HashiCorp Vault and Jenkins: Leveraging AWS IAM to Empower a Hybrid Scenario
Learn about one company's Trust Manager architecture and how it works for integrating Vault with Jenkins
One company wanted to introduce HashiCorp Vault as part of its internal DevOps platform. One of the first use cases was integrating Vault with the company's Jenkins environment, giving its DevOps community a seamless way to authenticate into AWS with a specific provisioning role while maintaining visibility and security over the use of the AD credentials associated with those provisioning roles.
Thanks to Vault's cloud-native capabilities and its native integration with Splunk, they have been able to:
- Solve the "secret zero" challenge of integrating Jenkins with HashiCorp Vault by means of Trust Manager, a containerized application running in Fargate that creates and maintains the AppRole Jenkins uses to access Vault's namespaces. Trust Manager relies on Vault's AWS auth method to solve the secret zero challenge when creating those AppRoles.
- Provide a seamless way to authenticate into AWS accounts within pipelines through a single command, thanks to a Jenkins shared library that abstracts the use of the Jenkins HashiCorp Vault plugin.
- Obtain visibility and governance over the AD credentials associated with an AWS provisioning role, thanks to the native Splunk dashboard for Vault, which shows who is using the credentials, where they are used, and when they were last rotated.
What You'll Learn
- See the company's Jenkins architecture
- See the company's Trust Manager architecture and how it works for integrating Vault with Jenkins
- See the company's HashiCorp Vault namespace structure and how it has been used to implement the Jenkins shared library, giving DevOps engineers an easy way to authenticate into AWS accounts for provisioning infrastructure
- See the Splunk dashboard the company uses to maintain visibility on the credentials of its AWS provisioning service users