Jenkins

The Conjur Jenkins plugin retrieves secrets from Conjur for use in Jenkins pipeline code or Freestyle projects.

Overview

The conjur-credentials-plugin makes secrets stored in an existing Conjur database available to Jenkins jobs. Jenkins jobs can authenticate to Conjur and access specific secret values for which they have authorization. You store and manage the secrets in Conjur.

We provide the plugin binary, which you install and configure on your Jenkins host.

On the Conjur side, you load Conjur policy that defines the following: 

  • One or multiple Jenkins hosts. For example, you might define separate hosts for each Jenkins pipeline.
  • Privileges for those hosts to authenticate to Conjur.
  • Conjur variables that will hold the secret values. Those secrets will be loaded and managed in Conjur. For supported variable types, policy can define automatic rotation.
  • Privileges for Jenkins hosts to access the variables.

When all configurations are in place, Jenkins pipelines and projects simply reference a Conjur variable using a configured Jenkins ID.

Benefits

The Conjur Jenkins integration provides the following advantages to Jenkins DevOps administrators:

Advantage

Description

Security

Secret values are stored and obtained securely. Secrets are not exposed in Jenkins jobs or referenced files.

Central management

Secrets are managed in a central location, either in Conjur or in the CyberArk Vault if you are using the Vault Conjur Synchronizer.

Automatic rotation

Secret value rotations are recommended for security. Conjur handles rotation so that no changes are required on the Jenkins side.

Segregation of duties

The plugin isolates Jenkins DevOps administrators from secrets management.

Flexibility

The plugin supports Jenkins scripts or projects. It supports global or folder-specific configurations.

Simplification

The plugin simplifies Jenkins job and project creation by requiring only a reference ID to a secret.

Familiarity

You configure the plugin using the Jenkins UI, a familiar interface for Jenkins users.

In this section:

 
True