Use the Hashicorp Vault Artifactory Secrets Plugin

JFrog Integrations Documentation

Content Type

This topic reviews how to use the use the Hashicorp Vault Artifactory Secrets Plugin.

You will need the "admin" user's password (not an admin, but admin specifically).

  1. Log into the JFrog Platform UI as "admin".

  2. Under "Welcome, admin" (top right) go to "Edit Profile".

  3. Create the Access Token that Vault will use to interact with Artifactory. In Artifactory 7.x this can be done in the UI Administration -> User Management -> Access Tokens -> Generate Token. (Scoped Token, User name: admin, Service: Artifactory, Expiration time: Never). Or use the Create Token REST API. See in Terraform Artifactory Provider.Create Token

Note that username must be admin otherwise you will not be able to specify different usernames for roles. Save the access_token from the JSON response as the environment variable TOKEN.

vault write artifactory/config/admin \
    url= \
  • Optionally, rotate the admin token, so that only vault knows it.

vault write -f artifactory/config/rotate
  • Create a Role (scope for Artifactory < 7.21.1)

vault write artifactory/roles/jenkins \
    username="example-service-jenkins" \
    scope="api:* member-of-groups:ci-server" \
    default_ttl=1h max_ttl=3h
  • Create a role (scope for Artifactory >= 7.21.1)

vault write artifactory/roles/jenkins \
    username="example-service-jenkins" \
    scope="applied-permissions/groups:automation " \
    default_ttl=1h max_ttl=3h

Also supports grant_type=[Optional, default: "client_credentials"], and audience=[Optional, default: @] see Create Token REST API.Create Token

Note : There are some changes in the scopes supported in Artifactory request >7.21. Refer to the JFrog documentation for the same according to the Artifactory version.

vault list artifactory/roles

vault read artifactory/token/jenkins

Key                Value
---                -----
lease_id           artifactory/token/jenkins/25jYH8DjUU548323zPWiSakh
lease_duration     1h
lease_renewable    true
access_token       adsdgbtybbeeyh...
role               jenkins
scope              api:* member-of-groups:ci-server