This document discusses integrating Hashicorp Vault with Jenkins for secrets management in a hybrid cloud scenario. It describes using AWS IAM roles to establish trust between Jenkins and Vault, encapsulating the authentication process in a shared Jenkins library, and provisioning Vault resources like namespaces in an automated fashion. This improves governance, standardizes processes, and provides better security and visibility through integration with tools like Splunk.

1. Hashicorp Vault
And Jenkins
Leveraging AWS IAM to empower a hybrid scenario.

2. There was a time where…
InfoSec team requesting more visibility on secrets usage
in pipelines
Credentials were stored in Jenkins on-premise
Vault in AWS to be integrated
Secret-Zero challenges over approles
Personal Tokens for running our automation

3. What we are going to cover

4. What we are going to cover
Trust
between
Jenkins
and vault

5. What we are going to cover
Trust
between
Jenkins
and vault
Vault
encapsulation
in shared
library

6. What we are going to cover
Trust
between
Jenkins
and vault
Vault
encapsulation
in shared
library
Provision Vault’s
resources in
automated
fashion

7. Senior DevOps Engineer
YNAP
he/him
Piermarco
Zerbini
DevOps Engineer
YNAP
he/him
Kevin
De Notariis

8. q YNAP Ecosystem
q AWS Serverless Solution to Inject Approle Creds in Jenkins
q Governance as Code via Shared Library
q Vault & Cloud Governance
q InfoSec Benefits
Agenda

9. Ø YNAP Ecosystem
q AWS Serverless Solution to Inject Approle Creds in Jenkins
q Governance as Code via Shared Library
q Vault & Cloud Governance
q InfoSec Benefits

10. 01 YNAP Ecosystem
Jenkins & Bitbucket

11. 01 YNAP Ecosystem
Jenkins & Bitbucket
Multi Tenant – Multi branch pipelines

12. 01 YNAP Ecosystem
Jenkins & Bitbucket
Multi Tenant – Multi branch pipelines
Worker Nodes – General purpose

13. 01 YNAP Ecosystem
Jenkins & Bitbucket
Multi Tenant – Multi branch pipelines
Worker Nodes – General purpose
Minimisation of Jenkins’ Configuration Management

14. 01 YNAP Ecosystem
Jenkins & Bitbucket

15. 01 YNAP Ecosystem
Vault Implementation

16. 01 YNAP Ecosystem
Namespace Segregation
Vault Implementation

17. 01 YNAP Ecosystem
Namespace Segregation
Vault’s Administrator à access to Root Namespace
Vault Implementation

18. 01 YNAP Ecosystem
Namespace Segregation
Vault’s Administrator à access to Root Namespace
Organization’s Central teams à access to Next Layer
Vault Implementation

19. 01 YNAP Ecosystem
Namespace Segregation
Vault’s Administrator à access to Root Namespace
Organization’s Central teams à access to Next Layer
Application’s teams à access to Third Layer
Vault Implementation

20. 01 YNAP Ecosystem
Vault Implementation

21. 01 YNAP Ecosystem
Jenkins’ approle
Where should I set the trust between Jenkins and Vault?

22. 01 YNAP Ecosystem
Jenkins’ approle
Where should I set the trust between Jenkins and Vault?
Jenkins Controller à NO à Multi-tenancy

23. 01 YNAP Ecosystem
Jenkins’ approle
Where should I set the trust between Jenkins and Vault?
Jenkins Controller à NO à Multi-tenancy
Jenkins Agents à NO à No dedicated Agents

24. 01 YNAP Ecosystem
Jenkins’ approle
Where should I set the trust between Jenkins and Vault?
Jenkins Controller à NO à Multi-tenancy
Jenkins Agents à NO à No dedicated Agents
Jenkins Project à YES à Need to create a proper mapping

25. 01 YNAP Ecosystem
Jenkins’ approle
Where should I set the trust between Jenkins and Vault?
Jenkins Controller à NO à Multi-tenancy
Jenkins Agents à NO à No dedicated Agents
Jenkins Project à YES à Need to create a proper mapping
Jenkins Pipelines à NO à Cost-efforts/Benefits-balance not worth

27. ü YNAP Ecosystem
Ø AWS Serverless Solution to Inject Approle Creds in Jenkins
q Governance as Code via Shared Library
q Vault & Cloud Governance
q InfoSec Benefits

28. Vault Namespace Deploy
-- The beginning --
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

29. Vault Namespace Deploy
-- The beginning --
02 AWS Serverless Solution to Inject Approle Creds in Jenkins
Namespace deploy via Jenkins using

30. 02 AWS Serverless Solution to Inject Approle Creds in Jenkins
Namespace deploy via Jenkins using
S3 Bucket for Terraform .tfstate on AWS
Vault Namespace Deploy
-- The beginning --

31. 02 AWS Serverless Solution to Inject Approle Creds in Jenkins
Namespace deploy via Jenkins using
S3 Bucket for Terraform .tfstate on AWS
Personal Token manually placed at pipeline runtime
Vault Namespace Deploy
-- The beginning --

32. 02 AWS Serverless Solution to Inject Approle Creds in Jenkins
Namespace deploy via Jenkins using
S3 Bucket for Terraform .tfstate on AWS
Personal Token manually placed at pipeline runtime
Leveraging Jenkins’ Creds Storage
Vault Namespace Deploy
-- The beginning --

33. Trust Manager – Fargate
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

34. Trust Manager – Fargate
Project/Namespace Mapping nsible Inventory
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

35. Trust Manager – Fargate
Project/Namespace Mapping nsible Inventory
Image Created with
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

36. Trust Manager – Fargate
Project/Namespace Mapping nsible Inventory
Image Created with
Defined via IAC
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

37. Trust Manager – Fargate
Project/Namespace Mapping nsible Inventory
Image Created with
Defined via IAC
Vault Agent On-Board
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

38. Set up / Pre-requisites
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

39. Set up / Pre-requisites
Define Trust Manager IAM Role
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

40. IAM Role
logs: createLogStream, putLogEvents
cloudwatch: putMetricData
s3Get*
s3:List*

41. Set up / Pre-requisites
Define Trust Manager IAM Role
Create AWS Auth method in Vault
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

42. TERMINAL
Creating AWS Auth method role
> vault write –namespace=ynap auth/aws/role/trust-manager
auth_type=iam
policies=trust-manager
token_max_ttl=10m
token_ttl=5m
bound_iam_principal_arn=arn:aws:<region>:<account_id>:trustManagerRole

43. Set up / Pre-requisites
Define Trust Manager IAM Role
Create AWS Auth method in Vault
Request the Jenkins’ API Keys
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

44. /(Root)
/ynap
/vault-admin
Jenkins admins
Namespaces
Place API Keys

45. Set up / Pre-requisites
Define Trust Manager IAM Role
Create AWS Auth method in Vault
Request the Jenkins’ API Keys
Team’s Namespaces provisioned
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

46. NAMESPACE=new-namespace
make namespace/add

47. Update inventory 1
NAMESPACE=new-namespace
make namespace/add

48. Update inventory 1
NAMESPACE=new-namespace
make namespace/add
2
Grab template

49. Update inventory 1
NAMESPACE=new-namespace
make namespace/add
2
Grab template 3
Generate
terraform
code

50. Update inventory 1
NAMESPACE=new-namespace
make namespace/add
2
Grab template 3
Generate
terraform
code
4
1. Leverage AWS Auth
Method against /(Root)
2. Deploy Namespace

51. Trust Manager
02 AWS Serverless Solution to Inject Approle Creds in Jenkins

52. 1 Hr
Trust Manager

53. 1 Hr
Trust Manager
1
Login via
AWS Auth Method

54. 1 Hr
Trust Manager
1
Login via
AWS Auth Method
2
Generate
Approle Creds

55. 1 Hr
Trust Manager
1
Login via
AWS Auth Method
2
Generate
Approle Creds
3
Fetch Jenkins’
API Keys

56. 1 Hr
Trust Manager
1
Login via
AWS Auth Method
2
Generate
Approle Creds
3
4
Fetch Jenkins’
API Keys
Inject
Approles

57. 1 Hr
Trust Manager
1
Login via
AWS Auth Method
2
Generate
Approle Creds
3
4
Fetch Jenkins’
API Keys
Inject
Approles

58. 1 Hr
Trust Manager
1
Login via
AWS Auth Method
2
Generate
Approle Creds
3
4
Fetch Jenkins’
API Keys
Inject
Approles

59. 1 Hr
Trust Manager
1
Login via
AWS Auth Method
2
Generate
Approle Creds
3
4
Fetch Jenkins’
API Keys
Inject
Approles

60. 1 Hr
Trust Manager
Uploads
Cloudwatch Custom Metrics
5
1
Login via
AWS Auth Method
2
Generate
Approle Creds
3
4
Fetch Jenkins’
API Keys
Inject
Approles

61. ü YNAP Ecosystem
ü AWS Serverless Solution to Inject Approle Creds in Jenkins
Ø Governance as Code via Shared Library
q Vault & Cloud Governance
q InfoSec Benefits

62. 03 Governance as Code via Shared Library
Governance

63. 03 Governance as Code via Shared Library
Governance
Specific path where AWS creds can be stored in Vault

64. kv
Defined by Vault’s
Administrators & InfoSec
Defined by the InfoSec
and Team giving creds

65. kv
Defined by Vault’s
Administrators & InfoSec
Defined by the InfoSec
and Team giving creds
kv / the-team-giving-creds / aws-creds / aws-account-name
E.g.

66. kv
Defined by Vault’s
Administrators & InfoSec
Defined by the InfoSec
and Team giving creds
kv / the-team-giving-creds / aws-creds / aws-account-name
> Thanks to policy templating with metadata associated to entities
E.g.

67. Capabilities
Admin
List

68. Capabilities
Admin Central Team
List Write

69. Capabilities
Admin Central Team User
List List
Write

70. Capabilities
Admin Central Team User Pipelines
List List
Write Read

71. 03 Governance as Code via Shared Library
Governance
Specific path where AWS creds can be stored in Vault
Specific form of AWS creds secret’s keys

72. 03 Governance as Code via Shared Library
Governance
Specific path where AWS creds can be stored in Vault
Specific form of AWS creds secret’s keys
Specific structure of AWS Account names

73. 03 Governance as Code via Shared Library
Governance
Specific path where AWS creds can be stored in Vault
Specific form of AWS creds secret’s keys
Specific structure of AWS Account names
Namespace <–> Project association

74. 03 Governance as Code via Shared Library
Jenkins Shared Library

75. 03 Governance as Code via Shared Library
Jenkins Shared Library
Seamless integration of AWS Auth using creds stored in vault

76. Easy to use
Simply import the library and leverage
the auth method function.

77. 03 Governance as Code via Shared Library
Jenkins Shared Library
Seamless integration of AWS Auth using creds stored in vault
Encapsulated authentication

83. kv / the-team-giving-creds / aws-creds / aws-account-name

84. kv / the-team-giving-creds / aws-creds / aws-account-name

85. kv / the-team-giving-creds / aws-creds / aws-account-name

86. kv / the-team-giving-creds / aws-creds / aws-account-name

87. 03 Governance as Code via Shared Library
Jenkins Shared Library
Seamless integration of AWS Auth using creds stored in vault
Encapsulated authentication
Centralised way of handling AWS auth via pipelines

88. 03 Governance as Code via Shared Library
Jenkins Shared Library
Seamless integration of AWS Auth using creds stored in vault
Encapsulated authentication
Centralised way of handling AWS auth via pipelines
High maintainability and no refactor needed for stakeholders in
case of authentication changes

89. ü YNAP Ecosystem
ü AWS Serverless Solution to Inject Approle Creds in Jenkins
ü Governance as Code via Shared Library
Ø Vault & Cloud Governance
q InfoSec Benefits

90. Vault & Cloud Governance
04
IAM Provisioning Role

91. Vault & Cloud Governance
04
IAM Provisioning Role
Pipelines interact with AWS via an IAM Provisioning Role (even before Vault)

92. Jenkins Pipelines
Credentials Storage
1
Extract
AWS creds

93. Jenkins Pipelines
Credentials Storage
1
Extract
AWS creds 2
Login

94. Jenkins Pipelines
Credentials Storage
1
Extract
AWS creds 2
Login
Get
Valid
session
3

95. Jenkins Pipelines
Credentials Storage
1
Extract
AWS creds 2
Login
Get
3
Extract
Approle creds
+
Get AWS creds
from vault
Valid
session

96. Vault & Cloud Governance
04
IAM Provisioning Role
Pipelines interact with AWS via an IAM Provisioning Role (even before Vault)
Leverage AWS Auth Method

98. Login via
Approle
Read
Capabilities
1

99. Login via
Approle
Read AWS
Creds
Read
Capabilities
1 2

100. Login via
Approle
Read AWS
Creds
3 Login
Account hosting
Vault’s
infrastructure
Read
Capabilities
1 2

101. Login via
Approle
Read AWS
Creds
3 Login
Account hosting
Vault’s
infrastructure
Read
Capabilities
1 2

102. Login via
Approle
Read AWS
Creds
3 Login
Login via
AWS Auth
method
Account hosting
Vault’s
infrastructure
Read
Capabilities
1
Write
Capabilities
2 4

103. Login via
Approle
Read AWS
Creds
3 Login
Login via
AWS Auth
method
Account hosting
Vault’s
infrastructure
Provision
Read
Capabilities
5
1
Write
Capabilities
2 4

104. Vault & Cloud Governance
04
IAM Provisioning Role
Pipelines interact with AWS via an IAM Provisioning Role (even before Vault)
Leverage AWS Auth Method
Creating Policies, entities, aliases for IAM Provisioning Roles

105. Vault & Cloud Governance
04
IAM Provisioning Role
Pipelines interact with AWS via an IAM Provisioning Role (even before Vault)
Leverage AWS Auth Method
Creating Policies, entities, aliases for IAM Provisioning Roles
Provisioning Vault Namespaces without inserting personal Token…
…Finally

106. ü YNAP Ecosystem
ü AWS Serverless Solution to Inject Approle Creds in Jenkins
ü Governance as Code via Shared Library
ü Vault & Cloud Governance
Ø InfoSec Benefits

107. InfoSec Benefits
05
Splunk Auditing

108. InfoSec Benefits
05
Splunk Auditing
Which namespaces are using AWS Auth method

109. Requests to Login via AWS auth method for each namespace
Query
Pie Chart

110. InfoSec Benefits
05
Which namespaces are using AWS Auth method
See which Bitbucket Projects are using Jenkins Approles
Splunk Auditing

111. Bitbucket Projects Using Jenkins Approles
Query
Pie Chart

112. InfoSec Benefits
05
Which namespaces are using AWS Auth method
See which Bitbucket Projects are using Jenkins Approles
Which namespaces our Trust Manager processed
Splunk Auditing

113. Namespaces Processed by our Trust Manager
Query
Pie Chart

114. InfoSec Benefits
05
Which namespaces are using AWS Auth method
See which Bitbucket Projects are using Jenkins Approles
Which namespaces our Trust Manager processed
AWS credentials read from Vault
Splunk Auditing

115. Namespaces Processed by our Trust Manager
Pie Chart
Query

116. Recap

117. Recap
AWS auth Method + AWS Fargate = Trust Jenkins-Vault

118. Recap
AWS auth Method + AWS Fargate = Trust Jenkins-Vault
Company process enhancement thanks to Vault’s
adoption and governance

119. Recap
AWS auth Method + AWS Fargate = Trust Jenkins-Vault
Company process enhancement thanks to Vault’s
adoption and governance
Company processes encapsulated in shared library

120. Recap
AWS auth Method + AWS Fargate = Trust Jenkins-Vault
Company process enhancement thanks to Vault’s
adoption and governance
Company processes encapsulated in shared library
Provision Vault’s resources in automated fashion

121. Recap
AWS auth Method + AWS Fargate = Trust Jenkins-Vault
Company process enhancement thanks to Vault’s
adoption and governance
Company processes encapsulated in shared library
Provision Vault’s resources in automated fashion
InfoSec visibility

122. Thank You
piermarco.zerbini@ynap.com | kevin.denotariis@ynap.com