Allows storing Amazon IAM credentials within the Jenkins Credentials API.
Store Amazon IAM access keys (AWSAccessKeyId and AWSSecretKey) within the Jenkins Credentials API.
Also support IAM Roles and IAM MFA Token.
CloudBees Amazon Web Services Credentials Plugin
Home Page: https://plugins.jenkins.io/aws-credentials/
License: MIT License
The jenkins build does not work anymore after the update to 1.24. The stacktrace message says
com.amazonaws.SdkClientException: Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.
at com.amazonaws.client.builder.AwsClientBuilder.setRegion(AwsClientBuilder.java:436)
at com.amazonaws.client.builder.AwsClientBuilder.configureMutableProperties(AwsClientBuilder.java:402)
at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:124)
at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:97)
at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:270)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:178)
at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:122)
at sun.reflect.GeneratedMethodAccessor380.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:157)
at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:155)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:159)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
at WorkflowScript.run(WorkflowScript:21)
at ___cps.transform___(Native Method)
at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
at sun.reflect.GeneratedMethodAccessor310.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
at com.cloudbees.groovy.cps.impl.ClosureBlock.eval(ClosureBlock.java:46)
at com.cloudbees.groovy.cps.Next.step(Next.java:83)
at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122)
at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261)
at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$101(SandboxContinuable.java:34)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.lambda$run0$0(SandboxContinuable.java:59)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:58)
at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:182)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:332)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$200(CpsThreadGroup.java:83)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:244)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:232)
at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131)
at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE
This is the relevant part of Jenkinsfile, where the build fails
node('our-node') {
withCredentials([[$class : 'AmazonWebServicesCredentialsBinding', credentialsId: 'CI-development',
accessKeyVariable: 'AWS_ACCESS_KEY_ID', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
try { ... } catch (e) { ... }
}
I tried to set the aws variables "AWS_DEFAULT_REGION", "AWS_REGION" and "REGION" (not sure which one is the correct name) to "eu-central-1" (where the application is to be deployed) at different places
withCredentials([ ... ])
withCredentials
into withEnv(['AWS_REGION=eu-central-1']) { ... }withCredentials
into withAWS(region:'eu-central-1') { ... }withCredentials
into withAWS(region: Region.EU_Frankfurt.toString()) { ... }The latter ones look like this, then
node('our-node') {
withAWS(region: Region.EU_Frankfurt.toString()) {
withCredentials([[$class : 'AmazonWebServicesCredentialsBinding', credentialsId: 'CI-development',
accessKeyVariable: 'AWS_ACCESS_KEY_ID', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
try { ... } catch (e) { ... }
}
}
Both even display the following log before failing the same ways as above
[Pipeline] {
[Pipeline] withAWS
Setting AWS region eu-central-1
[Pipeline] {
[Pipeline] withCredentials
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // withAWS
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
com.amazonaws.SdkClientException: Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.
at com.amazonaws.client.builder.AwsClientBuilder.setRegion(AwsClientBuilder.java:436)
at com.amazonaws.client.builder.AwsClientBuilder.configureMutableProperties(AwsClientBuilder.java:402)
at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:124)
at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:97)
at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114)
...
Any help appreciated, as I were forced to downgrade the plugin to 1.23 to get the build working.
Cheers
An error occurred (IncompleteSignature) when calling the GetCallerIdentity operation: 'AKIAVIDUC********/20200128/us-east-1/sts/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential=****/20200128/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=ca1c27681e5530894c813ad18b8980b06610724e0521b226f***********'.
When using the AWS CLI plugin I am not able to set a default region of us-east-2 in my build jobs.
Steps to reproduce:
Navigate to the Configuration page of the job and, in the Build Environment section, check Setup Amazon Web Services CLI. Choose Default Region.
Expectation:
That this be changed to a free text field, or the drop down be modified to include all regions in aws.
Hi,
It would be awesome if when we use AssumeRole system we could get the ARN in a variable.
My need is that for run terraform or some other tools which are able to assume role by them self I would not need to duplicate the ARN in jenkins and in the tools...
What do you think ?
Cheers
Geoffrey
trying to figure out how to use this in a Jenkinsfile
, finally got it to do something...
withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: 'dev', variable: 'AWS_ACCESS_KEY_ID']]) {
sh "echo this is ${env.AWS_ACCESS_KEY_ID}"
sh "echo this is ${env.AWS_SECRET_ACCESS_KEY}"
}
just displays **** but does not crash the script
Can someone give post a working hello world type code snippet example please?
thanks!
I was considering making a contribution to implement Instance Profiles (See #15) . However, there's no way for me to build this locally - there appears to be missing classes (e.g. Messages) and definitely missing tests.
Is there a different repository I should look at?
When using with Keys, the DisplayName is semi-ugly, but bearable... but when using with Role ARN - the display name gets to be insanely long. Can something be offered as an alternative? Either shorten the ARN or offer to display alternative string (like ID?)
For example, instead of current:
AKIAXXXXXXXXXXXXXXXX:arn:aws:iam::999999999999:role/MY/VERY/LONG/PATH/My-Long-Role-Name
something like one of:
My-Long-Role-Name
My-Long-Role-Name@999999999999
We currently try to set up a Jenkins with amazon ECS build slaves, using the Amazon EC2 Container Service Plugin.
For that, we need to define a AWS User for the Master to connect. But, when we create the User, aws-credentials returns an error: "Unable to execute HTTP request: Connection refused"
Its running fine, when placing the jenkins master outside the area covered by the proxy.
Jenkins is running as a container using https://hub.docker.com/_/jenkins/
The Proxy is configured using the Java opts -Dhttp.proxyHost -Dhttp.proxyPort -Dhttps.proxyHost -Dhttps.proxyPort
We also tried using the jenkins internal method of configuring a Proxy.
Jenkins Log:
`Mar 30, 2016 3:39:08 PM com.amazonaws.http.AmazonHttpClient executeHelper
INFO: Unable to execute HTTP request: Connection refused
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:524)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:131)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:822)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:576)
at com.amazonaws.http.AmazonHttpClient.doExecute(AmazonHttpClient.java:362)
at com.amazonaws.http.AmazonHttpClient.executeWithTimer(AmazonHttpClient.java:328)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:307)
at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:12562)
at com.amazonaws.services.ec2.AmazonEC2Client.describeAvailabilityZones(AmazonEC2Client.java:478)
at com.amazonaws.services.ec2.AmazonEC2Client.describeAvailabilityZones(AmazonEC2Client.java:10881)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl$DescriptorImpl.doCheckSecretKey(AWSCredentialsImpl.java:109)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:249)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:123)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:514)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Mar 30, 2016 3:39:11 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #38 from /10.252.207.28:35608
Mar 30, 2016 3:39:36 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
WARNING: Connection #37 failed
java.io.EOFException
at java.io.DataInputStream.readFully(DataInputStream.java:197)
at java.io.DataInputStream.readUTF(DataInputStream.java:609)
at java.io.DataInputStream.readUTF(DataInputStream.java:564)
at hudson.TcpSlaveAgentListener$ConnectionHandler.run(TcpSlaveAgentListener.java:150)
Mar 30, 2016 3:39:41 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
WARNING: Connection #38 failed
java.io.EOFException
at java.io.DataInputStream.readFully(DataInputStream.java:197)
at java.io.DataInputStream.readUTF(DataInputStream.java:609)
at java.io.DataInputStream.readUTF(DataInputStream.java:564)
at hudson.TcpSlaveAgentListener$ConnectionHandler.run(TcpSlaveAgentListener.java:150)`
Jenkins and plugins versions report:
Jenkins Version: 2.263.4
Plugin Version 1.29
When I place access key and secret access key into add credentials > Kind AWS Credentials I get Auth Failure. This happens regardless of the keys and I've validated the keys are correct.
Issue looks to be in https://github.com/jenkinsci/aws-credentials-plugin/blob/master/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java
AmazonEC2 ec2 = new AmazonEC2Client(awsCredentials, getClientConfiguration()); // TODO better/smarter validation of the credentials instead of verifying the permission on EC2.READ in us-east-1 String region = "us-east-1";<!--EndFragment-->
Region is hard coded to us-east-1 for validation.
Expected result:
Authentication successful
Actual result:
These credentials are NOT valid: "AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401; Error Code: AuthFailure; Request ID: 54876057-08bf-4ef7-85b1-7b8fb516f5bd; Proxy: null)"
Jenkins and plugins versions report:
aws-credentials:latest
Linux
withCredentials([[$class : 'AmazonWebServicesCredentialsBinding',
credentialsId: credentials]])
Expected result:
Jenkins to grab the role and perform AWS tasks
Actual result:
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value '' at 'externalId' failed to satisfy constraint: Member must have length greater than or equal to 2 (Service: AWSSecurityTokenService
When adding an AWS Credential to Jenkins that includes a Role ARN, the plugin will only use the commercial STS endpoint (sts.amazonaws.com) to retrieve temporary credentials. This means you cannot specify a Role ARN if you are supplying credentials from a non-commercial partition.
The feature should dynamically select the appropriate STS Endpoint based on the partition of the supplied IAM User.
Note: Simply supplying an IAM User from the China Partition works as expected.
No response
The source link at top of github page broken:
https://wiki.jenkins-ci.org/display/JENKINS/CloudBees+Amazon+Web+Services+Credentials+Plugin
I wish a new field could be added that would store and provide an external ID, if required by the IAM role.
I have credentials configured to use IAM Role.
IAM Role To Use is provided as full ARN (i.e arn:aws:iam::account-id:role/role-name)
The error I have
com.amazonaws.services.s3.model.AmazonS3Exception: The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID:
I checked user and role configuration with AWS CLI - it's working as expected (I'm able to use assumed role with CLI)
aws-credentials-plugin version: 1.28.1
We would like to be able to specify the role ARN and role session name at runtime in the call to withCredentials
. That way we can easily leverage multiple roles that are bound the same service user account without having to define those credentials multiple times in Jenkins. For example:
withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: awsCredentialsId, roleArn: 'arn:aws:iam::XXXXX:role/my-role', roleSessionName: 'my-session-name']]) {
...
}
Jenkins and plugins versions report:
Jenkins: 2.303.1
OS: Linux - 5.4.129-63.229.amzn2.x86_64
---
ace-editor:1.1
active-directory:2.25
analysis-model-api:10.5.2
anchore-container-scanner:1.0.23
ansicolor:1.0.0
ant:1.12
antisamy-markup-formatter:2.3
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.13.2
authentication-tokens:1.4
authorize-project:1.4.0
aws-credentials:1.32
aws-java-sdk:1.12.89-292.v2712528e879c
aws-java-sdk-cloudformation:1.12.89-292.v2712528e879c
aws-java-sdk-codebuild:1.12.89-292.v2712528e879c
aws-java-sdk-ec2:1.12.89-292.v2712528e879c
aws-java-sdk-ecr:1.12.89-292.v2712528e879c
aws-java-sdk-ecs:1.12.89-292.v2712528e879c
aws-java-sdk-elasticbeanstalk:1.12.89-292.v2712528e879c
aws-java-sdk-iam:1.12.89-292.v2712528e879c
aws-java-sdk-logs:1.12.89-292.v2712528e879c
aws-java-sdk-minimal:1.12.89-292.v2712528e879c
aws-java-sdk-ssm:1.12.89-292.v2712528e879c
blueocean:1.25.0
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.25.0
blueocean-commons:1.25.0
blueocean-config:1.25.0
blueocean-core-js:1.25.0
blueocean-dashboard:1.25.0
blueocean-display-url:2.4.1
blueocean-events:1.25.0
blueocean-git-pipeline:1.25.0
blueocean-github-pipeline:1.25.0
blueocean-i18n:1.25.0
blueocean-jira:1.25.0
blueocean-jwt:1.25.0
blueocean-personalization:1.25.0
blueocean-pipeline-api-impl:1.25.0
blueocean-pipeline-editor:1.25.0
blueocean-pipeline-scm-api:1.25.0
blueocean-rest:1.25.0
blueocean-rest-impl:1.25.0
blueocean-web:1.25.0
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.25
branch-api:2.7.0
build-name-setter:2.2.0
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-bitbucket-branch-source:2.9.11
cloudbees-disk-usage-simple:0.10
cloudbees-folder:6.16
command-launcher:1.6
config-file-provider:3.8.1
configuration-as-code:1.54
credentials:2.6.1
credentials-binding:1.27
data-tables-api:1.11.3-1
display-url-api:2.3.5
docker-commons:1.17
docker-java-api:3.1.5.2
docker-swarm:1.11
docker-workflow:1.26
durable-task:1.39
ec2-fleet:2.3.6
echarts-api:5.2.1-2
email-ext:2.84
emailext-template:1.2
extended-choice-parameter:0.82
extended-read-permission:3.2
extensible-choice-parameter:1.8.0
favorite:2.3.3
folder-properties:1.2.1
font-awesome-api:5.15.4-1
forensics-api:1.5.0
git:4.9.0
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
gitlab-plugin:1.5.22
gradle:1.37.1
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.26
http_request:1.11
ivy:2.1
jackson2-api:2.13.0-226.v0c5dd2d2fd2a
jacoco:3.3.0
javadoc:1.6
jaxb:2.3.0.1
jdk-tool:1.5
jenkins-design-language:1.25.0
jira:3.6
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
job-restrictions:0.8
jobConfigHistory:2.28.1
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes:1.30.4
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
lockable-resources:2.11
mailer:1.34
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.14
metrics:4.0.2.8
momentjs:1.1.1
okhttp-api:3.14.9
ownership:0.13.0
parameter-separator:1.3
pipeline-aws:1.43
pipeline-build-step:2.15
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.7
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
prometheus:2.0.10
publish-over:0.22
publish-over-cifs:0.16
publish-over-ssh:1.22
pubsub-light:1.16
rebuild:1.32
repository-connector:2.2.0
schedule-build:0.5.1
scm-api:2.6.5
script-security:1.78
simple-theme-plugin:0.7
snakeyaml-api:1.29.1
sonar:2.13.1
sse-gateway:1.24
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
structs:1.23
throttle-concurrents:2.4
timestamper:1.13
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
uno-choice:2.5.6
variant:1.4
warnings-ng:9.5.1
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.40
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
Linux
Expected result:
For 99% of proxies, BASIC auth method is enough. Set ProxyAuthenticationMethods in AWS JAVA SDK accordingly / add configuration option to plugin. When uninitialized, it uses the following list - SPNEGO, KERBEROS, NTLM, DIGEST, BASIC. At least for Kerberos and NTLM there are missing fields in proxy setting, leading to errors in jenkins log and possible proxy account lockout, when hard account locking rules are set.
Actual result:
Actually we have problems when using this plugin with our proxy, leading to account lockouts.
Hi,
I am trying to do a setup where the Jenkins Master which is hosted on AWS tries to connect to AWS APIs using cli. We have been using the IAM User approach and that has worked well and are now trying to move toward the IAM based approach. The IAM role is attached to the instance and when trying the IAM role ARN, I am getting a 403 from STS. Error logs as attached:
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 18486065-9d7d-11e9-b24d-0d84d7b24f70)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1389)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1356)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1345)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:528)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:500)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:163)
at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:97)
at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:135)
at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
When using an access key to assume an IAM role, the AWS_SESSION_TOKEN environment variable is not being set.
I was looking through the code, and feel like the issue might be in this file, but I'm not a Java dev, and would appreciate if someone more experienced in that area could please take a look at this.
I'm using a Jenkins Pipeline to provide the credentials to my build. See this pipeline example snippet:
withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: 'aws-creds']]) {
sh 'env'
}
env Output:
+ env
JENKINS_HOME=/var/jenkins_home
no_proxy=127.0.0.1
RUN_CHANGES_DISPLAY_URL=http://localhost:8080/job/aws-infra/18/display/redirect?page=changes
HOSTNAME=95f289c8ae68
NODE_LABELS=master
HUDSON_URL=http://localhost:8080/
SHLVL=0
HOME=/var/jenkins_home
BUILD_URL=http://localhost:8080/job/aws-infra/18/
HUDSON_COOKIE=64220461-ba1b-4309-b4be-1d1a09324522
JENKINS_SERVER_COOKIE=durable-09bfba379178a45fd0395d8babc98540
WORKSPACE=/var/jenkins_home/workspace/aws-infra
JAVA_VERSION=8u121
NODE_NAME=master
CA_CERTIFICATES_JAVA_VERSION=20161107~bpo8+1
EXECUTOR_NUMBER=0
TINI_SHA=fa23d1e20732501c3bb8eeeca423c89ac80ed452
BUILD_DISPLAY_NAME=#18
HUDSON_HOME=/var/jenkins_home
JOB_BASE_NAME=aws-infra
JAVA_DEBIAN_VERSION=8u121-b13-1~bpo8+1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BUILD_ID=18
BUILD_TAG=jenkins-aws-infra-18
LANG=C.UTF-8
JENKINS_URL=http://localhost:8080/
JOB_URL=http://localhost:8080/job/aws-infra/
BUILD_NUMBER=18
RUN_DISPLAY_URL=http://localhost:8080/job/aws-infra/18/display/redirect
AWS_ACCESS_KEY_ID=****
JENKINS_SLAVE_AGENT_PORT=50000
AWS_SECRET_ACCESS_KEY=****
HUDSON_SERVER_COOKIE=23073d19f5a26cc1
JOB_DISPLAY_URL=http://localhost:8080/job/aws-infra/display/redirect
JOB_NAME=aws-infra
COPY_REFERENCE_FILE_LOG=/var/jenkins_home/copy_reference_file.log
JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
PWD=/var/jenkins_home/workspace/aws-infra
TINI_VERSION=0.9.0
cloudbee aws credentials plugin cannot be disabled
We actually need this for amazon-ecr-plugin
but seems this plugin is actually is the right place. Otherwise it limits usage of ECR in pipelines when EC2 Instance Profile
withRegistry('xyz', 'ecr:credentials-id') {
...
}
Add Instance Profile support to AWSCredentialsImpl
. Change is as simple as that:
method getCredentials()
...
def credProv = InstanceProfileCredentialsProvider.getInstance()
Jenkins and plugins versions report:
Jenkins: 2.303.1
OS: Linux - 5.10.0-8-amd64
---
aws-credentials:1.32
Linux
withCredentials
Expected result:
A nice pipeline like
withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: 'foobar']]) {
// some block
}
or
withCredentials([aws(credentialsId: 'foobar')]) {
// some block
}
(as seen on https://www.jenkins.io/doc/pipeline/steps/credentials-binding/#withcredentials-bind-credentials-to-variables)
Actual result:
withCredentials([<object of type com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding>]) {
// some block
}
I tried using it with declarative pipeline and it giving me error.
stage('upload') {
environment {
AN_ACCESS_KEY = credentials('s3-upload-credential')
}
steps {
sh '''
printenv
'''
}
No suitable binding handler could be found for type com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl. Supported types are StandardUsernamePasswordCredentials,FileCredentials,StringCredentials.
If it's not yet possible, what's the recommended workaround?
Credentials configured with a role do not use proxy settings on sts:AssumeRole
call.
To fix, 7904367 needs to be ported to d12ab1d by passing clientConfiguration
on calls to assumeRole:
Relevant stack trace of master node behind proxy using iamRoleArn
hudson.remoting.ProxyException: java.net.SocketTimeoutException: connect timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:339)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:142)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
Caused: hudson.remoting.ProxyException: org.apache.http.conn.ConnectTimeoutException: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/52.46.134.192] failed: connect timed out
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
at com.amazonaws.http.conn.$Proxy81.connect(Unknown Source)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1238)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:124)
at com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryCredential.getPassword(AmazonECSRegistryCredential.java:128)
at com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryTokenSource.convert(AmazonECSRegistryTokenSource.java:55)
at com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryTokenSource.convert(AmazonECSRegistryTokenSource.java:41)
at jenkins.authentication.tokens.api.AuthenticationTokens.convert(AuthenticationTokens.java:148)
at jenkins.authentication.tokens.api.AuthenticationTokens.convert(AuthenticationTokens.java:110)
at org.jenkinsci.plugins.docker.commons.credentials.DockerRegistryEndpoint.getToken(DockerRegistryEndpoint.java:185)
at org.jenkinsci.plugins.docker.commons.credentials.DockerRegistryEndpoint.newKeyMaterialFactory(DockerRegistryEndpoint.java:243)
at org.jenkinsci.plugins.docker.workflow.RegistryEndpointStep$Execution.newKeyMaterialFactory(RegistryEndpointStep.java:88)
at org.jenkinsci.plugins.docker.workflow.AbstractEndpointStepExecution.start(AbstractEndpointStepExecution.java:44)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:229)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:153)
at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:122)
at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:48)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
at com.cloudbees.groovy.cps.sandbox.DefaultInvoker.methodCall(DefaultInvoker.java:20)
Caused: hudson.remoting.ProxyException: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/52.46.134.192] failed: connect timed out
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1116)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1066)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:124)
OIDC is a great way to get rotating credentials when working with AWS. Hard coding credentials is extremely frowned upon. In the case where Jenkins isn't hosted in AWS, but needs a set of credentials that do rotate, OIDC is an excellent way to do this.
This is what it looks like with github: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
I believe https://github.com/jenkinsci/aws-credentials-plugin/blob/master/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java#L229 would need to take an argument, and possibly use https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/securitytoken/model/AssumeRoleWithWebIdentityRequest.html
The following plugin for jenkins leverages OIDC https://plugins.jenkins.io/oidc-provider/ but it seems not compatable with the aws cloud jenkins plugin
No response
All of the binding implementations in the Credentials Binding Plugin leverage a @Symbol("...")
annotation on their DescriptorImpl
classes. This plugin could easily do the same and allow developers to use a more natural, function-like approach when consuming AWS credentials.
Current impl requires this syntax: [[$class: 'AwsBucketCredentialsBinding', ....]]
Assuming the symbol is awsCredentials, here's what it would look like:
withCredentials([awsCredentials(credentialsId: 'aws-credentials']]) {
sh '...'
}
It would be great to add support for obtaining keys based on AssumeRole
feature. \
I'm thinking about a feature where one could provide the roleArn and other identifiers and the temp tokens are obtained and stored in a named profile based on the instanceProfiles.
This will be useful cross account deployments.
I will be happy to submit a patch if there is enough interest.
None
Our cloud strategy is setup so that each deploy environment is its own AWS account. To provide feedback quickly to our users, we run cloud formation diffs in parallel for each AWS account. This normally works as expected, however we sometimes run into a race condition where the session token is overriden by another task in parallel execution. This results in a security token error from AWS.
I'd like to propose a feature that allows the AWS_SESSION_TOKEN
environment variable to be configurable. Using this plugin in conjunction with withEnv
, we can ensure that each task in parallel execution is using the correct AWS session.
Example:
node('build') {
def tasks = [:]
tasks['1'] = {
withCredentials([[
$class: 'AmazonWebServicesCredentialsBinding',
accessKeyVariable: 'AWS_ACCESS_KEY_ID_DEV',
credentialsId: 'dev-account',
secretKeyVariable: 'AWS_SECRET_ACCESS_KEY_DEV',
sessionTokenVaribale: 'AWS_SESSION_TOKEN_DEV']]
) {
withEnv([
'AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID_DEV',
'AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY_DEV',
'AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN_DEV'
]) {
//code
}
}
}
tasks['2'] = {
withCredentials([[
$class: 'AmazonWebServicesCredentialsBinding',
accessKeyVariable: 'AWS_ACCESS_KEY_ID_TEST',
credentialsId: 'test-account',
secretKeyVariable: 'AWS_SECRET_ACCESS_KEY_TEST',
sessionTokenVaribale: 'AWS_SESSION_TOKEN_TEST']]
) {
withEnv([
'AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID_TEST',
'AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY_TEST',
'AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN_TEST'
]) {
//code
}
}
}
parallel tasks
}
When using assume role, this does not set the AWS_STS_ROLE_ARN environment variable. Some applications depend on this (in our case sparkleformation deployment).
Exception searching clusters for credentials=Test, regionName=eu-west-1:com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value 'Jenkins ' at 'roleSessionName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w+=,.@-]* (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: 20e28d0c-b8ff-11e9-8b33-4d7def127bc0)
Looks like roleSessionName is wrong, as it includes a whitespace which breaks the assumeRole action. It doesn't happen in other languages. Forcing Jenkins to use en_GB locales (Using locale plugin for example) fixes it.
I get the following error when trying to use Jenkins integrated credentials to authorise AWS operations. We use a role based concept, where one account holds all the users and lets us jump into roles into various (often customer) accounts. When I do it manually with the aws cli, there is no issue and I have definitively double and triple checked that I use the same credentials in both cases and I am running the aws cli from a job in Jenkins running on the exact same slave, with no aws configure or other credentials present.
FATAL: User: arn:aws:iam::xxx:user/xxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxx:role/xxx (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: xxx)
I tried using @alexejk hpi which supposedly fixes some issues in AssumeRole, but to no avail.
My Jenkins is in version 2.60.1 and the plugin has version 1.21, as mentioned with or without pull request #20
Since the last update, the plugin is no longer available from the Jenkins plugins mirrors.
See:
http://updates.jenkins.io/download/plugins/aws-credentials-plugin/latest/aws-credentials-plugin.hpi
http://mirrors.jenkins-ci.org/plugins/aws-credentials-plugin/latest/aws-credentials-plugin.hpi
I am trying this plugin for the first time. When trying to configure the Jenkins job to assume iam role in advanced settings, getting error related to MFA. Whereas MFA is disabled for the user. Also, the trust policy of the role being assumed does not have any condition for MFA specified. Can you please guide what can be wrong.
"There was an error assuming the specified IAM role, a MFA may be required by your organization"
Failure
com.amazonaws.services.s3.model.AmazonS3Exception: The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID: 70D66789531A94B5; S3 Extended Request ID: l6QrwO1E2nkkzPNN3nmUcu09JjrJhjrxfiNWEiwks6wK0xuZZf0xJ0KT4myVOuQitemUiFniYP4=), S3 Extended Request ID: l6QrwO1E2nkkzPNN3nmUcu09JjrJhjrxfiNWEiwks6wK0xuZZf0xJ0KT4myVOuQitemUiFniYP4=
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4926)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4872)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4866)
at com.amazonaws.services.s3.AmazonS3Client.listBuckets(AmazonS3Client.java:979)
at com.amazonaws.services.s3.AmazonS3Client.listBuckets(AmazonS3Client.java:985)
at
in jenkinsfile groovy i use
withAWSCredentials([ credentialsId: "my-id" ]) {
}
in Jenkins log i see
2020-12-29 14:47:52.287+0000 [id=17291] WARNING c.c.j.p.a.AWSCredentialsImpl#getCredentials: Could not find default region using SDK lookup.
com.amazonaws.SdkClientException: Unable to load region information from any provider in the chain
at com.amazonaws.regions.AwsRegionProviderChain.getRegion(AwsRegionProviderChain.java:59)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:138)
at com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryCredential.getPassword(AmazonECSRegistryCredential.java:128)
at com.cloudbees.jenkins.plugins.bitbucket.api.credentials.BitbucketOAuthCredentialMatcher.matches(BitbucketOAuthCredentialMatcher.java:29)
at com.cloudbees.plugins.credentials.matchers.AnyOfMatcher.lambda$matches$0(AnyOfMatcher.java:66)
at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1359)
at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:499)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:486)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:516)
at com.cloudbees.plugins.credentials.matchers.AnyOfMatcher.matches(AnyOfMatcher.java:66)
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
at java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
at com.cloudbees.plugins.credentials.CredentialsProvider.getCredentialIds(CredentialsProvider.java:1184)
at com.cloudbees.plugins.credentials.CredentialsProvider.listCredentials(CredentialsProvider.java:484)
at com.cloudbees.plugins.credentials.common.AbstractIdCredentialsListBoxModel.includeMatchingAs(AbstractIdCredentialsListBoxModel.java:499)
at com.cloudbees.jenkins.plugins.bitbucket.endpoints.AbstractBitbucketEndpointDescriptor.doFillCredentialsIdItems(AbstractBitbucketEndpointDescriptor.java:61)
at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694)
at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:763)
at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1633)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:153)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:561)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1612)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1582)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
at java.lang.Thread.run(Thread.java:748)
Jenkins and plugins versions report:
Jenkins: 2.319
OS: Linux - 4.14.248-129.473.amzn1.x86_64
---
Parameterized-Remote-Trigger:3.1.5.1
ace-editor:1.1
amazon-ecr:1.6
amazon-ecs:1.24
ansicolor:1.0.0
ant:1.12
antisamy-markup-formatter:2.1
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-batch:2.8
aws-credentials:1.32
aws-java-sdk:1.11.700
aws-java-sdk-ec2:1.12.101-300.vc09c7be9cb57
aws-java-sdk-minimal:1.12.101-300.vc09c7be9cb57
badge:1.8
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.20
branch-api:2.7.0
build-timeout:1.20
build-token-root:1.7
bulk-builder:1.5
caffeine-api:2.9.2-29.v717aac953ff3
categorized-view:1.12
checks-api:1.7.2
cloudbees-folder:6.16
command-launcher:1.6
conditional-buildstep:1.4.1
credentials:2.6.2
credentials-binding:1.27
dashboard-view:2.17
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
durable-task:1.39
echarts-api:5.2.1-2
email-ext:2.84
external-monitor-job:1.7
extra-columns:1.24
font-awesome-api:5.15.4-1
ghprb:1.42.2
git:4.8.3
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
google-login:1.6
gradle:1.37.1
groovy:2.4
groovy-postbuild:2.5
handlebars:3.0.8
jackson2-api:2.13.0-230.v59243c64b0a5
javadoc:1.6
jdk-tool:1.5
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
jobConfigHistory:2.28.1
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
ldap:2.7
localization-support:1.1
localization-zh-cn:1.0.24
lockable-resources:2.11
mailer:1.34
mapdb-api:1.0.9.0
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.12
momentjs:1.1.1
monitoring:1.88.0
naginator:1.18.1
okhttp-api:3.14.9
pam-auth:1.6
parameterized-trigger:2.41
pipeline-build-step:2.15
pipeline-github-lib:1.0
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
plain-credentials:1.7
plugin-usage-plugin:1.2
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.1-1
rebuild:1.32
resource-disposer:0.16
run-condition:1.5
scm-api:2.6.5
script-security:1.78
slack:2.48
snakeyaml-api:1.29.1
ssh-agent:1.23
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
structs:1.23
subversion:2.15.1
thinBackup:1.10
timestamper:1.13
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
variant:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.46
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.39
workflow-job:2.41
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39
Linux
Expected result:
Able to see the list of ECS Cluster resources based on the IAM Role granted to Jenkins master server.
Actual result:
Cannot retrieve the expected ECS Cluster Resources
The small window inside show errors A Problem occurred while processing the request
Checking the Jenkins System Logs, in turns out there was an issue with java.lang.LinkageError: loader constraint violation: loader (instance of jenkins/util/AntClassLoader) previously initiated loading for a different type with name "com/amazonaws/ClientConfiguration"
. Please refer to log
aws-cloudbess-error.log
Note
Downgrade AWS Credentials Plugins to v1.30, it works properly and can retrieve the expected ECS Cluster Resources
aws-sdk-java
needs to be at least 1.11.704 in order for AWS credentials from a Kubernetes ServiceAccount to be part of the default credentials chain. (See: aws/aws-sdk-java#2136 (comment) ) This would allow Jenkins to be run on e.g. EKS using native AWS credential setup and then assume other roles from there. From the comments, looks like adding aws-java-sdk-sts
is also needed for this.
Jenkins and plugins versions report:
Jenkins: 2.263.3
OS: Linux - 3.10.0-1160.41.1.el7.x86_64
aws-credentials:1.30
credentials:2.5
credentials-binding:1.27
pipeline-aws:1.43
controller: OS: Linux - 3.10.0-1160.41.1.el7.x86_64
agent: Linux RHEL 6.7
withAWS(credentials: 'aws-s3-creds', region: 'us-east-1') {
s3Upload acl: 'Private',
bucket: 'some-bucket',
file: 'bm-test-file2'
}
SYSTEM
- as recommended by jenkinsExpected result:
File uploaded to S3.
If the system is configured to run jobs as SYSTEM the jobs works as expected.
Even granting admin privileges to the user running the job is not sufficient. (And even it did that would defeat the purpose.)
Actual result:
Job fails:
java.lang.RuntimeException: Cannot find a Username with password credential with the ID aws-s3-creds
at de.taimos.pipeline.aws.WithAWSStep$Execution.withCredentials(WithAWSStep.java:372)
at de.taimos.pipeline.aws.WithAWSStep$Execution.start(WithAWSStep.java:301)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:319)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:193)
at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:122)
at jdk.internal.reflect.GeneratedMethodAccessor631.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:163)
at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:158)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
at WorkflowScript.run(WorkflowScript:15)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.delegateAndExecute(ModelInterpreter.groovy:137)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.executeSingleStage(ModelInterpreter.groovy:666)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.catchRequiredContextForNode(ModelInterpreter.groovy:395)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.catchRequiredContextForNode(ModelInterpreter.groovy:393)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.executeSingleStage(ModelInterpreter.groovy:665)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:288)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.toolsBlock(ModelInterpreter.groovy:544)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.toolsBlock(ModelInterpreter.groovy:543)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:276)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withEnvBlock(ModelInterpreter.groovy:443)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withEnvBlock(ModelInterpreter.groovy:442)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:275)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withCredentialsBlock(ModelInterpreter.groovy:481)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withCredentialsBlock(ModelInterpreter.groovy:480)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:274)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.inDeclarativeAgent(ModelInterpreter.groovy:586)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.inDeclarativeAgent(ModelInterpreter.groovy:585)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:272)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.stageInput(ModelInterpreter.groovy:356)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.stageInput(ModelInterpreter.groovy:355)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:261)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.inWrappers(ModelInterpreter.groovy:618)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.inWrappers(ModelInterpreter.groovy:617)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:259)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withEnvBlock(ModelInterpreter.groovy:443)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withEnvBlock(ModelInterpreter.groovy:442)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:254)
at ___cps.transform___(Native Method)
at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:86)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:113)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:83)
at jdk.internal.reflect.GeneratedMethodAccessor170.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
at com.cloudbees.groovy.cps.impl.ClosureBlock.eval(ClosureBlock.java:46)
at com.cloudbees.groovy.cps.Next.step(Next.java:83)
at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:129)
at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:268)
at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:51)
at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:185)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:400)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$400(CpsThreadGroup.java:96)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:312)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:276)
at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:67)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:136)
at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Finished: FAILURE
I want to automatically rotate our credentials on a regular basis.
Therefore the corresponding infrastructure exists to perform this change in AWS, but the credentials should be also updated in Jenkins.
I am not able to find a way to perform the credentials change in jenkins in an automated way.
Could you please add a part of the documentation which explains how/which requests to trigger?
Thank you
No response
I tried to use the plugin with aws govcloud and I got this error:
These credentials are NOT valid: "AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401; Error Code: AuthFailure; Request ID: XXXX)"
the plugin does not support govcloud?
thanks!
What I see is the plugin does not support access across multiple AWS accounts.
What I would like is the ability to add multiple accounts and use the role access system.
Why this would support the separation of account duties for Development, Test, and Production.
Use the best practices for Role based authentication, and limit the tools ability per the roles assigned
in the account.
AWS Doc for details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
According to https://faddom.com/accessing-an-amazon-eks-kubernetes-cluster/ and https://github.com/aws/aws-cli/blob/develop/awscli/customizations/eks/get_token.py, it's possible to create an EKS token from current AWS profile.
Furthermore, this token can be wrapped as a secret text credential and can be used by other plugins which need to access AWS EKS without AWS cli.
A use case is to enable the Jenkins Kubernetes plugin to use a remote EKS as dynamic agents pool.
No response
The only relevant line I see is this
environment {
AN_ACCESS_KEY = credentials("${params.ENVIRONMENT}")
}
Where ${params.ENVIRONMENT}
referes to AWS credentials. The credentials work as expected with build succeeding, it's just a warning that is bothersome
I see the variables reported by the warning are set here ->
When adding an AWS Credential to Jenkins that includes a Role ARN, the plugin will only use the commercial STS endpoint (sts.amazonaws.com) to retrieve temporary credentials. This means you cannot specify a Role ARN if you are supplying credentials in a private network where an internet connection is not available.
The feature should dynamically select the appropriate STS Endpoint based region example,
If we try to connect the sts endpoint from the eu-west-1 region and the global endpoint isn't able to connect due to an internet connection it should try to connect region-based endpoint [ sts.eu-west-1.amazonaws.com ].
No response
Currently the plugin does not specify the region when validating credentials, hence it defaults to us-east-1.
I have an access key with a policy restricted to another region (eu-west-1) which fails validation because of this.
Suggesting some kind of parameterization of the region to use, e.g. by using an environment variable possibly set by EnvInject plugin.
Currently this seem pointless? I assume it lets me pick the AWs credentials by ID, using a build parameter.
But, it does not allow anything other that the param name wrapped in ${}
meaning it cannot be dynamic, making it utterly useless.
Add to that, the glaring lack fo documentation, I'm totally stumped.
Paste the output here
Uninstallation is very slow
mn
mn
kln
nothing
no
It would be great if we could leave the access key ID and secret access key blank to assume a role using the EC2 instance profile credentials.
I just installed the latest version of the plugin with the assume role support included from PR #20. I've got an EC2 slave with an IAM role of jenkins-ec2
, and I've created an IAM role called jenkins-role
that I'm trying to get jenkins to assume. I've configured the credentials plugin with no access key or secret, but with a Task Role of my assumable jenkins-role
role. (And I've set up the trust relationship appropriately, so jenkins-role
is assumable by jenkins-ec2
.)
When my job starts, I get this error:
Started by user Jason Hoetger
[EnvInject] - Loading node environment variables.
Building remotely on jenkins-u16-3 (jenkins jenkins-u16) in workspace /home/ubuntu/workspace/assume-role-test
FATAL: The requested metadata is not found at http://169.254.169.254/latest/meta-data/iam/security-credentials/
com.amazonaws.SdkClientException: The requested metadata is not found at http://169.254.169.254/latest/meta-data/iam/security-credentials/
at com.amazonaws.internal.EC2CredentialsUtils.readResource(EC2CredentialsUtils.java:115)
at com.amazonaws.internal.EC2CredentialsUtils.readResource(EC2CredentialsUtils.java:77)
at com.amazonaws.auth.InstanceProfileCredentialsProvider$InstanceMetadataCredentialsEndpointProvider.getCredentialsEndpoint(InstanceProfileCredentialsProvider.java:156)
at com.amazonaws.auth.EC2CredentialsFetcher.fetchCredentials(EC2CredentialsFetcher.java:121)
at com.amazonaws.auth.EC2CredentialsFetcher.getCredentials(EC2CredentialsFetcher.java:82)
at com.amazonaws.auth.InstanceProfileCredentialsProvider.getCredentials(InstanceProfileCredentialsProvider.java:141)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:119)
at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:97)
at org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper.setUp(SecretBuildWrapper.java:59)
at hudson.model.Build$BuildExecution.doRun(Build.java:156)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
at hudson.model.Run.execute(Run.java:1729)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:404)
Finished: FAILURE
It looks like it's trying to get metadata from http://169.254.169.254/latest/meta-data/iam/security-credentials/
. When I hop on the box, I can confirm that that URL returns nothing, but adding the role name as indicated in the AWS docs does, in fact, return the appropriate credentials.
In other words, http://169.254.169.254/latest/meta-data/iam/security-credentials/jenkins-ec2
returns the EC2 instance credentials. The jenkins-ec2
role name appears to be missing from the endpoint it's trying to hit.
Any idea why this might be happening? Have I misconfigured my plugin? Is the InstanceProfileCredentialsProvider
from the AWS SDK being properly instantiated and used properly in PR #20?
I'm wondering if it might be better to avoid explicitly instantiating the InstanceProfileCredentialsProvider
and simply allow the AWS SDK to get credentials using its the default provider chain. That would also have the advantage of allowing the assume role support to work with ECS Task Roles, since the AWS SDK already knows how to fetch those credentials using the default provider chain.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.