This topic reviews how to use the HashiCorp Vault Artifactory Secrets Plugin.
You will need the password of the "admin" user (the user named admin specifically, not just any administrator).
Log into the JFrog Platform UI as "admin".
Under "Welcome, admin" (top right) go to "Edit Profile".
Create the Access Token that Vault will use to interact with Artifactory. In Artifactory 7.x this can be done in the UI under Administration -> User Management -> Access Tokens -> Generate Token (Scoped Token, User name: admin, Service: Artifactory, Expiration time: Never). Or use the Create Token REST API. See get-access-key.sh in the Terraform Artifactory Provider.
Note that username must be admin, otherwise you will not be able to specify different usernames for roles. Save the access_token from the JSON response as the environment variable TOKEN.
vault write artifactory/config/admin \
    url=https://artifactory.example.org/artifactory \
    access_token=$TOKEN
Optionally, rotate the admin token so that only Vault knows it.
vault write -f artifactory/config/rotate
Create a Role (scope for Artifactory < 7.21.1)
vault write artifactory/roles/jenkins \
    username="example-service-jenkins" \
    scope="api:* member-of-groups:ci-server" \
    default_ttl=1h max_ttl=3h
Create a Role (scope for Artifactory >= 7.21.1)
vault write artifactory/roles/jenkins \
    username="example-service-jenkins" \
    scope="applied-permissions/groups:automation" \
    default_ttl=1h max_ttl=3h
The role also supports grant_type=[Optional, default: "client_credentials"] and audience=[Optional, default: @]; see the Create Token REST API.
Note: The scopes supported in Artifactory token requests changed in versions >7.21. Refer to the JFrog documentation for the scopes that apply to your Artifactory version.
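The two role commands above differ only in the scope syntax, which depends on the Artifactory version. The following shell script is an added example, not part of the plugin's documentation: it picks the scope for a given version using the 7.21.1 cut-over and rejects group names that could add extra scopes. The function names and the allowed group-name character set are assumptions.

```shell
#!/bin/sh
# Added example: choose the Vault role scope syntax from the Artifactory
# version. Function names and the group-name whitelist are assumptions.

# version_ge A B -> exit 0 when dotted numeric version A >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        # Compare field by field as numbers, so 7.104 sorts after 7.21.
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# role_scope VERSION GROUP -> prints the scope string for the role.
role_scope() {
    ver=$1 group=$2
    # Fail closed on anything that is not a plain dotted numeric version.
    case $ver in ''|*[!0-9.]*|.*|*.|*..*)
        echo "bad version: $ver" >&2; return 1 ;; esac
    # The scope is a space-separated list, so a group name containing a
    # space would append another scope (for example api:*) to the role.
    case $group in ''|*[!A-Za-z0-9_-]*)
        echo "bad group name: $group" >&2; return 1 ;; esac
    if version_ge "$ver" 7.21.1; then
        printf '%s\n' "applied-permissions/groups:$group"
    else
        printf '%s\n' "api:* member-of-groups:$group"
    fi
}

# role_command VERSION ROLE USERNAME GROUP -> prints the command to review.
role_command() {
    scope=$(role_scope "$1" "$4") || return 1
    printf 'vault write artifactory/roles/%s username="%s" scope="%s" default_ttl=1h max_ttl=3h\n' \
        "$2" "$3" "$scope"
}

# Constructed sample inputs, matching the two role examples on this page.
role_command 7.20.0 jenkins example-service-jenkins ci-server
role_command 7.21.1 jenkins example-service-jenkins automation
```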
vault list artifactory/roles
Keys
----
jenkins

vault read artifactory/token/jenkins
Key                Value
---                -----
lease_id           artifactory/token/jenkins/25jYH8DjUU548323zPWiSakh
lease_duration     1h
lease_renewable    true
access_token       adsdgbtybbeeyh...
role               jenkins
scope              api:* member-of-groups:ci-server