What feature do you want to see added?
Hi,
I was wondering if it was possible to add option to limit scope of the individual credentials.
For example in Jenkins instance there could be multiple projects with different security concerns, e.g. admin account for logging remote computers.
In Global credentials store there could be credentials that we only want to use in that security concern.
Unfortunately keeping such credentials in Global store has risk of someone unauthorized to use or sniff those credentials.
Solution for such situation could be "filter" for Jobs/Folders authorized to use affected credential. It could look similar to role-based authorization strategy items roles, where you assign regex pattern.
Alternative could be to have separate stores, and additional stores could have different permissions.
Why not folder scoped credentials? Unfortunately it doesn't work well with JCASC and other credential plugins(e.g. Azure KeyVault) have difficulty implementing folder scoped credentials
With such solution it would be easy to resolve issues like those:
With option to limit access of the credential, many of the needed use cases would be resolved. For Azure KeyVault plugin alternative implementation could be as simple as defining new label in secret.
Another benefit would be option to limit access to credentials used only in global configuration.
Many plugins use credentials only to supply global configuration, e.g. Azure KeyVault, JFrog, etc.
In such cases admins could limit usage of mentioned credential
Upstream changes
No response
Are you interested in contributing this feature?
No response
What feature do you want to see added?
Hi,
I was wondering if it was possible to add option to limit scope of the individual credentials.
For example in Jenkins instance there could be multiple projects with different security concerns, e.g. admin account for logging remote computers.
In Global credentials store there could be credentials that we only want to use in that security concern.
Unfortunately keeping such credentials in Global store has risk of someone unauthorized to use or sniff those credentials.
Solution for such situation could be "filter" for Jobs/Folders authorized to use affected credential. It could look similar to role-based authorization strategy items roles, where you assign regex pattern.
Alternative could be to have separate stores, and additional stores could have different permissions.
Why not folder scoped credentials? Unfortunately it doesn't work well with JCASC and other credential plugins(e.g. Azure KeyVault) have difficulty implementing folder scoped credentials
With such solution it would be easy to resolve issues like those:
With option to limit access of the credential, many of the needed use cases would be resolved. For Azure KeyVault plugin alternative implementation could be as simple as defining new label in secret.
Another benefit would be option to limit access to credentials used only in global configuration.
Many plugins use credentials only to supply global configuration, e.g. Azure KeyVault, JFrog, etc.
In such cases admins could limit usage of mentioned credential
Upstream changes
No response
Are you interested in contributing this feature?
No response