@kisztof
Last active April 14, 2021 09:07
Jenkins + Hashicorp Vault
Vault setup commands:

```shell
# Mount a KV v2 engine: the Jenkinsfile below uses engineVersion: 2, and a plain
# `vault secrets enable kv` would mount v1, whose read path differs (no /data/ segment)
vault secrets enable -path=secret_storage -version=2 kv
# The key name must match the vaultKey referenced in the Jenkinsfile
vault kv put secret_storage/test1 key1="val1"
vault policy write jenkins policy.hcl
vault auth enable approle
# Short-lived, single-use secret-id; tokens expire after 96h or 10 uses
vault write auth/approle/role/jenkins \
    secret_id_ttl=48h \
    token_num_uses=10 \
    token_ttl=96h \
    token_max_ttl=96h \
    secret_id_num_uses=1 \
    policies=jenkins
# Export the role-id / secret-id pair that becomes the Jenkins AppRole credential
vault read -format=json auth/approle/role/jenkins/role-id > role.json
vault write -format=json -f auth/approle/role/jenkins/secret-id > secretid.json
```
policy.hcl:

```hcl
# Lets the token mint new secret-ids for the jenkins role (only needed if Jenkins rotates its own secret-id)
path "auth/approle/role/jenkins/secret-id" {
  capabilities = ["create", "update"]
}
# A trailing "*" is a prefix match, so this also covers the KV v2 secret_storage/data/... paths
path "secret_storage/*" {
  capabilities = ["read", "create", "update"]
}
```
Jenkins pipeline:

```groovy
node('master') {
    stage('Test Vault Connection') {
        withVault(
            configuration: [
                engineVersion: 2,
                timeout: 60,
                // Jenkins credential of type AppRole (role-id, secret-id pair)
                // https://plugins.jenkins.io/hashicorp-vault-plugin/
                vaultCredentialId: 'VAULT_CREDENTIALS',
                vaultUrl: 'http://127.0.0.1:8200'
            ],
            vaultSecrets: [
                [
                    path: 'secret_storage/test1',
                    secretValues: [[envVar: 'test1', vaultKey: 'key1']]
                ]
            ]
        ) {
            sh 'echo $test1'
        }
    }
}
```
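What the withVault step does with this configuration, as an added illustration that is not part of the gist or of the plugin's code: it logs in with the role-id/secret-id pair from role.json and secretid.json, reads the configured path (under /data/ when engineVersion is 2), and maps each vaultKey to its envVar. The ids and response bodies below are constructed placeholders.

```python
import json

# Constructed samples of what `vault read -format=json .../role-id` and
# `vault write -format=json -f .../secret-id` write to role.json / secretid.json
ROLE_JSON = '{"data": {"role_id": "ROLE-ID-PLACEHOLDER"}}'
SECRETID_JSON = '{"data": {"secret_id": "SECRET-ID-PLACEHOLDER", "secret_id_ttl": 172800}}'


def approle_login_request(role_json: str, secretid_json: str) -> tuple:
    """Return (API path, JSON body) for the AppRole login the plugin performs."""
    role_id = json.loads(role_json)["data"]["role_id"]
    secret_id = json.loads(secretid_json)["data"]["secret_id"]
    return "/v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id}


def kv_read_path(path: str, engine_version: int) -> str:
    """Map the withVault 'path' to the HTTP API path of a KV v1 or v2 mount."""
    mount, _, rest = path.partition("/")
    if engine_version == 2:
        return f"/v1/{mount}/data/{rest}"  # KV v2 nests reads under /data/
    return f"/v1/{mount}/{rest}"


def env_from_kv_response(body: dict, engine_version: int, secret_values: list) -> dict:
    """Build the envVar -> value mapping; KV v2 wraps the secret in data.data."""
    data = body["data"]["data"] if engine_version == 2 else body["data"]
    env = {}
    for sv in secret_values:
        if sv["vaultKey"] not in data:
            # This is the failure a key-name mismatch (e.g. ke1 vs key1) produces
            raise KeyError(f"{sv['vaultKey']!r} not at path; available keys: {sorted(data)}")
        env[sv["envVar"]] = data[sv["vaultKey"]]
    return env


if __name__ == "__main__":
    print(approle_login_request(ROLE_JSON, SECRETID_JSON))
    print(kv_read_path("secret_storage/test1", 2))
    # Constructed KV v2 read response for secret_storage/test1
    v2_body = {"data": {"data": {"key1": "val1"}, "metadata": {"version": 1}}}
    print(env_from_kv_response(v2_body, 2, [{"envVar": "test1", "vaultKey": "key1"}]))
```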