NullPointerException using Context aware credential store using Conjur plugin 1.0.15

I am using a Jenkins instance 2.375.2 and Conjur plugin 1.0.15 to run my multi-branch pipeline.
I am able to refresh credential store and see my secrets sync’d in the ‘credentials’ tab in Jenkins UI.

But when I try to fetch them using conjurSecretCredential in my Jenkinsfile, I get the following call stack:

java.lang.NullPointerException
	at org.conjur.jenkins.conjursecrets.ConjurSecretCredentials.credentialWithID(ConjurSecretCredentials.java:185)
	at org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding.getCredentialsFor(ConjurSecretCredentialsBinding.java:157)
	at org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding.bind(ConjurSecretCredentialsBinding.java:90)
	at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:132)
	at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

How do I get more logging? How do you suggest I proceed? Any tips are appreciated.

Thanks!

Hello @digital_pollen,

What does the code look like that you are running? What logs are you seeing on the Conjur side?

There may be something different than what the Conjur plugin natively supports, that you are trying to achieve.

Hope this helps!

My Jenkinsfile code looks like so:

stage('deploy') {
    steps {
        script {
            // Credential IDs as listed in the context-aware Conjur credential store
            def AWS_ACCESS_KEY_ID_CONJUR_CREDENTIAL_ID = '<path-topassword-as-shown-in-context-credential-store>'
            def AWS_SECRET_ACCESS_KEY_CONJUR_CREDENTIAL_ID = '<path-topassword-as-shown-in-context-credential-store>'
            def MY_USER_CONJUR_CREDENTIAL_ID = '<path-topassword-as-shown-in-context-credential-store>'
            def MY_PASSWORD_CONJUR_CREDENTIAL_ID = '<path-topassword-as-shown-in-context-credential-store>'

            // Bind each Conjur secret to an environment variable for the enclosed steps
            withCredentials([
                conjurSecretCredential(
                    credentialsId: AWS_ACCESS_KEY_ID_CONJUR_CREDENTIAL_ID,
                    variable: 'AWS_ACCESS_KEY_ID'),
                conjurSecretCredential(
                    credentialsId: AWS_SECRET_ACCESS_KEY_CONJUR_CREDENTIAL_ID,
                    variable: 'AWS_SECRET_ACCESS_KEY'),
                conjurSecretCredential(
                    credentialsId: MY_USER_CONJUR_CREDENTIAL_ID,
                    variable: 'MY_USER'),
                conjurSecretCredential(
                    credentialsId: MY_PASSWORD_CONJUR_CREDENTIAL_ID,
                    variable: 'MY_PASSWORD')]) {
                // Single-quoted Groovy string: the shell, not Groovy, expands the secret variables
                sh '''
                    AWS_ACCESS_KEY="${AWS_ACCESS_KEY_ID}" AWS_SECRET_KEY="${AWS_SECRET_ACCESS_KEY}" ansible-playbook ./ansible/my_script.yaml --extra-vars "my_user=${MY_USER} my_password=${MY_PASSWORD} my_aws_access_key_id=${AWS_ACCESS_KEY_ID} my_aws_secret_key=${AWS_SECRET_ACCESS_KEY}"
                '''
            }
        }
    }
}

Let me try to grab the logs as well. That’s owned by another team.

Our Jenkins system log looks like:

Setting variable to AWS_ACCESS_KEY_ID
Jun 23, 2023 1:55:00 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
Setting variable to AWS_SECRET_ACCESS_KEY
Jun 23, 2023 1:55:00 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
Setting variable to MY_USER
Jun 23, 2023 1:55:00 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
Setting variable to MY_PASSWORD
Jun 23, 2023 1:55:00 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
**** binding **** : mymulti-branch-pipeline/my-branch #2

Conjur logs:

USERNAME_MISSING failed to authenticate with authenticator authn-jwt service prod:webservice:conjur/authn-jwt/<our service ID>: CONJ00007E 'host/jenkins-projects/<multi-branch pipeline name>/<branch-name>’ not found

jenkins-projects/<multi-branch pipeline>:	jenkins-projects/<multi-branch pipeline> successfully authenticated with authenticator authn-jwt service prod:webservice:conjur/authn-jwt/<service ID>

What does the policy look like under “jenkins-projects/” (please redact any customer/internal information), also, what does the policy look like for “authn-jwt/”?

Does the 'host/jenkins-projects/< multi-branch pipeline name>/< branch-name>’ exist in policy? If so, does it have read and authenticate permissions to the JWT Jenkins authenticator service ID? What about host permissions to the variables?

Does the Conjur server this is authenticating against trust the Jenkins Certificate?

Hope this helps!

What does the policy look like under “jenkins-projects/” (please redact any customer/internal)

- !host
  id: <multi-branch pipeline>
  annotations:
    jenkins: true
    authn-jwt/<service ID>/jenkins_task_noun: Scan
    authn-jwt/<service ID>/identity: jenkins-projects-<multi-branch pipeline>
- !grant
  role: !group authn
  members: !host <multi-branch pipeline>

- !grant
  role: !group consumers
  member: !host /jenkins-projects/<multi-branch pipeline>

Does the 'host/jenkins-projects/< multi-branch pipeline name>/< branch-name>’ exist in policy? If so, does it have read and authenticate permissions to the JWT Jenkins authenticator service ID? What about host permissions to the variables?

– Pipeline name exists in policy and it has authentication permission to JWT authenticator and host has Read, write permissions to secrets

Our fine Jenkins system logs

Setting store context
Jul 12, 2023 9:20:10 AM FINEST org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsImpl
Setting store context
Jul 12, 2023 9:20:16 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
Setting variable to AWS_ACCESS_KEY_ID
Jul 12, 2023 9:20:16 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
Setting variable to AWS_SECRET_ACCESS_KEY
Jul 12, 2023 9:20:16 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
**** binding **** : <multi-branch pipeline>/<branch> #6
Jul 12, 2023 9:20:16 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
Store detailsorg.conjur.jenkins.credentials.ConjurCredentialStore@a7ecee0
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
Calling getCredential For1<multi-branch pipeline> » <branch name> #6
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
Item Name<multi-btranch pipeline>
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding
CredentialId after removing ${}<password path>
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
* Context Id not null>>>:#6
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
* Context Id >>>:hudson.model.Hudson@4a935369
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Get all jobs<multi-btranch pipeline>/<branch> #6
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Inside Conjur Credentials>>#6
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Child Folderorg.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject@60c8e572[<multi-btranch pipeline>]>>>>>>2
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
From Binding Credential to Jenkins
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
NOT FOUND at Jenkins Instance Level!
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Inside not Conjur Credentials>><multi-btranch pipeline>
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Inside not conjur credentials final foldernull
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Returning the Credentialsnull
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
printing value
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
From Binding Credentialnull
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Inside Credentials not null
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Back to the for loop tocheck for the parent level
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
From Binding Credential to Jenkins
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Returning the Credentialsnull
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
From Binding Credentialnull
Jul 12, 2023 9:20:17 AM FINE org.conjur.jenkins.conjursecrets.ConjurSecretCredentials
Inside Credentials not null
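
Added example, not part of the thread or of the Conjur plugin: a small triage script that reads Conjur log lines in the CONJ00007E format quoted above, extracts the host identity authn-jwt tried to resolve, and reports the closest host that does exist in policy (here, the pipeline-level host from the posted policy). The sample log lines, the service ID and the host names are constructed placeholders.

```python
import re

# Failure line format taken from the Conjur log quoted in the thread.
# Straight and curly quotes are both accepted because the post mixes them.
NOT_FOUND = re.compile(r"CONJ00007E\s+['‘]host/(?P<host>[^'’]+)['’]\s+not found")


def missing_hosts(conjur_log_lines):
    """Host ids that authn-jwt derived from the JWT but could not find, in order."""
    seen = []
    for line in conjur_log_lines:
        match = NOT_FOUND.search(line)
        if match and match.group("host") not in seen:
            seen.append(match.group("host"))
    return seen


def nearest_defined_ancestor(host_id, defined_hosts):
    """Walk up the path (branch -> pipeline -> folder) to the closest host in policy."""
    parts = host_id.split("/")
    for end in range(len(parts) - 1, 0, -1):
        candidate = "/".join(parts[:end])
        if candidate in defined_hosts:
            return candidate
    return None


def triage(conjur_log_lines, defined_hosts):
    """Pair each identity Conjur rejected with the closest host defined in policy."""
    return [(host, nearest_defined_ancestor(host, defined_hosts))
            for host in missing_hosts(conjur_log_lines)]


# Constructed sample input: same shape as the log lines and policy in the thread.
SAMPLE_LOG = [
    "USERNAME_MISSING failed to authenticate with authenticator authn-jwt service "
    "prod:webservice:conjur/authn-jwt/example-service: CONJ00007E "
    "'host/jenkins-projects/example-pipeline/feature-x' not found",
    "jenkins-projects/example-pipeline successfully authenticated with authenticator "
    "authn-jwt service prod:webservice:conjur/authn-jwt/example-service",
]
DEFINED_HOSTS = {"jenkins-projects/example-pipeline"}  # hosts declared in policy

if __name__ == "__main__":
    for requested, ancestor in triage(SAMPLE_LOG, DEFINED_HOSTS):
        print(f"requested host: {requested}")
        print(f"closest host in policy: {ancestor}")
```

A row whose requested host is one path segment deeper than the closest host in policy shows that the branch-level job presented an identity the policy does not define, which is the mismatch the CONJ00007E line reports.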