Vault Integration with Jenkins and AWS authentication

HashiCorp Vault is a tool for managing credentials. It supports multiple secrets engines: secrets can be stored, generated dynamically, and, in the case of encryption, keys can be consumed as a service without exposing the underlying key material.

Enabling access to Vault requires installing the hashicorp-vault-plugin and having a running Vault instance. Next, we need to decide which authentication method to use for accessing it. HashiCorp provides multiple authentication methods, and every example we found used AppRole, so I decided to combine an AppRole login with dynamically generated AWS credentials from Vault's AWS secrets engine.

We can call the Vault API either from a custom Groovy method or with plain curl; here we use curl, with jq to parse the JSON responses.

pipeline {
    agent any
    environment {
        VAULT_ADDR = "https://vault_address"
        // Prefer binding these with credentials() rather than literal values in the Jenkinsfile
        ROLE_ID = "ROLE_ID"
        SECRET_ID = "SECRET_ID"
        SECRETS_PATH = "kv/some/path/to_secret"
    }

    stages {
        stage('Stage Login') {
            steps {
                sh '''
                set +x
                export PATH=/usr/local/bin:${PATH}
                # AppRole Auth request: exchange role_id + secret_id for a Vault token
                curl --silent --fail --request POST \
                    --data "role_id=$ROLE_ID" --data "secret_id=$SECRET_ID" \
                    "$VAULT_ADDR/v1/auth/approle/login" > login.json

                VAULT_TOKEN=$(jq -r .auth.client_token login.json)
                # Do not echo the token: it would be written to the build console log
                [ -n "$VAULT_TOKEN" ] && [ "$VAULT_TOKEN" != "null" ] || { echo "Vault AppRole login failed"; exit 1; }
                # Secret read request: dynamic AWS credentials from the aws secrets engine
                curl --silent --fail --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/aws/creds/aws_creds" > session.json
                # Rewrite the Vault response into "export NAME=value" lines (AWS_SESSION_TOKEN is the current name, AWS_SECURITY_TOKEN the legacy one)
                AWS_DATA=$(jq -r '.data | .["AWS_ACCESS_KEY_ID"] = .access_key | .["AWS_SECRET_ACCESS_KEY"] = .secret_key | .["AWS_SESSION_TOKEN"] = .security_token | .["AWS_SECURITY_TOKEN"] = .security_token | del(.access_key, .secret_key, .security_token) | to_entries[] | "export \\(.key)=\\(.value)"' session.json)
                eval "$AWS_DATA"
                aws sts get-caller-identity
                '''
            }
        }
    }
}
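The pipeline above does the JSON handling in a jq one-liner inside a shell step. As an added example, not code from the original post or from the Vault plugin, the following Python shows the same two parsing steps with explicit checks: pull the client token out of an AppRole login response, turn an AWS secrets-engine response into environment variables (both the current AWS_SESSION_TOKEN name and the legacy AWS_SECURITY_TOKEN used in the pipeline), quote the values for a shell `export`, and redact the token for logging instead of echoing it. The two JSON documents are constructed samples that mirror the shape of Vault's `/v1/auth/approle/login` and `/v1/aws/creds/<role>` responses; the field names are Vault's, the values are fake.

```python
"""Parse Vault AppRole login and AWS secrets-engine responses into AWS env vars.

Added example, not code from the original post. Sample documents are constructed.
"""
import json
import shlex

# Constructed sample of a Vault AppRole login response (what login.json holds in the post).
LOGIN_JSON = """{
  "auth": {
    "client_token": "hvs.CAESI-constructed-token-0001",
    "accessor": "constructed-accessor",
    "policies": ["default", "aws-creds-reader"],
    "lease_duration": 3600,
    "renewable": true
  }
}"""

# Constructed sample of a /v1/aws/creds/<role> response (what session.json holds in the post).
CREDS_JSON = """{
  "lease_id": "aws/creds/aws_creds/constructed-lease-id",
  "lease_duration": 3600,
  "renewable": true,
  "data": {
    "access_key": "AKIAEXAMPLE000000001",
    "secret_key": "constructed/secret+key/with/slashes",
    "security_token": "constructed-session-token"
  }
}"""


def client_token_from_login(text: str) -> str:
    """Return auth.client_token from a login response, failing loudly if absent."""
    token = json.loads(text).get("auth", {}).get("client_token")
    if not token:
        raise ValueError("login response has no auth.client_token")
    return token


def aws_env_from_creds(text: str) -> dict:
    """Map the secrets-engine response to AWS environment variable names.

    Mirrors the jq expression in the pipeline: access_key and secret_key are
    mandatory; security_token is only present for STS-backed roles.
    """
    data = json.loads(text).get("data") or {}
    access, secret = data.get("access_key"), data.get("secret_key")
    if not access or not secret:
        raise ValueError("creds response is missing access_key or secret_key")
    env = {"AWS_ACCESS_KEY_ID": access, "AWS_SECRET_ACCESS_KEY": secret}
    token = data.get("security_token")
    if token:
        env["AWS_SESSION_TOKEN"] = token     # current name understood by the AWS CLI
        env["AWS_SECURITY_TOKEN"] = token    # legacy name used in the post's pipeline
    return env


def lease_seconds(text: str) -> int:
    """Lease duration of the issued credentials; a build must finish before it expires."""
    return int(json.loads(text).get("lease_duration", 0))


def export_lines(env: dict) -> list:
    """Shell-safe 'export NAME=value' lines (values quoted, unlike a bare eval)."""
    return [f"export {name}={shlex.quote(value)}" for name, value in env.items()]


def redact(secret: str, keep: int = 4) -> str:
    """Safe form of a secret for log output: prefix, mask, last few characters."""
    if len(secret) <= 2 * keep:
        return "****"
    return f"{secret[:keep]}****{secret[-keep:]}"


if __name__ == "__main__":
    token = client_token_from_login(LOGIN_JSON)
    print("vault token:", redact(token))           # never the full token
    env = aws_env_from_creds(CREDS_JSON)
    print("lease seconds:", lease_seconds(CREDS_JSON))
    for line in export_lines(env):
        name = line.split("=", 1)[0]
        print(name + "=<redacted>")
```

The quoting in `export_lines` is the part the pipeline's unquoted `eval $AWS_DATA` lacks; it matters once a secret value contains characters the shell treats specially.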

You can follow the link below for AppRole integration with Jenkins.

Cloud and Devops Engineer.