Added Runtime Configuration of STS Token Duration

By enabling runtime configuration of the STS token duration, this enables a shorter token duration to be defined by default on a Jenkins master, but enables users to explicilty request a longer session token for longer running jobs. This helps to ensure that the credential lifetime is only as long as necessary.
jenkinsci · Jun 13, 2019 · 7e201fb · 7e201fb
1 parent 4f6e283
commit 7e201fb
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 6 deletions.
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java b/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java
@@ -126,6 +126,10 @@ public boolean requiresToken() {
     }
 
     public AWSCredentials getCredentials() {
+        return getCredentials(this.getStsTokenDuration());
+    }
+
+    public AWSCredentials getCredentials(int stsTokenDuration) {
         AWSCredentials initialCredentials = new BasicAWSCredentials(accessKey, secretKey.getPlainText());
 
         if (StringUtils.isBlank(iamRoleArn)) {
@@ -158,7 +162,7 @@ public AWSCredentials getCredentials() {
             }
 
             AssumeRoleRequest assumeRequest = createAssumeRoleRequest(iamRoleArn)
-                    .withDurationSeconds(this.getStsTokenDuration());
+                    .withDurationSeconds(stsTokenDuration);
 
             AssumeRoleResult assumeResult = client.assumeRole(assumeRequest);
 

diff --git a/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AmazonWebServicesCredentials.java b/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AmazonWebServicesCredentials.java
@@ -45,6 +45,7 @@ public interface AmazonWebServicesCredentials extends StandardCredentials, AWSCr
     String getDisplayName();
 
     AWSCredentials getCredentials(String mfaToken);
+    AWSCredentials getCredentials(int stsTokenDuration);
 
     /**
      * Our name provider.
@@ -61,5 +62,4 @@ public String getName(@NonNull AmazonWebServicesCredentials c) {
             return c.getDisplayName() + (description != null ? " (" + description + ")" : "");
         }
     }
-
 }
diff --git a/...ava/com/cloudbees/jenkins/plugins/awscredentials/AmazonWebServicesCredentialsBinding.java b/...ava/com/cloudbees/jenkins/plugins/awscredentials/AmazonWebServicesCredentialsBinding.java
@@ -27,9 +27,7 @@
 
 import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.AWSSessionCredentials;
-import com.amazonaws.auth.BasicSessionCredentials;
 
-import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
 import hudson.Extension;
@@ -41,6 +39,7 @@
 import org.jenkinsci.plugins.credentialsbinding.BindingDescriptor;
 import org.jenkinsci.plugins.credentialsbinding.MultiBinding;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.DataBoundSetter;
 
 import javax.annotation.Nonnull;
 import java.io.IOException;
@@ -63,6 +62,8 @@ public class AmazonWebServicesCredentialsBinding extends MultiBinding<AmazonWebS
     private final String accessKeyVariable;
     @NonNull
     private final String secretKeyVariable;
+    @Nullable
+    private volatile Integer stsTokenDuration;
 
     /**
      *
@@ -87,14 +88,30 @@ public String getSecretKeyVariable() {
         return secretKeyVariable;
     }
 
+    @Nullable
+    public Integer getStsTokenDuration() {
+        return this.stsTokenDuration;
+    }
+
+    @DataBoundSetter
+    public void setStsTokenDuration(@Nullable Integer stsTokenDuration) {
+        this.stsTokenDuration = stsTokenDuration;
+    }
+
     @Override
     protected Class<AmazonWebServicesCredentials> type() {
         return AmazonWebServicesCredentials.class;
     }
 
     @Override
     public MultiEnvironment bind(@Nonnull Run<?, ?> build, FilePath workspace, Launcher launcher, TaskListener listener) throws IOException, InterruptedException {
-        AWSCredentials credentials = getCredentials(build).getCredentials();
+        AmazonWebServicesCredentials credentialRetriever = getCredentials(build);
+        AWSCredentials credentials = null;
+        if (stsTokenDuration != null) {
+            credentials = credentialRetriever.getCredentials(stsTokenDuration);
+        } else {
+            credentials = credentialRetriever.getCredentials();
+        }
         Map<String,String> m = new HashMap<String,String>();
         m.put(accessKeyVariable, credentials.getAWSAccessKeyId());
         m.put(secretKeyVariable, credentials.getAWSSecretKey());

diff --git a/...sources/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl/credentials.jelly b/...sources/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl/credentials.jelly
@@ -43,7 +43,7 @@
       <f:entry title="${%MFA Token}" field="iamMfaToken">
         <f:textbox/>
       </f:entry>
-      <f:entry title="${%STS Token Duration (sec)}" field="stsTokenDuration">
+      <f:entry title="${%Default STS Token Duration (sec)}" field="stsTokenDuration">
         <f:textbox default="${descriptor.DEFAULT_STS_TOKEN_DURATION}"/>
       </f:entry>
     </f:advanced>

diff --git a/...jenkins/plugins/awscredentials/AmazonWebServicesCredentialsBinding/config-variables.jelly b/...jenkins/plugins/awscredentials/AmazonWebServicesCredentialsBinding/config-variables.jelly
@@ -30,4 +30,7 @@ THE SOFTWARE.
   <f:entry title="${%Secret Key Variable}" field="secretKeyVariable">
     <f:textbox default="AWS_SECRET_ACCESS_KEY"/>
   </f:entry>
+  <f:entry title="${%STS Token Duration Override}" field="stsTokenDuration">
+    <f:textbox />
+  </f:entry>
 </j:jelly>
diff --git a/...ins/plugins/awscredentials/AmazonWebServicesCredentialsBinding/help-stsTokenDuration.html b/...ins/plugins/awscredentials/AmazonWebServicesCredentialsBinding/help-stsTokenDuration.html
@@ -0,0 +1,27 @@
+<!--
+  ~ The MIT License
+  ~
+  ~  Copyright (c) 2015, CloudBees, Inc.
+  ~
+  ~  Permission is hereby granted, free of charge, to any person obtaining a copy
+  ~  of this software and associated documentation files (the "Software"), to deal
+  ~  in the Software without restriction, including without limitation the rights
+  ~  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  ~  copies of the Software, and to permit persons to whom the Software is
+  ~  furnished to do so, subject to the following conditions:
+  ~
+  ~  The above copyright notice and this permission notice shall be included in
+  ~  all copies or substantial portions of the Software.
+  ~
+  ~  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  ~  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  ~  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+  ~  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  ~  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  ~  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+  ~  THE SOFTWARE.
+  ~
+  -->
+<div>
+    Override the STS Token Duration for these credentials. <i>(optional)</i>
+</div>