How to SSH from Jenkins node to Jenkins node safely?
Problem
We have a Jenkins Job that builds something on node A and then needs to SCP it to node B.
You can just put the SSH keys for node B on node A, and SCP with an execute shell build step; however, I suspect that keeping SSH keys on a Jenkins node is a bad practice, and would like to avoid it.
What is the best practice regarding this use case? Is there a plugin or a feature for this? Should we just install Hashicorp Vault on the node and configure the keys there separately?
Solution
Yes, storing your SSH keys directly on a build node is a bad practice. Nodes can be replicated, deleted, or accessed from other systems, and you don't want to lose track of which systems have access to your secrets.
You should also not pass them directly into the build job, either as a parameter or as an environment variable. This can cause a huge headache with logging and tracking to make sure your keys aren't inadvertently output to places they shouldn't be. Instead, you should:
- Use a centralized secret store (such as Hashicorp Vault) to retrieve the secrets at build run-time.
- Use a plugin (such as the Credentials or SSH Credentials Plugin) to reference the keys during the build.
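As an added example that is not part of the original answer, here is a declarative Jenkinsfile using the Credentials Binding plugin's `sshUserPrivateKey` binding: the private key lives in the Jenkins credential store as an "SSH Username with private key" credential, is written to a temporary file on node A only for the duration of the block, and its value is masked in the console log. The credential id, host name, artifact path and build command are assumed placeholders, and node B's host key is assumed to already be in the agent's known_hosts.

```groovy
pipeline {
    agent { label 'node-a' }   // build agent name: assumed placeholder
    environment {
        // Destination on node B: assumed placeholders, not secrets.
        NODE_B_HOST = 'node-b.example.internal'
        NODE_B_DIR  = '/srv/artifacts'
    }
    stages {
        stage('Build') {
            steps {
                sh 'make dist'   // assumed to produce dist/app.tar.gz
            }
        }
        stage('Copy to node B') {
            steps {
                // 'node-b-deploy-key' is the id of an "SSH Username with private key"
                // credential in Jenkins (assumed). Jenkins writes the key to a temp
                // file, exports its path as $SSH_KEY, and deletes it when the block ends.
                withCredentials([sshUserPrivateKey(credentialsId: 'node-b-deploy-key',
                                                   keyFileVariable: 'SSH_KEY',
                                                   usernameVariable: 'SSH_USER')]) {
                    // Triple single quotes: Groovy does not interpolate, so the key path
                    // and user are expanded by the shell at run time, never embedded in
                    // the pipeline script. BatchMode + StrictHostKeyChecking make the
                    // copy fail closed instead of prompting or trusting an unknown host.
                    sh '''
                        scp -i "$SSH_KEY" \
                            -o BatchMode=yes \
                            -o StrictHostKeyChecking=yes \
                            dist/app.tar.gz "$SSH_USER@$NODE_B_HOST:$NODE_B_DIR/"
                    '''
                }
            }
        }
    }
}
```

The same pattern works with the SSH Agent plugin's `sshagent(credentials: ['node-b-deploy-key']) { ... }` block, which loads the key into an agent process instead of a temp file; either way no key material is left on node A after the step finishes.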
Context
StackExchange DevOps Q#9040, answer score: 5