{"id":31769950,"url":"https://github.com/jfrog/vault-plugin-secrets-artifactory","last_synced_at":"2025-10-10T02:55:55.668Z","repository":{"id":37958152,"uuid":"375159278","full_name":"jfrog/vault-plugin-secrets-artifactory","owner":"jfrog","description":"HashiCorp Vault Secrets Plugin for Artifactory","archived":false,"fork":false,"pushed_at":"2025-09-24T10:15:11.000Z","size":1053,"stargazers_count":46,"open_issues_count":20,"forks_count":20,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-09-24T10:45:30.330Z","etag":null,"topics":["access-token","artifactory","golang","jfrog","vault","vault-plugin","vault-plugin-secrets-artifactory"],"latest_commit_sha":null,"homepage":"https://jfrog.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"idcmp/artifactory-secrets-plugin","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jfrog.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-06-08T22:18:33.000Z","updated_at":"2025-09-24T10:15:14.000Z","dependencies_parsed_at":"2023-02-14T03:03:39.096Z","dependency_job_id":"a82b1376-0904-4ece-a3e1-3ba3d948fe82","html_url":"https://github.com/jfrog/vault-plugin-secrets-artifactory","commit_stats":null,"previous_names":["jfrog/artifactory-secrets-plugin"],"tags_count":42,"template":false,"template_full_name":null,"purl":"pkg:github/jfrog/vault-plugin-secrets-artifactory","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fvault-plugin-secrets-artifactory","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fvault-plugin-secrets-artifactory/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fvault-plugin-secrets-artifactory/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fvault-plugin-secrets-artifactory/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jfrog","download_url":"https://codeload.github.com/jfrog/vault-plugin-secrets-artifactory/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fvault-plugin-secrets-artifactory/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279002527,"owners_count":26083403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-10T02:00:06.843Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-token","artifactory","golang","jfrog","vault","vault-plugin","vault-plugin-secrets-artifactory"],"created_at":"2025-10-10T02:55:51.771Z","updated_at":"2025-10-10T02:55:55.661Z","avatar_url":"https://github.com/jfrog.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Vault Acceptance Tests](https://github.com/jfrog/vault-plugin-secrets-artifactory/actions/workflows/acceptance-tests.yml/badge.svg)](https://github.com/jfrog/vault-plugin-secrets-artifactory/actions/workflows/acceptance-tests.yml)\n\n# Vault Artifactory Secrets Plugin\n\nThis plugin is actively maintained by JFrog Inc. Please refer to [CONTRIBUTING.md](CONTRIBUTING.md) for contributions and [create GitHub issues](https://github.com/jfrog/vault-plugin-secrets-artifactory/issues/new/choose) to ask for feature requests and support.\n\nContact [JFrog Support](https://jfrog.com/support/) for urgent, time sensitive issues.\n\n----------------------------------------------------------------\n\nThis is a [HashiCorp Vault](https://www.vaultproject.io/) secret plugin which talks to JFrog Artifactory server and will\ndynamically provision access tokens with specified scopes. This backend can be mounted multiple times\nto provide access to multiple Artifactory servers.\n\nUsing this plugin, you can limit the accidental exposure window of Artifactory tokens; useful for continuous integration servers.\n\n## Access Token Creation and Revoking\n\nThis backend creates access tokens in Artifactory using the admin credentials provided. Note that if you provide non-administrative credentials, then the \"username\" must match the username of the credential owner.\n\nVisit [JFrog Help Center](https://jfrog.com/help/r/jfrog-platform-administration-documentation/introduction-to-access-tokens) for more information on Access Tokens.\n\n### Admin Token Expiration Notice\n\n\u003e [!IMPORTANT]\n\u003e Prior to Artifactory 7.42.1, admin access token was created with the system token expiration (default to 1 year) even when `expires_in` API field is set to `0`. In 7.42.1, admin token expiration no longer constrained by system configuration and therefore can be set to non-expiring.\n\u003e See section [\"Generate a Non-expiry Admin Token without Changing the Configuration\"](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.42.1Cloud) in the release note.\n\u003e\n\u003e Therefore if you created access token(s) with Artifactory prior to 7.42.1, the tokens will have a 1 year expiration time (or whatever value is set in the Artifactory configuration) and will become unusable silently when it expires.\n\u003e\n\u003e We suggest upgrading your Artifactory to 7.42.1 or later (if possible) and rotate your tokens to get new, non-expiring tokens. Or set reminders to ensure you rotate your tokens before expiration.\n\u003e\n\u003e It should also be noted that some \"scripts\" used to create an admin token may default to expiration in `1h`, so it is best to **rotate** the admin token immediately, to ensure it doesn't expire unexpectedly.\n\u003e\n\u003e If you are using v0.2.9 or later, you can check if your admin token has an expiration using `vault read artifactory/config/admin`. If the exp/expires fields are not present, your token has no expiration set.\n\n### Dynamic Usernames\n\nPrevious versions of this plugin required a static `username` associated to the roles. This is still supported for backwards compatibility, but you can now use a dynamically generated username, based on [Vault Username Templates][vault-username-templating]. The generated tokens will be associated to a username generated from the template `v-{{.RoleName}}-{{Random 8}})` (`v-jenkins-x4mohTA8`), by default. You can change this template by specifying a `username_template=` option to the `/artifactory/config/admin` endpoint. The \"scope\" in the role should be `applied-permissions/groups:(list-of-groups)`, since `applied-permissions/user` would require the username to exist ahead of time. The user will not show in the Users list, but will be dynamically created during the scope of the token. The username still needs to be compliant with [artifactory requirements][artifactory-create-token] (less than 255 characters). It will be converted to lowercase by the API.\n\nExample:\n\n```sh\nvault write artifactory/config/admin username_template=\"v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}\"\n```\n\n### Expiring Tokens\n\nBy default, the Vault generated Artifactory tokens will not show an expiration date, which means that Artifactory will not\nautomatically revoke them. Vault will revoke the token when its lease expires due to logout or timeout (ttl/max_ttl). The reason\nfor this is because of the [default Revocable/Persistency Thresholds][artifactory-token-thresholds] in Artifactory. If you would\nlike the artifactory token itself to show an expiration, and you are using Artifactory v7.50.3 or higher, you can write\n`use_expiring_tokens=true` to the `/artifactory/config/admin` path. This will set the `force_revocable=true` parameter and\nset `expires_in` to either max lease TTL or role's `max_ttl`, whichever is lower, when a token is created, overriding the default\nthresholds mentioned above.\n\nExample:\n\n```sh\nvault write artifactory/config/admin use_expiring_tokens=true\n```\n\nExample Token Output:\n\n```console\n$ ACCESS_TOKEN=$(vault read -field access_token artifactory/token/test)\n$ jwt decode $ACCESS_TOKEN\n\nToken header\n------------\n{\n\"typ\": \"JWT\",\n\"alg\": \"RS256\",\n\"kid\": \"nxB2_1jNkYS5oYsl6nbUaaeALfKpfBZUyP0SW3txYUM\"\n}\n\nToken claims\n------------\n{\n\"aud\": \"*@*\",\n\"exp\": 1678913614,\n\"ext\": \"{\\\"revocable\\\":\\\"true\\\"}\",\n\"iat\": 1678902814,\n\"iss\": \"jfac@01gvgpzpv8jytn0fvq41wb1srj\",\n\"jti\": \"e39cec86-069c-4b75-8897-c2bf05dc8354\",\n\"scp\": \"applied-permissions/groups:readers\",\n\"sub\": \"jfac@01gvgpzpv8jytn0fvq41wb1srj/userv-test-p9nprfwr\"\n}\n```\n\n### Artifactory Version Detection\n\nSome of the functionality of this plugin requires certain versions of Artifactory. For example, as of Artifactory 7.50.3, we can optionally set the `force_revocable` flag and set the expiration of the token to `max_ttl`.\n\nIf you have upgraded Artifactory after installing this plugin, and would like to take advantage of newer features, you can issue an empty write to the `artifactory/config/admin` endpoint to re-detect the version, or it will re-detect upon reload.\n\nExample:\n\n```sh\nvault write -f artifactory/config/admin\n```\n\n## Installation\n\n### Using pre-built releases\n\nYou can find pre-built releases of the plugin [here][artreleases] and download the latest binary file corresponding to your target OS.\n\n### From Sources\n\nIf you prefer to build the plugin from sources, clone the GitHub repository locally and run the command `make build` from the root of the sources directory.\n\nSee [Local Development Prerequisites](#local-development-prerequisites) section for pre-requisites.\n\nUpon successful compilation, the resulting `artifactory-secrets-plugin` binary is stored in the `dist/vault-plugin-secrets-artifactory_\u003cOS architecture\u003e` directory.\n\n## Configuration\n\nCopy the plugin binary into a location of your choice; this directory must be specified as the [`plugin_directory`][vaultdocplugindir] in the Vault configuration file:\n\n```hcl\nplugin_directory = \"path/to/plugin/directory\"\n```\n\nStart a Vault server with this configuration file:\n\n```sh\nvault server -config=path/to/vault/config.hcl\n```\n\nOnce the server is started, register the plugin in the Vault server's [plugin catalog][vaultdocplugincatalog]:\n\n```sh\nvault plugin register \\\n  -sha256=$(sha256sum path/to/plugin/directory/artifactory | cut -d \" \" -f 1) \\\n  -command=artifactory-secrets-plugin \\\n  secret artifactory\n```\n\n\u003e [!NOTE]\n\u003e you may need to also add arguments to the registration like `-args=\"-ca-cert ca.pem` or something insecure like: `-args=\"-tls-skip-verify\"` depending on your environment. (see `./path/to/plugins/artifactory -help` for all the options)\n\n\u003e [!CAUTION]\n\u003e This inline checksum calculation above is provided for illustration purpose and does not validate your binary. It should **not** be used for production environment. Instead you should use the checksum provided as [part of the release](https://github.com/jfrog/vault-plugin-secrets-artifactory/releases). See [How to verify binary checksums](#how-to-verify-binary-checksums) section.\n\nYou can now enable the Artifactory secrets plugin:\n\n```sh\nvault secrets enable artifactory\n```\n\nWhen upgrading, please refer to the [Vault documentation](https://developer.hashicorp.com/vault/docs/upgrading/plugins) for detailed instructions.\n\n\n### How to verify binary checksums\n\nChecksums for each binary are provided in the `artifactory-secrets-plugin_\u003cversion\u003e_checksums.txt` file. It is signed with the public key [`vault-plugin-secrets-artifactory-public-key.asc`](vault-plugin-secrets-artifactory-public-key.asc) which creates the signature file `artifactory-secrets-plugin_\u003cversion\u003e_checksums.txt.sig`.\n\nIf the public key is not in your GPG keychain, import it:\n```sh\ngpg --import vault-plugin-secrets-artifactory-public-key.asc\n```\n\nThen verify the checksums file signature:\n\n```sh\ngpg --verify artifactory-secrets-plugin_\u003cversion\u003e_checksums.txt.sig artifactory-secrets-plugin_\u003cversion\u003e_checksums.txt\n```\n\nYou should see something like the following:\n```sh\ngpg: assuming signed data in 'artifactory-secrets-plugin_0.2.17_checksums.txt'\ngpg: Signature made Mon May  8 14:22:12 2023 PDT\ngpg:                using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD\ngpg: Good signature from \"Alex Hung \u003calexh@jfrog.com\u003e\" [ultimate]\n```\n\nWith the checksums file verified, you can now safely use the SHA256 checkum inside as part of the Vault plugin registration (vs calling `sha256sum`).\n\n### Artifactory\n\n1. Log into the Artifactory UI as an \"admin\".\n1. Create the Access Token that Vault will use to interact with Artifactory. In Artifactory 7.x this can be done in the UI Administration (gear) -\u003e User Management -\u003e Access Tokens -\u003e Generate Token.\n    * Token Type: `Scoped Token`\n    * Description: (optional) `vault-plugin-secrets-artifactory` (NOTE: This will be lost on admin token rotation, because it is not part of the token)\n    * Token Scope: `Admin` **(IMPORTANT)**\n    * User name: `vault-admin` (for example)\n    * Service: `Artifactory` (or you can leave it on \"All\")\n    * Expiration time: `Never` (do not set the expiration time less than `7h`, since by default, it will not be revocable once the expiration is less than 6h)\n1. Save the generated token as the environment variable `TOKEN`\n\nAlternatives:\n\n* Use the [CreateToken REST API][artifactory-create-token], and save the `access_token` from the JSON response as the environment variable `TOKEN`.\n* Use [`getArtifactoryAdminToken.sh`](./scripts/getArtifactoryAdminToken.sh).\n\n    ```sh\n    export JFROG_URL=https://artifactory.example.org\n    export ARTIFACTORY_USERNAME=admin\n    export ARTIFACTORY_PASSWORD=password\n    TOKEN=$(scripts/getArtifactoryAdminToken.sh)\n    ```\n\n### Vault\n\n```sh\nvault write artifactory/config/admin \\\n    url=https://artifactory.example.org \\\n    access_token=$TOKEN\n```\n\n**OPTIONAL**, but recommended: Rotate the admin token, so that only Vault knows it.\n\n```sh\nvault write -f artifactory/config/rotate\n```\n\n\u003e [!NOTE]\n\u003e some versions of artifactory (notably `7.39.10`) fail to rotate correctly. As noted above, we recommend being on `7.42.1` or higher. The token was indeed rotated, but as the error indicates, the old token could not be revoked.\n\n**ALSO** If you want to change the username for the admin token (tired of it just being \"admin\"?) or set a \"Description\" on the token, those parameters are optionally available on the `artifactory/config/rotate` endpoint.\n\n```sh\nvault write artifactory/config/rotate username=\"new-username\" description=\"A token used by vault-secrets-engine on our vault server\"\n```\n\n#### Bypass TLS connection verification with Artifactory\n\nTo bypass TLS connection verification with Artifactory, set `bypass_artifactory_tls_verification` to `true`, e.g.\n\n```sh\nvault write artifactory/config/admin \\\n    url=https://artifactory.example.org \\\n    access_token=$TOKEN \\\n    bypass_artifactory_tls_verification=true\n```\n\nOPTIONAL: Check the results:\n\n```sh\nvault read artifactory/config/admin\n```\n\nExample output:\n\n```console\nKey                                 Value\n---                                 -----\naccess_token_sha256                 74834a86b2082750201e2a1e520f21f7bfc7d4026e5bd2b075ca2d0699b7c4e3\nbypass_artifactory_tls_verification false\nscope                               applied-permissions/admin\ntoken_id                            db0002b0-af08-486c-bbad-b255a3cc7b31\nurl                                 http://localhost:8082\nuse_expiring_tokens                 false\nusername                            vault-admin\nversion                             7.55.6\n```\n\n#### Use expiring tokens\n\nTo enable creation of token that expires using TTL (system default, system max TTL, or config overrides), set `use_expiring_tokens` to `true`, e.g.\n\n```sh\nvault write artifactory/config/admin \\\n    url=https://artifactory.example.org \\\n    access_token=$TOKEN \\\n    use_expiring_tokens=true\n```\n\n#### Enable Scoped down Tokens\n\n\u003e [!WARNING]\n\u003e In order to decouple Artifactory Group maintenance from Vault plugin configuration, you can configure a single role to request Access Tokens for specific groups. This option should be used with extreme care to ensure that your Vault policies are restricting which groups it can request tokens on behalf of.\n\n```sh\nvault write artifactory/config/admin \\\n    url=https://artifactory.example.org \\\n    access_token=$TOKEN \\\n    allow_scope_override=true\n```\n\n## Usage\n\nCreate a role (scope for artifactory \u003e= 7.21.1)\n\n```sh\nvault write artifactory/roles/jenkins \\\n    scope=\"applied-permissions/groups:automation \" \\\n    default_ttl=3600 max_ttl=10800\n```\n\nAlso supports `grant_type=[Optional, default: \"client_credentials\"]`, and `audience=[Optional, default: *@*]` see [JFrog documentation][artifactory-create-token].\n\n\u003e [!NOTE]\n\u003e By default, the username will be generated automatically using the template `v-(RoleName)-(random 8)` (i.e. `v-jenkins-x4mohTA8`). If you would prefer to have a static username (the same for every token), you can set `username=whatever-you-want`, but keep in mind that in a dynamic environment, someone or something using an old, expired token might cause a denial of service (too many failed logins) against users with the correct token.\n\n\u003cdetails\u003e\n\u003csummary\u003eCLICK for: Create a Role (scope for artifactory \u003c 7.21.1)\u003c/summary\u003e\n\n```sh\nvault write artifactory/roles/jenkins \\\n    username=\"example-service-jenkins\" \\\n    scope=\"api:* member-of-groups:ci-server\" \\\n    default_ttl=1h max_ttl=3h\n```\n\n\u003c/details\u003e\n\n\u003e [!NOTE]\n\u003e There are some changes in the **scopes** supported in artifactory request \u003e7.21. Please refer to the JFrog documentation for the same according to the artifactory version.\n\n```sh\nvault list artifactory/roles\n```\n\nExample Output:\n\n```console\nKeys\n----\njenkins\n```\n\n```sh\nvault read artifactory/token/jenkins\n```\n\nExample output (token truncated):\n\n```console\nKey                Value\n---                -----\nlease_id           artifactory/token/jenkins/9hHxV1NlyLzPgmNIzjssRCa9\nlease_duration     1h\nlease_renewable    true\naccess_token       eyJ2ZXIiOiIyIiw...\nrole               jenkins\nscope              applied-permissions/groups:automation\ntoken_id           06d962b2-63e2-4279-a25d-d2a9cab6507f\nusername           v-jenkins-x4mohTA8\n```\n\n### Scoped Access Tokens\n\n\u003e [!IMPORTANT]\n\u003e In order to use this functionality, you must enable `allow_scope_override` when configuring the plugin, see [Enable Scoped down Tokens](#Use-scoped-down-tokens)\n\nCreate a role (scope for artifactory \u003e= 7.21.1)\n\n```sh\nvault write artifactory/roles/jenkins \\\n    username=\"jenkins-vault\"\n    scope=\"applied-permissions/groups:admin\" \\\n    default_ttl=1h max_ttl=3h\n```\n\nRequest Access Token for `test-group`\n\n```sh\nvault read artifactory/token/jenkins scope=applied-permissions/groups:test-group\n```\n\nExample output (token truncated):\n\n```console\nKey                Value\n---                -----\nlease_id           artifactory/token/jenkins/9hHxV1NlyLzPgmNIzjssRCa9\nlease_duration     1h\nlease_renewable    true\naccess_token       eyJ2ZXIiOiIyIiw....\nrole               jenkins\nscope              applied-permissions/groups:test-group\ntoken_id           06d962b2-63e2-4279-a25d-d2a9cab6507f\nusername           v-jenkins-b0ftbTAG\n```\n\nExample Vault Policy\n\n```console\npath \"artifactory/token/jenkins\" {\n  capabilities = [\"read\"],\n  required_parameters = [\"scope\"],\n  allowed_parameters = {\n    \"scope\" = [\"applied-permissions/groups:test-group\"]\n  }\n  denied_parameters = {\n    \"scope\" = [\"applied-permissions/groups:admin\"]\n  }\n}\n```\n\n### User Token Path\n\nUser tokens may be obtained from the `/artifactory/user_token/\u003cuser-name\u003e` endpoint. This is useful in conjunction with [ACL Policy Path Templating](https://developer.hashicorp.com/vault/tutorials/policies/policy-templating) to allow users authenticated to Vault to obtain API tokens in Artfactory for their own account. Be careful to ensure that Vault authentication methods \u0026 policies align with user account names in Artifactory.\n\nFor example the following policy allows users authenticated to the `azure-ad-oidc` authentication mount to obtain a token for Artifactory for themselves, assuming the `upn` metadata is populated in Vault during authentication.\n\n```\npath \"artifactory/user_token/{{identity.entity.aliases.azure-ad-oidc.metadata.upn}}\" {\n  capabilities = [ \"read\" ]\n}\n```\n\nDefault values for the token's `access_token`, `description`, `ttl`, `max_ttl`, `audience`, `refreshable`, `include_reference_token`, and `use_expiring_tokens` may be configured at the `/artifactory/config/user_token` or `/artifactory/config/user_token/\u003cuser-name\u003e` path.\n\n`access_token` field allows the use of user's identity token in place of the admin access token from the `/artifactory/config/admin` path, enabling creating access token scoped to that user only.\n\nTTL rules follow Vault's [general cases](https://developer.hashicorp.com/vault/docs/concepts/tokens#the-general-case) and [token hierarchy](https://developer.hashicorp.com/vault/docs/concepts/tokens#token-hierarchies-and-orphan-tokens). The desired lease TTL will be determined by the most specific TTL value specified with the request ttl parameter being highest precedence, followed by the plugin configuration, secret mount tuning, or system default ttl. The maximum TTL value allowed is limited to the lowest value of the `max_ttl` setting set on the system, secret mount tuning, plugin configuration, or the specific request.\n\nExample Token Configuration:\n\n```console\nvault write artifactory/config/user_token \\\n  default_description=\"Generated by Vault\" \\\n  max_ttl=604800 \\\n  default_ttl=86400\n```\n\n```console\n$ vault read artifactory/config/user_token\nKey                        Value\n---                        -----\naudience                   n/a\ndefault_description        Generated by Vault\ndefault_ttl                24h\ninclude_reference_token    true\nmax_ttl                    168h\nrefreshable                true\nscope                      applied-permissions/user\ntoken_id                   8df5dd21-31ae-4062-bbe5-580a607f5645\nusername                   vault-admin\n```\n\nExample Usage:\n```console\n$ vault read artifactory/user_token/admin description=\"Dev Desktop\"\nKey                Value\n---                -----\nlease_id           artifactory/user_token/admin/4UhTThCwctPGX0TYXeoyoVEt\nlease_duration     24h\nlease_renewable    true\naccess_token       eyJ2Z424242424...\ndescription        Dev Desktop\nreference_token    cmVmdGtu...\nrefresh_token      629299be-...\nscope              applied-permissions/user\ntoken_id           3c6b2e63-87dc-4d26-9698-ffdfb282a6ee\nusername           admin\n```\n\n## References\n\n### Admin Config\n\n| Command | Path |\n| ------- | ---- |\n| write   | artifactory/config/admin |\n| read    | artifactory/config/admin |\n| delete  | artifactory/config/admin |\n\nConfigure the parameters used to connect to the Artifactory server integrated with this backend.\n\nThe two main parameters are `url` which is the absolute URL to the Artifactory server. Note that `/artifactory/api`\nis prepended by the individual calls, so do not include it in the URL here.\n\nThe second is `access_token` which must be an access token enough permissions to generate the other access tokens you'll\nbe using. This value is stored seal wrapped when available. Once set, the access token cannot be retrieved, but the backend\nwill send a sha256 hash of the token so you can compare it to your notes. If the token is a JWT Access Token, it will return\nadditional information such as `jfrog_token_id`, `username` and `scope`.\n\nAn optional `username_template` parameter will override the built-in default username_template for dynamically generating\nusernames if a static one is not provided.\n\nAn optional `bypass_artifactory_tls_verification` parameter will enable bypassing the TLS connection verification with Artifactory.\n\nNo renewals or new tokens will be issued if the backend configuration (config/admin) is deleted.\n\n#### Parameters\n\n* `url` (string) - Address of the Artifactory instance, e.g. https://my.jfrog.io\n* `access_token` (string) - Optional. Administrator token to access Artifactory\n* `username_template` (string) - Optional. Vault Username Template for dynamically generating usernames.\n* `use_expiring_tokens` (boolean) - Optional. If Artifactory version \u003e= 7.50.3, set `expires_in` to `max_ttl` (admin token) or `ttl` (user token) and `force_revocable = true`. Default to `false`.\n* `force_revocable` (boolean) - Optional. When set to true, we will add the `force_revocable` flag to the token's extension. In addition, a new configuration has been added that sets the default for setting the `force_revocable` default when creating a new token - the default of this configuration will be `false` to ensure that the Circle of Trust remains in place.\n* `bypass_artifactory_tls_verification` (boolean) - Optional. Bypass certification verification for TLS connection with Artifactory. Default to `false`.\n* `revoke_on_delete` (boolean) - Optional. Revoke Administrator access token when this configuration is deleted. Default to `false`. Will be set to `true` if token is rotated.\n* `allow_scope_override` (boolean) - Optional. Determine if scoped tokens should be allowed. This is an advanced configuration option. Default to `false`.\n\n#### Example\n\n```console\nvault write artifactory/config/admin url=$JFROG_URL \\\n  access_token=$JFROG_ACCESS_TOKEN \\\n  username_template=\"v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}\" \\\n  use_expiring_tokens=true \\\n  bypass_artifactory_tls_verification=true \\\n  revoke_on_delete=true\n```\n\n### User Token Config\n\n| Command | Path |\n| ------- | ---- |\n| write   | artifactory/user_config |\n| read    | artifactory/user_config |\n| write   | artifactory/user_config/:username |\n| read    | artifactory/user_config/:username |\n\nConfigures default values for the `user_token/:user-name` path. The optional `username` field allows the configuration to be set for specific username.\n\n#### Parameters\n\n* `access_token` (string) - Optional. User identity token to access Artifactory. If `username` is not set then this token will be used for *all* users.\n* `refresh_token` (string) - Optional. Refresh token for the user access token. If `username` is not set then this token will be used for *all* users.\n* `audience` (string) - Optional. See the JFrog Platform REST documentation on [Create Token](https://jfrog.com/help/r/jfrog-rest-apis/create-token) for a full and up to date description. Service ID must begin with valid JFrog service type. Options: jfrt, jfxr, jfpip, jfds, jfmc, jfac, jfevt, jfmd, jfcon, or *. For instructions to retrieve the Artifactory Service ID see this [documentation](https://jfrog.com/help/r/jfrog-rest-apis/get-service-id)\n* `refreshable` (boolean) - Optional. A refreshable access token gets replaced by a new access token, which is not what a consumer of tokens from this backend would be expecting; instead they'd likely just request a new token periodically. Set this to `true` only if your usage requires this. See the JFrog Platform documentation on [Generating Refreshable Tokens](https://jfrog.com/help/r/jfrog-platform-administration-documentation/generating-refreshable-tokens) for a full and up to date description. Defaults to `false`.\n* `include_reference_token` (boolean) - Optional. Generate a Reference Token (alias to Access Token) in addition to the full token (available from Artifactory 7.38.10). A reference token is a shorter, 64-character string, which can be used as a bearer token, a password, or with the `X-JFrog-Art-Api`header. Note: Using the reference token might have performance implications over a full length token. Defaults to `false`.\n* `use_expiring_tokens` (boolean) - Optional. If Artifactory version \u003e= 7.50.3, set `expires_in` to `ttl` and `force_revocable = true`. Defaults to `false`.\n* `force_revocable` (boolean) - Optional. When set to true, we will add the `force_revocable` flag to the token's extension. In addition, a new configuration has been added that sets the default for setting the `force_revocable` default when creating a new token - the default of this configuration will be `false` to ensure that the Circle of Trust remains in place.\n* `default_ttl` (int64) - Optional. Default TTL for issued user access tokens. If unset, uses the backend's `default_ttl`. Cannot exceed `max_ttl`.\n* `default_description` (string) - Optional. Default token description to set in Artifactory for issued user access tokens.\n\n#### Examples\n\n```console\n# Set user token configuration for ALL users\nvault write artifactory/config/user_token \\\n  access_token=\"eyJ2Z...3sT9r6nA\" \\\n  refresh_token=\"4ab...471\" \\\n  default_ttl=60s\n\nvault read artifactory/config/user_token\n\n# Set user token configuration for 'myuser' user\nvault write artifactory/config/user_token/myuser \\\n  access_token=\"eyJ2Z...3sT9r6nA\" \\\n  refresh_token=\"4ab...471\" \\\n  audience=\"jfrt@* jfxr@*\"\n\nvault read artifactory/config/user_token/myuser\n\nvault delete artifactory/config/user_token/myuser\n```\n\n### Role\n\n| Command | Path |\n| ------- | ---- |\n| write   | artifactory/role/:rolename |\n| patch   | artifactory/role/:rolename |\n| read    | artifactory/role/:rolename |\n| delete  | artifactory/role/:rolename |\n\n#### Parameters\n\n* `grant_type` (string) - Optional. Defaults to `client_credentials` when creating the access token. You likely don't need to change this.\n* `username` (string) - Optional. Defaults to using the username_template. The static username for which the access token is created. If the user does not exist, Artifactory will create a transient user. Note that non-administrative access tokens can only create tokens for themselves.\n* `scope` (string) - Space-delimited list. See the JFrog Artifactory REST documentation on [\"Create Token\"](https://jfrog.com/help/r/jfrog-rest-apis/create-token) for a full and up to date description.\n* `refreshable` (boolean) - Optional. A refreshable access token gets replaced by a new access token, which is not what a consumer of tokens from this backend would be expecting; instead they'd likely just request a new token periodically. Set this to `true` only if your usage requires this. See the JFrog Platform documentation on [Generating Refreshable Tokens](https://jfrog.com/help/r/jfrog-platform-administration-documentation/generating-refreshable-tokens) for a full and up to date description. Defaults to `false`.\n* `audience` (string) - Optional. See the JFrog Platform REST documentation on [Create Token](https://jfrog.com/help/r/jfrog-rest-apis/create-token) for a full and up to date description. Service ID must begin with valid JFrog service type. Options: jfrt, jfxr, jfpip, jfds, jfmc, jfac, jfevt, jfmd, jfcon, or *. For instructions to retrieve the Artifactory Service ID see this [documentation](https://jfrog.com/help/r/jfrog-rest-apis/get-service-id)\n* `include_reference_token` (boolean) - Optional. Generate a Reference Token (alias to Access Token) in addition to the full token (available from Artifactory 7.38.10). A reference token is a shorter, 64-character string, which can be used as a bearer token, a password, or with the `X-JFrog-Art-Api`header. Note: Using the reference token might have performance implications over a full length token. Defaults to `false`.\n* `default_ttl` (int64) - Default TTL for issued user access tokens. If unset, uses the backend's `default_ttl`. Cannot exceed `max_ttl`.\n* `max_ttl` (int64) - Maximum TTL that an access token can be renewed for. If unset, uses the backend's `max_ttl`. Cannot exceed backend's `max_ttl`.\n\n#### Examples\n\n```console\nvault write artifactory/roles/test \\\n  scope=\"applied-permissions/groups:readers applied-permissions/groups:ci\" \\\n  max_ttl=3h \\\n  default_ttl=2h\n\nvault read artifactory/roles/test\n\nvault delete artifactory/roles/test\n```\n\n### Admin Token\n\n| Command | Path |\n| ------- | ---- |\n| read    | artifactory/token/:rolename |\n\nCreate an Artifactory access token using paramters from the specified role.\n\n#### Parameters\n\n* `ttl` (int64) - Optional. Override the default TTL when issuing this access token. Cannot exceed smallest (system, backend, role, this request) maximum TTL.\n* `max_ttl` (int64) - Optional. Override the maximum TTL for this access token. Cannot exceed smallest (system, backend) maximum TTL.\n* `scope` (string) - Optional. Override the scope for this access token. Limited to group scope only: `applied-permissions/groups:\u003cgroup-name\u003e[,\u003cgroup-name\u003e...]`. Only applicable when config field `allow_scope_override` is set to `true`.\n\n#### Examples\n\n```console\nvault read artifactory/token/test \\\n  ttl=30m \\\n  max_ttl=1h \\\n  scope=applied-permissions/groups:mygroup\n```\n\n### Rotate Admin Token\n\n| Command | Path |\n| ------- | ---- |\n| write   | artifactory/config/rotate |\n\nThis will rotate the `access_token` used to access artifactory from this plugin. A new access token is created first then revokes the old access token.\n\n#### Examples\n\n```console\nvault write artifactory/config/rotate\n```\n\n### User Token\n\n| Command | Path |\n| ------- | ---- |\n| read    | artifactory/user_token/:username |\n\nProvides optional parameters to override default values for the user_token/:username path\n\n#### Parameters\n\n* `description` (string) - Optional. Override the token description to set in Artifactory for issued user access tokens.\n* `refreshable` (boolean) - Optional. Override the `refreshable` for this access token. Defaults to `false`.\n* `include_reference_token` (boolean) - Optional. Override the `include_reference_token` for this access token. Defaults to `false`.\n* `use_expiring_tokens` (boolean) - Optional. Override the `use_expiring_tokens` for this access token. If Artifactory version \u003e= 7.50.3, set `expires_in` to `ttl` and `force_revocable = true`. Defaults to `false`.\n* `force_revocable` (boolean) - Optional. When set to true, we will add the `force_revocable` flag to the token's extension. In addition, a new configuration has been added that sets the default for setting the `force_revocable` default when creating a new token - the default of this configuration will be `false` to ensure that the Circle of Trust remains in place.\n* `ttl` (int64) - Optional. Override the default TTL when issuing this access token. Cannot exceed smallest (system, backend, role, this request) maximum TTL.\n* `max_ttl` (int64) - Optional. Override the maximum TTL for this access token. Cannot exceed smallest (system, backend) maximum TTL.\n* `scope` (string) - Optional. Override the scope (default: `applied-permissions/user`) for this access token. Limited to group scope only: `applied-permissions/groups:\u003cgroup-name\u003e[,\u003cgroup-name\u003e...]`.\n\n#### Examples\n\n```console\nvault read artifactory/user_token/test_user \\\n  description=\"Refreshable token for Test user\"\n  refreshable=true \\\n  include_reference_token=true \\\n  use_expiring_tokens=true\n```\n\n## Development\n\n### Local Development Prerequisites\n\n* Vault\n  * \u003chttps://developer.hashicorp.com/vault/docs/install\u003e\n  * `brew tap hashicorp/tap`\n    `brew install hashicorp/tap/vault`\n* Golang\n  * \u003chttps://go.dev/doc/install\u003e\n  * `brew install golang`\n* GoReleaser - Used during the build process\n  *  \u003chttps://goreleaser.com/install/\u003e\n  * `brew install goreleaser`\n* Docker - To run a test Artifactory instance (very useful for testing)\n  * \u003chttps://docs.docker.com/get-docker/\u003e\n  * `brew install docker --cask`\n\n### Testing Locally\n\nIf you're compiling this yourself and want to test locally, you will need a working Docker environment. You will also need Vault cli and Golang installed, then you can follow the steps below.\n\n* In first terminal, build the plugin and start the local dev server:\n\n```sh\nmake\n```\n\n* In another terminal, setup a test artifactory instance.\n\n```sh\nmake artifactory\n```\n\n* In the same terminal, setup `artifactory-secrets-engine` in vault with values:\n\n```sh\nexport VAULT_ADDR=http://localhost:8200\nexport VAULT_TOKEN=root\nmake setup\n```\n\n* In the same terminal, you can configure and generate an admin access token:\n\n```sh\nmake admin\n```\n\nGenerate an user token:\n\n```sh\nmake usertoken\n```\n\nNOTE: Each time you rebuild (`make`), vault will restart, so you will need to run `make setup` again, since vault is in dev mode.\n\n* Once you are done testing, you can destroy the local artifactory instance:\n\n```sh\nmake stop_artifactory\n```\n\n### Other Local Development Details\n\nThis section is informational, and is not intended as a step-by-step. If you really want the gory details, checkout [the `Makefile`](./Makefile)\n\n#### Install Vault binary\n\n* You can follow the [Installing Vault](https://developer.hashicorp.com/vault/docs/install) instructions.\n* Alternatively, if you are on MacOS, and have HomeBrew, you can use that:\n\n```sh\nbrew tap hashicorp/tap\nbrew install hashicorp/tap/vault\n```\n\n#### Test with OpenBao binary\n\n*  You can follow the [Installing OpenBao](https://openbao.org/docs/install/) instructions.\n* Export env var `VAULT_CLI=\u003cyour path to bao binary\u003e`, e.g. `export VAULT_CLI=/usr/local/bin/bao`\n* Run makefile as usual `make setup` or `VAULT_CLI=/usr/local/bin/bao make setup`\n\n#### Start Vault dev server\n\n```sh\nmake start\n```\n\n#### Export Vault url and token\n\n```sh\nexport VAULT_ADDR='http://127.0.0.1:8200'\nexport VAULT_TOKEN=root\n```\n\n#### Build plugin binary\n\n```sh\nmake build\n```\n\n#### Upgrade plugin binary\n\nTo build and upgrade the plugin without having to reconfigure it...\n\n```sh\nmake upgrade\n```\n\n#### Create Test Artifactory\n\n```sh\nmake artifactory\n```\n\nSet `ARTIFACTORY_VERSION` to a [specific self hosted version][artifactory-release-notes] to override the default.\n\nExample:\n\n```sh\nmake artifactory ARTIFACTORY_VERSION=7.49.10\n```\n\n\u003e [!NOTE]\n\u003e If you get a message like:\n\u003e\n\u003e```console\n\u003emake: Nothing to be done for `artifactory'.\n\u003e```\n\u003e\n\u003eThis simply means that \"make\" thinks artifactory is \u003ealready running due to the existence of the `./vault/\u003eartifactory.env` file.\n\u003e\n\u003eIf you want to run a different version, first use `make \u003estop_artifactory`. If you stopped artifactory using other \u003emeans (docker), then `rm vault/artifactory.env` manually.\n\n\n#### Register artifactory-secrets plugin with Vault server\n\nIf you didn't run `make upgrade` (i.e. just `make build`), then you need to register the newly built plugin with the Vault server.\n\n```sh\nmake register\n```\n\n#### Enable artifactory-secrets plugin\n\n```sh\nmake enable\n```\n\n#### Disable plugin (unmount from vault)\n\n```sh\nmake disable\n```\n\n\u003e [!NOTE]\n\u003e This is a good idea before stopping artifactory, especially if you plan to change versions of artifactory. Alternatively, just exit vault (Ctrl+c), and it will go back to default state.\n\n#### Get ADMIN Artifactory token and write it to vault\n\n```sh\nmake admin\n```\n\nNOTE: This following might be some useful environment variables:\n\n\u003e * `JFROG_URL`\n\u003e * `ARTIFACTORY_USERNAME`\n\u003e * `ARTIFACTORY_PASSWORD`\n\nFor example:\n\n```sh\nJFROG_URL=https://artifactory.example.org ARTIFACTORY_USERNAME=tommy ARTIFACTORY_PASSWORD='SuperSecret' make admin\n```\n\nIf you already have a `JFROG_ACCESS_TOKEN``, you can skip straight to that too:\n\n```sh\nexport JFROG_URL=https://artifactory.example.com\nexport JFROG_ACCESS_TOKEN=(PASTE YOUR JFROG ADMIN TOKEN)\nmake admin\n```\n\n* Setup a \"test\" role, bound to the \"readers\" group\n\n```sh\nmake testrole\n```\n\n#### Run Acceptance Tests\n\n```sh\nmake acceptance\n```\n\nThis requires the following:\n* A running Artifactory instance\n* Env vars `JFROG_URL` and `JFROG_ACCESS_TOKEN` for the running Artifactory instance be set\n\n## Issues\n\n* RTFACT-22477 - proposing CIDR restrictions on the created access tokens.\n* () - Artifactory 7.39.10 fails to revoke previous token during rotation. Recommend 7.42.1. or higher.\n\n## Contributors\n\nSee the [contribution guide](./CONTRIBUTING.md).\n\n## License\n\nCopyright (c) 2025 JFrog.\n\nApache 2.0 licensed, see [LICENSE][LICENSE] file.\n\n[LICENSE]: ./LICENSE\n[artreleases]: https://github.com/jfrog/vault-plugin-secrets-artifactory/releases\n[vaultdocplugindir]: https://www.vaultproject.io/docs/configuration/index.html#plugin_directory\n[vaultdocplugincatalog]: https://www.vaultproject.io/docs/internals/plugins.html#plugin-catalog\n[artifactory-create-token]: https://www.jfrog.com/confluence/display/JFROG/JFrog+Platform+REST+API#JFrogPlatformRESTAPI-CreateToken\n[vault-username-templating]: https://developer.hashicorp.com/vault/docs/concepts/username-templating\n[artifactory-release-notes]: https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes\n[artifactory-token-thresholds]: https://www.jfrog.com/confluence/display/JFROG/Access+Tokens#AccessTokens-UsingtheRevocableandPersistencyThresholds\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Fvault-plugin-secrets-artifactory","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjfrog%2Fvault-plugin-secrets-artifactory","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Fvault-plugin-secrets-artifactory/lists"}