Skip to content

Limit scope of the individual credentials #1045

Description

@novinxy

What feature do you want to see added?

Hi,

I was wondering if it was possible to add option to limit scope of the individual credentials.

For example in Jenkins instance there could be multiple projects with different security concerns, e.g. admin account for logging remote computers.
In Global credentials store there could be credentials that we only want to use in that security concern.
Unfortunately keeping such credentials in Global store has risk of someone unauthorized to use or sniff those credentials.
Solution for such situation could be "filter" for Jobs/Folders authorized to use affected credential. It could look similar to role-based authorization strategy items roles, where you assign regex pattern.

Alternative could be to have separate stores, and additional stores could have different permissions.

Why not folder scoped credentials? Unfortunately it doesn't work well with JCASC and other credential plugins(e.g. Azure KeyVault) have difficulty implementing folder scoped credentials

With such solution it would be easy to resolve issues like those:

With option to limit access of the credential, many of the needed use cases would be resolved. For Azure KeyVault plugin alternative implementation could be as simple as defining new label in secret.

Another benefit would be option to limit access to credentials used only in global configuration.
Many plugins use credentials only to supply global configuration, e.g. Azure KeyVault, JFrog, etc.
In such cases admins could limit usage of mentioned credential

Upstream changes

No response

Are you interested in contributing this feature?

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Fields

    No fields configured for Enhancement.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions