We use the Vault plugin in our pipeline to read credentials from Vault. Now we also want to generate TLS certificates with Vault's PKI engine. For that I need the AppRole secret ID for Jenkins in my pipeline file. The secret is configured in Jenkins as 'Vault App Role Credential' and I don't know how to access it.
What I'd like to do is something like this:
    withCredentials([VaultAppRoleCredential(credentialsId: 'vault_credentials', roleIdVariable: 'roleId', secretIdVariable: 'secretId')]) {
        stage('generate certificate') {
            // authenticate with credentials against Vault
            // ...
        }
    }
My workaround at the moment is to duplicate the credentials and store the roleId and secretId additionally in a username+password credential in Jenkins.
Here is my working example of how to use a Vault token credential and use it to access Vault secrets:
    // Specify how to access secrets in Vault
    def configuration = [
        vaultUrl: 'https://hcvault.global.nibr.novartis.net',
        vaultCredentialId: 'poc-vault-token',
        engineVersion: 2
    ]
    def secrets = [
        [path: 'secret/projects/intd/common/accounts', engineVersion: 2, secretValues: [
            [vaultKey: 'TEST_SYS_USER'],
            [vaultKey: 'TEST_SYS_PWD']
        ]]
    ]
    ... [omitted pipeline]
    stage('Get Vault Secrets') {
        steps {
            script {
                withCredentials([
                    [$class: 'VaultTokenCredentialBinding', credentialsId: 'poc-vault-token',
                     vaultAddr: 'https://hcvault.global.nibr.novartis.net'],
                    usernamePassword(credentialsId: 'artifactory-jenkins-user-password',
                                     usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')
                ]) {
                    withVault([configuration: configuration, vaultSecrets: secrets]) {
                        // Single-quoted script: the shell expands the variables, so the
                        // secret values are not interpolated into the Groovy string (Jenkins
                        // warns about that, since it can leak them into the build log).
                        sh '''
                            echo "$VAULT_ADDR" > hcvault-address.txt
                            echo "$VAULT_TOKEN" > hcvault-token.txt
                            echo "$TEST_SYS_USER" > sys-user-account.txt
                        '''.stripIndent()
                    }
                }
            }
        }
    }
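The questioner's workaround carried through to the certificate the question asks for, as an added example that is not part of the question or the answer above: the AppRole role_id and secret_id sit in a Jenkins username+password credential (assumed id 'vault-approle'), the pipeline logs in over Vault's HTTP API and asks the PKI engine (assumed mounted at 'pki' with a role named 'jenkins') for a certificate. The Vault address and common name are constructed placeholders, and curl and jq are assumed to be on the agent.

```groovy
// Added example: the questioner's workaround carried through to a certificate.
pipeline {
    agent any
    environment {
        VAULT_ADDR = 'https://vault.example.com'   // constructed placeholder address
        PKI_ROLE   = 'jenkins'                     // assumed PKI role name
        CERT_CN    = 'build.example.com'           // constructed common name
    }
    stages {
        stage('generate certificate') {
            steps {
                // role_id/secret_id held in a username+password credential (assumed id)
                withCredentials([usernamePassword(credentialsId: 'vault-approle',
                        usernameVariable: 'VAULT_ROLE_ID', passwordVariable: 'VAULT_SECRET_ID')]) {
                    // Single-quoted script: the shell expands the variables, so the secrets
                    // never pass through Groovy string interpolation (a build-log leak risk).
                    sh '''
                        set -eu
                        set +x   # do not echo commands that carry secret values

                        # 1. AppRole login; the token lives only in a shell variable
                        login=$(jq -n --arg r "$VAULT_ROLE_ID" --arg s "$VAULT_SECRET_ID" '{role_id:$r,secret_id:$s}')
                        VAULT_TOKEN=$(curl -sSf -X POST -d "$login" "$VAULT_ADDR/v1/auth/approle/login" | jq -r '.auth.client_token')
                        if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = null ]; then
                            echo "AppRole login failed" >&2; exit 1
                        fi

                        # 2. Ask the PKI engine (assumed mount 'pki') for a short-lived cert
                        req=$(jq -n --arg cn "$CERT_CN" '{common_name:$cn,ttl:"24h"}')
                        curl -sSf -H "X-Vault-Token: $VAULT_TOKEN" -X POST -d "$req" "$VAULT_ADDR/v1/pki/issue/$PKI_ROLE" > issue.json

                        # 3. Split the response; the private key file is owner-readable only
                        (umask 077; jq -r .data.private_key issue.json > tls.key)
                        jq -r .data.certificate issue.json > tls.crt
                        jq -r .data.issuing_ca  issue.json > ca.crt
                        rm -f issue.json   # it held the private key as well

                        # 4. Revoke the token now rather than leaving it valid until its TTL
                        curl -sSf -H "X-Vault-Token: $VAULT_TOKEN" -X POST "$VAULT_ADDR/v1/auth/token/revoke-self"
                    '''
                }
            }
        }
    }
}
```

The token never touches the workspace, so unlike the answer's hcvault-token.txt there is nothing to clean up or to be archived by accident.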