Commands" section of a stack, the table there displays a history of various deployments with who the deploy user was... etc. I'd like to be able to capture that same user from within my recipe.
It doesn't look like it's something I can grab out of search(:aws_opsworks_app) databag (unless I'm mistaken). Or is there somewhere else I can get this information easily?
It turns out there's a pretty simple way to get it through search(:aws_opsworks_command) databag.
:aws_opsworks_command provides an iam_user_arn attribute which can be massaged to appear as the deployment user's IAM name. An example iam_user_arn string looks like arn:aws:iam:555555:user/username
Example:
owc = search(:aws_opsworks_command).first
owc[:iam_user_arn].split(':').last
# => gets us "user/username"
Documentation: https://docs.aws.amazon.com/opsworks/latest/userguide/data-bag-json-command.html
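Added example (not part of the original answer and not OpsWorks or Chef code): a hypothetical helper, deploy_user_name, that carries the massaging through to the bare user name, copes with IAM paths, and returns nil for values that are not IAM user ARNs, so a recipe never writes an unexpected string into a log line or file path. The sample ARNs are constructed.

```ruby
# Hypothetical helper (assumption, not an OpsWorks/Chef API): reduce an
# iam_user_arn value to the bare IAM user name, or nil if it is not a user ARN.
def deploy_user_name(arn)
  return nil unless arn.is_a?(String)

  fields = arn.strip.split(':')
  # Expect arn:<partition>:iam:...:<resource>; the region field of a real
  # IAM ARN is empty, which split keeps as an empty string.
  return nil unless fields.length >= 5 && fields[0] == 'arn' && fields[2] == 'iam'

  resource = fields.last
  # IAM user resources look like "user/<optional/path/>name".
  return nil unless resource.start_with?('user/')

  name = resource.delete_prefix('user/').split('/').last
  # Accept only characters IAM allows in user names before using the value.
  name if name && name.match?(/\A[\w+=,.@-]{1,64}\z/)
end

# Constructed sample values, not taken from a real stack.
SAMPLE_ARNS = [
  'arn:aws:iam:555555:user/username',               # the string shown above
  'arn:aws:iam::123456789012:user/ops/deploy/alice', # user with an IAM path
  'arn:aws:iam::123456789012:root',                  # not an IAM user
  'arn:aws:sts::123456789012:assumed-role/Admin/s1'  # not an IAM ARN
].freeze

SAMPLE_ARNS.each do |arn|
  puts "#{arn} -> #{deploy_user_name(arn).inspect}"
end
```

In a recipe the argument would be owc[:iam_user_arn] from the search shown above.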

How to set git credentials using credentials parameter

I'm writing a job-dsl seed job. The seed job needs to be able to generate from either github.com or from my company's github enterprise server. I'd like to keep one job rather than have two.
In each case I would like jenkins to be Authenticated. So to do this, I hardcoded the creds into the script. However I'm not satisfied with this. I would prefer to add a Credentials parameter on the seed job.
The problem is, the Creds parameter seems to add an ENV variable to the script that contains USERID/PASSWORD. http://steve-jansen.github.io/blog/2014/12/16/parsing-jenkins-secrets-in-a-shell-script/
However, the git jobdsl seems to want a Credentials ID, not USERID/PASSWORD.
How to resolve this impasse?
scm {
    git {
        remote {
            name('origin')
            url(repo)
            credentials(myCredential)
        }
        branch('master')
    }
}
A good introduction to the way Job DSL handles credentials can be found on the official wiki page.
Two examples explaining how it's possible to pass user password to Jenkins job:
// use the github-ci-key credentials for authentication with GitHub
job('example-1') {
    scm {
        git {
            remote {
                github('account/repo', 'ssh')
                credentials('github-ci-key')
            }
        }
    }
}
// assign the jarsign-keystore credentials to the PASSWORD build variable
job('example-2') {
    wrappers {
        credentialsBinding {
            usernamePassword('PASSWORD', 'jarsign-keystore')
        }
    }
}
Adding to the answer made by Duane above, CredentialID is the unique ID of a credential stored in Jenkins. You can also provide your own ID to identify it in a meaningful way.
Jenkins Credentials
Use this ID shown in the image above in your job-dsl script and it should work for you.
Peace.
Turns out that the premise of the question is false. CredentialsPlugin 1.7 sets the variable to the credentialID.