The jenkins build does not work anymore after the update to 1.24. The stacktrace message says

com.amazonaws.SdkClientException: Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.
	at com.amazonaws.client.builder.AwsClientBuilder.setRegion(AwsClientBuilder.java:436)
	at com.amazonaws.client.builder.AwsClientBuilder.configureMutableProperties(AwsClientBuilder.java:402)
	at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
	at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:124)
	at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:97)
	at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:270)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:178)
	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:122)
	at sun.reflect.GeneratedMethodAccessor380.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
	at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:157)
	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:155)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:159)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
	at WorkflowScript.run(WorkflowScript:21)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
	at sun.reflect.GeneratedMethodAccessor310.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ClosureBlock.eval(ClosureBlock.java:46)
	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122)
	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$101(SandboxContinuable.java:34)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.lambda$run0$0(SandboxContinuable.java:59)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:58)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:182)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:332)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$200(CpsThreadGroup.java:83)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:244)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:232)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE

This is the relevant part of Jenkinsfile, where the build fails

node('our-node') {
        withCredentials([[$class           : 'AmazonWebServicesCredentialsBinding', credentialsId: 'CI-development',
                          accessKeyVariable: 'AWS_ACCESS_KEY_ID', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
            try { ... } catch (e) { ... } 
}

I tried to set the aws variables "AWS_DEFAULT_REGION", "AWS_REGION" and "REGION" (not sure which one is the correct name) to "eu-central-1" (where the application is to be deployed) at different places

• Globally in Jenkins environment settings
• as a parameter within withCredentials([ ... ])
• wrapping withCredentials into withEnv(['AWS_REGION=eu-central-1']) { ... }
• wrapping withCredentials into withAWS(region:'eu-central-1') { ... }
• wrapping withCredentials into withAWS(region: Region.EU_Frankfurt.toString()) { ... }

The latter ones look like this, then

node('our-node') {
    withAWS(region: Region.EU_Frankfurt.toString()) {
        withCredentials([[$class           : 'AmazonWebServicesCredentialsBinding', credentialsId: 'CI-development',
                          accessKeyVariable: 'AWS_ACCESS_KEY_ID', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
            try { ... } catch (e) { ... } 
    }
}

Both even display the following log before failing the same ways as above

[Pipeline] {
[Pipeline] withAWS
Setting AWS region eu-central-1 
 [Pipeline] {
[Pipeline] withCredentials
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // withAWS
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
com.amazonaws.SdkClientException: Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.
	at com.amazonaws.client.builder.AwsClientBuilder.setRegion(AwsClientBuilder.java:436)
	at com.amazonaws.client.builder.AwsClientBuilder.configureMutableProperties(AwsClientBuilder.java:402)
	at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
	at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:124)
	at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:97)
	at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114)
	...

Any help appreciated, as I were forced to downgrade the plugin to 1.23 to get the build working.

Cheers

• aws sts get-caller-identity

An error occurred (IncompleteSignature) when calling the GetCallerIdentity operation: 'AKIAVIDUC********/20200128/us-east-1/sts/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential=****/20200128/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=ca1c27681e5530894c813ad18b8980b06610724e0521b226f***********'.

When using the AWS CLI plugin I am not able to set a default region of us-east-2 in my build jobs.

Steps to reproduce:
Navigate to the Configuration page of the job and, in the Build Environment section, check Setup Amazon Web Services CLI. Choose Default Region.

Expectation:
That this be changed to a free text field, or the drop down be modified to include all regions in aws.

Hi,

It would be awesome if when we use AssumeRole system we could get the ARN in a variable.

My need is that for run terraform or some other tools which are able to assume role by them self I would not need to duplicate the ARN in jenkins and in the tools...

What do you think ?

Cheers
Geoffrey

trying to figure out how to use this in a Jenkinsfile, finally got it to do something...

       withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: 'dev', variable: 'AWS_ACCESS_KEY_ID']]) {
               sh "echo this is ${env.AWS_ACCESS_KEY_ID}"
               sh "echo this is ${env.AWS_SECRET_ACCESS_KEY}"
       }

just displays **** but does not crash the script

Can someone give post a working hello world type code snippet example please?
thanks!

I was considering making a contribution to implement Instance Profiles (See #15) . However, there's no way for me to build this locally - there appears to be missing classes (e.g. Messages) and definitely missing tests.

Is there a different repository I should look at?

When using with Keys, the DisplayName is semi-ugly, but bearable... but when using with Role ARN - the display name gets to be insanely long. Can something be offered as an alternative? Either shorten the ARN or offer to display alternative string (like ID?)

For example, instead of current:

AKIAXXXXXXXXXXXXXXXX:arn:aws:iam::999999999999:role/MY/VERY/LONG/PATH/My-Long-Role-Name

something like one of:

• My-Long-Role-Name
• My-Long-Role-Name@999999999999
• (or, like i said, just offer a custom field?)

We currently try to set up a Jenkins with amazon ECS build slaves, using the Amazon EC2 Container Service Plugin.
For that, we need to define a AWS User for the Master to connect. But, when we create the User, aws-credentials returns an error: "Unable to execute HTTP request: Connection refused"
Its running fine, when placing the jenkins master outside the area covered by the proxy.
Jenkins is running as a container using https://hub.docker.com/_/jenkins/
The Proxy is configured using the Java opts -Dhttp.proxyHost -Dhttp.proxyPort -Dhttps.proxyHost -Dhttps.proxyPort
We also tried using the jenkins internal method of configuring a Proxy.

Jenkins Log:
`Mar 30, 2016 3:39:08 PM com.amazonaws.http.AmazonHttpClient executeHelper
INFO: Unable to execute HTTP request: Connection refused
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:524)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:131)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:822)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:576)
at com.amazonaws.http.AmazonHttpClient.doExecute(AmazonHttpClient.java:362)
at com.amazonaws.http.AmazonHttpClient.executeWithTimer(AmazonHttpClient.java:328)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:307)
at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:12562)
at com.amazonaws.services.ec2.AmazonEC2Client.describeAvailabilityZones(AmazonEC2Client.java:478)
at com.amazonaws.services.ec2.AmazonEC2Client.describeAvailabilityZones(AmazonEC2Client.java:10881)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl$DescriptorImpl.doCheckSecretKey(AWSCredentialsImpl.java:109)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:249)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:123)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:514)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

Mar 30, 2016 3:39:11 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #38 from /10.252.207.28:35608
Mar 30, 2016 3:39:36 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
WARNING: Connection #37 failed
java.io.EOFException
at java.io.DataInputStream.readFully(DataInputStream.java:197)
at java.io.DataInputStream.readUTF(DataInputStream.java:609)
at java.io.DataInputStream.readUTF(DataInputStream.java:564)
at hudson.TcpSlaveAgentListener$ConnectionHandler.run(TcpSlaveAgentListener.java:150)

Mar 30, 2016 3:39:41 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
WARNING: Connection #38 failed
java.io.EOFException
at java.io.DataInputStream.readFully(DataInputStream.java:197)
at java.io.DataInputStream.readUTF(DataInputStream.java:609)
at java.io.DataInputStream.readUTF(DataInputStream.java:564)
at hudson.TcpSlaveAgentListener$ConnectionHandler.run(TcpSlaveAgentListener.java:150)`

Version report

Jenkins and plugins versions report:
Jenkins Version: 2.263.4
Plugin Version 1.29

• What Operating System are you using (both controller, and any agents involved in the problem)?
  Host EC2 is RedHat
  Running on Docker container
  Docker version 19.03.8

Reproduction steps

When I place access key and secret access key into add credentials > Kind AWS Credentials I get Auth Failure. This happens regardless of the keys and I've validated the keys are correct.

Issue looks to be in https://github.com/jenkinsci/aws-credentials-plugin/blob/master/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java

        // TODO better/smarter validation of the credentials instead of verifying the permission on EC2.READ in us-east-1            String region = "us-east-1";<!--EndFragment-->

Region is hard coded to us-east-1 for validation.

Results

Expected result:

Authentication successful

Actual result:

These credentials are NOT valid: "AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401; Error Code: AuthFailure; Request ID: 54876057-08bf-4ef7-85b1-7b8fb516f5bd; Proxy: null)"

Version report

Jenkins and plugins versions report:

aws-credentials:latest

• What Operating System are you using (both controller, and any agents involved in the problem)?

Linux

Reproduction steps

• Step 1: Create a new credentials that will take an IAM role without external Id

• Step 2: In the pipeline

withCredentials([[$class       : 'AmazonWebServicesCredentialsBinding',
                                    credentialsId: credentials]])

Results

Expected result:

Jenkins to grab the role and perform AWS tasks

Actual result:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value '' at 'externalId' failed to satisfy constraint: Member must have length greater than or equal to 2 (Service: AWSSecurityTokenService

@kohsuke It should be unacceptable that @andresrc can publish a plugin to jenkinssci without proper documentation. Can someone please add proper documentation that includes a job config example, as well as a declarative and scripted example?

I had to find the information in this issue: #22

What feature do you want to see added?

When adding an AWS Credential to Jenkins that includes a Role ARN, the plugin will only use the commercial STS endpoint (sts.amazonaws.com) to retrieve temporary credentials. This means you cannot specify a Role ARN if you are supplying credentials from a non-commercial partition.

The feature should dynamically select the appropriate STS Endpoint based on the partition of the supplied IAM User.

Note: Simply supplying an IAM User from the China Partition works as expected.

Upstream changes

No response

The source link at top of github page broken:
https://wiki.jenkins-ci.org/display/JENKINS/CloudBees+Amazon+Web+Services+Credentials+Plugin

I wish a new field could be added that would store and provide an external ID, if required by the IAM role.

I have credentials configured to use IAM Role.
IAM Role To Use is provided as full ARN (i.e arn:aws:iam::account-id:role/role-name)

The error I have
com.amazonaws.services.s3.model.AmazonS3Exception: The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID:

I checked user and role configuration with AWS CLI - it's working as expected (I'm able to use assumed role with CLI)

aws-credentials-plugin version: 1.28.1

We would like to be able to specify the role ARN and role session name at runtime in the call to withCredentials. That way we can easily leverage multiple roles that are bound the same service user account without having to define those credentials multiple times in Jenkins. For example:

withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: awsCredentialsId, roleArn: 'arn:aws:iam::XXXXX:role/my-role', roleSessionName: 'my-session-name']]) {
    ...
}

Version report

Jenkins and plugins versions report:

Jenkins: 2.303.1
OS: Linux - 5.4.129-63.229.amzn2.x86_64
---
ace-editor:1.1
active-directory:2.25
analysis-model-api:10.5.2
anchore-container-scanner:1.0.23
ansicolor:1.0.0
ant:1.12
antisamy-markup-formatter:2.3
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.13.2
authentication-tokens:1.4
authorize-project:1.4.0
aws-credentials:1.32
aws-java-sdk:1.12.89-292.v2712528e879c
aws-java-sdk-cloudformation:1.12.89-292.v2712528e879c
aws-java-sdk-codebuild:1.12.89-292.v2712528e879c
aws-java-sdk-ec2:1.12.89-292.v2712528e879c
aws-java-sdk-ecr:1.12.89-292.v2712528e879c
aws-java-sdk-ecs:1.12.89-292.v2712528e879c
aws-java-sdk-elasticbeanstalk:1.12.89-292.v2712528e879c
aws-java-sdk-iam:1.12.89-292.v2712528e879c
aws-java-sdk-logs:1.12.89-292.v2712528e879c
aws-java-sdk-minimal:1.12.89-292.v2712528e879c
aws-java-sdk-ssm:1.12.89-292.v2712528e879c
blueocean:1.25.0
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.25.0
blueocean-commons:1.25.0
blueocean-config:1.25.0
blueocean-core-js:1.25.0
blueocean-dashboard:1.25.0
blueocean-display-url:2.4.1
blueocean-events:1.25.0
blueocean-git-pipeline:1.25.0
blueocean-github-pipeline:1.25.0
blueocean-i18n:1.25.0
blueocean-jira:1.25.0
blueocean-jwt:1.25.0
blueocean-personalization:1.25.0
blueocean-pipeline-api-impl:1.25.0
blueocean-pipeline-editor:1.25.0
blueocean-pipeline-scm-api:1.25.0
blueocean-rest:1.25.0
blueocean-rest-impl:1.25.0
blueocean-web:1.25.0
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.25
branch-api:2.7.0
build-name-setter:2.2.0
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-bitbucket-branch-source:2.9.11
cloudbees-disk-usage-simple:0.10
cloudbees-folder:6.16
command-launcher:1.6
config-file-provider:3.8.1
configuration-as-code:1.54
credentials:2.6.1
credentials-binding:1.27
data-tables-api:1.11.3-1
display-url-api:2.3.5
docker-commons:1.17
docker-java-api:3.1.5.2
docker-swarm:1.11
docker-workflow:1.26
durable-task:1.39
ec2-fleet:2.3.6
echarts-api:5.2.1-2
email-ext:2.84
emailext-template:1.2
extended-choice-parameter:0.82
extended-read-permission:3.2
extensible-choice-parameter:1.8.0
favorite:2.3.3
folder-properties:1.2.1
font-awesome-api:5.15.4-1
forensics-api:1.5.0
git:4.9.0
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
gitlab-plugin:1.5.22
gradle:1.37.1
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.26
http_request:1.11
ivy:2.1
jackson2-api:2.13.0-226.v0c5dd2d2fd2a
jacoco:3.3.0
javadoc:1.6
jaxb:2.3.0.1
jdk-tool:1.5
jenkins-design-language:1.25.0
jira:3.6
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
job-restrictions:0.8
jobConfigHistory:2.28.1
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes:1.30.4
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
lockable-resources:2.11
mailer:1.34
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.14
metrics:4.0.2.8
momentjs:1.1.1
okhttp-api:3.14.9
ownership:0.13.0
parameter-separator:1.3
pipeline-aws:1.43
pipeline-build-step:2.15
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.7
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
prometheus:2.0.10
publish-over:0.22
publish-over-cifs:0.16
publish-over-ssh:1.22
pubsub-light:1.16
rebuild:1.32
repository-connector:2.2.0
schedule-build:0.5.1
scm-api:2.6.5
script-security:1.78
simple-theme-plugin:0.7
snakeyaml-api:1.29.1
sonar:2.13.1
sse-gateway:1.24
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
structs:1.23
throttle-concurrents:2.4
timestamper:1.13
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
uno-choice:2.5.6
variant:1.4
warnings-ng:9.5.1
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.40
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8

• What Operating System are you using (both controller, and any agents involved in the problem)?

Linux

Reproduction steps

• Install fresh Jenkins
• Install proxy with NTLM/KERBEROS/BASIC auth methods
• Create AWS IAM role, IAM user and setup AssumeRole in this plugin
• Set proxy in Jenkins
• Set proxy account locking rules to small number
• Try to use AWS credentials, see Jenkins log. Lot of messages regarding NTLM/Kerberos realm/domain missing will be logged, proxy account will become locked out

Results

Expected result:

For 99% of proxies, BASIC auth method is enough. Set ProxyAuthenticationMethods in AWS JAVA SDK accordingly / add configuration option to plugin. When uninitialized, it uses the following list - SPNEGO, KERBEROS, NTLM, DIGEST, BASIC. At least for Kerberos and NTLM there are missing fields in proxy setting, leading to errors in jenkins log and possible proxy account lockout, when hard account locking rules are set.

Actual result:

Actually we have problems when using this plugin with our proxy, leading to account lockouts.

Hi,

I am trying to do a setup where the Jenkins Master which is hosted on AWS tries to connect to AWS APIs using cli. We have been using the IAM User approach and that has worked well and are now trying to move toward the IAM based approach. The IAM role is attached to the instance and when trying the IAM role ARN, I am getting a 403 from STS. Error logs as attached:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 18486065-9d7d-11e9-b24d-0d84d7b24f70)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1389)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1356)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1345)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:528)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:500)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:163)
at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:97)
at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:135)
at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)

When using an access key to assume an IAM role, the AWS_SESSION_TOKEN environment variable is not being set.

I was looking through the code, and feel like the issue might be in this file, but I'm not a Java dev, and would appreciate if someone more experienced in that area could please take a look at this.

I'm using a Jenkins Pipeline to provide the credentials to my build. See this pipeline example snippet:

withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: 'aws-creds']]) {
  sh 'env'
}

env Output:

+ env
JENKINS_HOME=/var/jenkins_home
no_proxy=127.0.0.1
RUN_CHANGES_DISPLAY_URL=http://localhost:8080/job/aws-infra/18/display/redirect?page=changes
HOSTNAME=95f289c8ae68
NODE_LABELS=master
HUDSON_URL=http://localhost:8080/
SHLVL=0
HOME=/var/jenkins_home
BUILD_URL=http://localhost:8080/job/aws-infra/18/
HUDSON_COOKIE=64220461-ba1b-4309-b4be-1d1a09324522
JENKINS_SERVER_COOKIE=durable-09bfba379178a45fd0395d8babc98540
WORKSPACE=/var/jenkins_home/workspace/aws-infra
JAVA_VERSION=8u121
NODE_NAME=master
CA_CERTIFICATES_JAVA_VERSION=20161107~bpo8+1
EXECUTOR_NUMBER=0
TINI_SHA=fa23d1e20732501c3bb8eeeca423c89ac80ed452
BUILD_DISPLAY_NAME=#18
HUDSON_HOME=/var/jenkins_home
JOB_BASE_NAME=aws-infra
JAVA_DEBIAN_VERSION=8u121-b13-1~bpo8+1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BUILD_ID=18
BUILD_TAG=jenkins-aws-infra-18
LANG=C.UTF-8
JENKINS_URL=http://localhost:8080/
JOB_URL=http://localhost:8080/job/aws-infra/
BUILD_NUMBER=18
RUN_DISPLAY_URL=http://localhost:8080/job/aws-infra/18/display/redirect
AWS_ACCESS_KEY_ID=****
JENKINS_SLAVE_AGENT_PORT=50000
AWS_SECRET_ACCESS_KEY=****
HUDSON_SERVER_COOKIE=23073d19f5a26cc1
JOB_DISPLAY_URL=http://localhost:8080/job/aws-infra/display/redirect
JOB_NAME=aws-infra
COPY_REFERENCE_FILE_LOG=/var/jenkins_home/copy_reference_file.log
JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
PWD=/var/jenkins_home/workspace/aws-infra
TINI_VERSION=0.9.0

cloudbee aws credentials plugin cannot be disabled

We actually need this for amazon-ecr-plugin but seems this plugin is actually is the right place. Otherwise it limits usage of ECR in pipelines when EC2 Instance Profile

withRegistry('xyz', 'ecr:credentials-id') {
...
}

Add Instance Profile support to AWSCredentialsImpl. Change is as simple as that:

method getCredentials()
...
def credProv = InstanceProfileCredentialsProvider.getInstance()

Version report

Jenkins and plugins versions report:

Jenkins: 2.303.1
OS: Linux - 5.10.0-8-amd64
---
aws-credentials:1.32

• What Operating System are you using (both controller, and any agents involved in the problem)?

Linux

Reproduction steps

• Go to the pipeline snippet generator
• Select withCredentials
• Select an AWS credential
• Hit "Generate pipeline script"

Results

Expected result:

A nice pipeline like

withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: 'foobar']]) {
    // some block
}

or

withCredentials([aws(credentialsId: 'foobar')]) {
    // some block
}

(as seen on https://www.jenkins.io/doc/pipeline/steps/credentials-binding/#withcredentials-bind-credentials-to-variables)

Actual result:

withCredentials([<object of type com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding>]) {
    // some block
}

I tried using it with declarative pipeline and it giving me error.

    stage('upload') {
      environment { 
        AN_ACCESS_KEY = credentials('s3-upload-credential') 
      }

      steps {
        sh '''
          printenv
          '''
      }

No suitable binding handler could be found for type com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl. Supported types are StandardUsernamePasswordCredentials,FileCredentials,StringCredentials.

If it's not yet possible, what's the recommended workaround?

Credentials configured with a role do not use proxy settings on sts:AssumeRole call.

To fix, 7904367 needs to be ported to d12ab1d by passing clientConfiguration on calls to assumeRole:

Relevant stack trace of master node behind proxy using iamRoleArn

hudson.remoting.ProxyException: java.net.SocketTimeoutException: connect timed out
	at java.net.PlainSocketImpl.socketConnect(Native Method)
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.net.Socket.connect(Socket.java:589)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:339)
	at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:142)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
Caused: hudson.remoting.ProxyException: org.apache.http.conn.ConnectTimeoutException: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/52.46.134.192] failed: connect timed out
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
	at com.amazonaws.http.conn.$Proxy81.connect(Unknown Source)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
	at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1238)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)
	at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:124)
	at com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryCredential.getPassword(AmazonECSRegistryCredential.java:128)
	at com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryTokenSource.convert(AmazonECSRegistryTokenSource.java:55)
	at com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryTokenSource.convert(AmazonECSRegistryTokenSource.java:41)
	at jenkins.authentication.tokens.api.AuthenticationTokens.convert(AuthenticationTokens.java:148)
	at jenkins.authentication.tokens.api.AuthenticationTokens.convert(AuthenticationTokens.java:110)
	at org.jenkinsci.plugins.docker.commons.credentials.DockerRegistryEndpoint.getToken(DockerRegistryEndpoint.java:185)
	at org.jenkinsci.plugins.docker.commons.credentials.DockerRegistryEndpoint.newKeyMaterialFactory(DockerRegistryEndpoint.java:243)
	at org.jenkinsci.plugins.docker.workflow.RegistryEndpointStep$Execution.newKeyMaterialFactory(RegistryEndpointStep.java:88)
	at org.jenkinsci.plugins.docker.workflow.AbstractEndpointStepExecution.start(AbstractEndpointStepExecution.java:44)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:229)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:153)
	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:122)
	at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:48)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at com.cloudbees.groovy.cps.sandbox.DefaultInvoker.methodCall(DefaultInvoker.java:20)
Caused: hudson.remoting.ProxyException: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/52.46.134.192] failed: connect timed out
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1116)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1066)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)
	at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:124)

What feature do you want to see added?

OIDC is a great way to get rotating credentials when working with AWS. Hard coding credentials is extremely frowned upon. In the case where Jenkins isn't hosted in AWS, but needs a set of credentials that do rotate, OIDC is an excellent way to do this.

This is what it looks like with github: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

I believe https://github.com/jenkinsci/aws-credentials-plugin/blob/master/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java#L229 would need to take an argument, and possibly use https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/securitytoken/model/AssumeRoleWithWebIdentityRequest.html

The following plugin for jenkins leverages OIDC https://plugins.jenkins.io/oidc-provider/ but it seems not compatable with the aws cloud jenkins plugin

Upstream changes

No response

All of the binding implementations in the Credentials Binding Plugin leverage a @Symbol("...") annotation on their DescriptorImpl classes. This plugin could easily do the same and allow developers to use a more natural, function-like approach when consuming AWS credentials.

1. Current impl requires this syntax: [[$class: 'AwsBucketCredentialsBinding', ....]]

2. Assuming the symbol is awsCredentials, here's what it would look like:

    withCredentials([awsCredentials(credentialsId: 'aws-credentials']]) {
        sh '...'
    }

It would be great to add support for obtaining keys based on AssumeRole feature. \

I'm thinking about a feature where one could provide the roleArn and other identifiers and the temp tokens are obtained and stored in a named profile based on the instanceProfiles.
This will be useful cross account deployments.

I will be happy to submit a patch if there is enough interest.

Dependencies

None

Feature Request

Our cloud strategy is setup so that each deploy environment is its own AWS account. To provide feedback quickly to our users, we run cloud formation diffs in parallel for each AWS account. This normally works as expected, however we sometimes run into a race condition where the session token is overriden by another task in parallel execution. This results in a security token error from AWS.

I'd like to propose a feature that allows the AWS_SESSION_TOKEN environment variable to be configurable. Using this plugin in conjunction with withEnv, we can ensure that each task in parallel execution is using the correct AWS session.

Example:

node('build') {
    def tasks = [:]
    tasks['1'] = {
       withCredentials([[
         $class: 'AmazonWebServicesCredentialsBinding', 
         accessKeyVariable: 'AWS_ACCESS_KEY_ID_DEV', 
         credentialsId: 'dev-account', 
         secretKeyVariable: 'AWS_SECRET_ACCESS_KEY_DEV',
         sessionTokenVaribale: 'AWS_SESSION_TOKEN_DEV']]
       ) {
           withEnv([
             'AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID_DEV',
             'AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY_DEV',
             'AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN_DEV'
           ]) {
            //code
          }
        }
    }
    tasks['2'] = {
       withCredentials([[
         $class: 'AmazonWebServicesCredentialsBinding', 
         accessKeyVariable: 'AWS_ACCESS_KEY_ID_TEST', 
         credentialsId: 'test-account', 
         secretKeyVariable: 'AWS_SECRET_ACCESS_KEY_TEST',
         sessionTokenVaribale: 'AWS_SESSION_TOKEN_TEST']]
       ) {
           withEnv([
             'AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID_TEST',
             'AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY_TEST',
             'AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN_TEST'
           ]) {
            //code
          }
        }
    }
    parallel tasks
}

When using assume role, this does not set the AWS_STS_ROLE_ARN environment variable. Some applications depend on this (in our case sparkleformation deployment).

Exception searching clusters for credentials=Test, regionName=eu-west-1:com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value 'Jenkins ' at 'roleSessionName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w+=,.@-]* (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: 20e28d0c-b8ff-11e9-8b33-4d7def127bc0)

Looks like roleSessionName is wrong, as it includes a whitespace which breaks the assumeRole action. It doesn't happen in other languages. Forcing Jenkins to use en_GB locales (Using locale plugin for example) fixes it.

This is the Jenkins file which contains the bad property

I get the following error when trying to use Jenkins integrated credentials to authorise AWS operations. We use a role based concept, where one account holds all the users and lets us jump into roles into various (often customer) accounts. When I do it manually with the aws cli, there is no issue and I have definitively double and triple checked that I use the same credentials in both cases and I am running the aws cli from a job in Jenkins running on the exact same slave, with no aws configure or other credentials present.

FATAL: User: arn:aws:iam::xxx:user/xxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxx:role/xxx (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: xxx)

I tried using @alexejk hpi which supposedly fixes some issues in AssumeRole, but to no avail.

My Jenkins is in version 2.60.1 and the plugin has version 1.21, as mentioned with or without pull request #20

Since the last update, the plugin is no longer available from the Jenkins plugins mirrors.

See:
http://updates.jenkins.io/download/plugins/aws-credentials-plugin/latest/aws-credentials-plugin.hpi
http://mirrors.jenkins-ci.org/plugins/aws-credentials-plugin/latest/aws-credentials-plugin.hpi

I am trying this plugin for the first time. When trying to configure the Jenkins job to assume iam role in advanced settings, getting error related to MFA. Whereas MFA is disabled for the user. Also, the trust policy of the role being assumed does not have any condition for MFA specified. Can you please guide what can be wrong.

"There was an error assuming the specified IAM role, a MFA may be required by your organization"

Tried to upgrade to 1.27 but it fails:

Failure
com.amazonaws.services.s3.model.AmazonS3Exception: The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID: 70D66789531A94B5; S3 Extended Request ID: l6QrwO1E2nkkzPNN3nmUcu09JjrJhjrxfiNWEiwks6wK0xuZZf0xJ0KT4myVOuQitemUiFniYP4=), S3 Extended Request ID: l6QrwO1E2nkkzPNN3nmUcu09JjrJhjrxfiNWEiwks6wK0xuZZf0xJ0KT4myVOuQitemUiFniYP4=
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4926)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4872)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4866)
at com.amazonaws.services.s3.AmazonS3Client.listBuckets(AmazonS3Client.java:979)
at com.amazonaws.services.s3.AmazonS3Client.listBuckets(AmazonS3Client.java:985)
at

in jenkinsfile groovy i use

withAWSCredentials([ credentialsId: "my-id" ]) {
}

in Jenkins log i see

2020-12-29 14:47:52.287+0000 [id=17291] WARNING c.c.j.p.a.AWSCredentialsImpl#getCredentials: Could not find default region using SDK lookup.
com.amazonaws.SdkClientException: Unable to load region information from any provider in the chain
at com.amazonaws.regions.AwsRegionProviderChain.getRegion(AwsRegionProviderChain.java:59)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:138)
at com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryCredential.getPassword(AmazonECSRegistryCredential.java:128)
at com.cloudbees.jenkins.plugins.bitbucket.api.credentials.BitbucketOAuthCredentialMatcher.matches(BitbucketOAuthCredentialMatcher.java:29)
at com.cloudbees.plugins.credentials.matchers.AnyOfMatcher.lambda$matches$0(AnyOfMatcher.java:66)
at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1359)
at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:499)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:486)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:516)
at com.cloudbees.plugins.credentials.matchers.AnyOfMatcher.matches(AnyOfMatcher.java:66)
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
at java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
at com.cloudbees.plugins.credentials.CredentialsProvider.getCredentialIds(CredentialsProvider.java:1184)
at com.cloudbees.plugins.credentials.CredentialsProvider.listCredentials(CredentialsProvider.java:484)
at com.cloudbees.plugins.credentials.common.AbstractIdCredentialsListBoxModel.includeMatchingAs(AbstractIdCredentialsListBoxModel.java:499)
at com.cloudbees.jenkins.plugins.bitbucket.endpoints.AbstractBitbucketEndpointDescriptor.doFillCredentialsIdItems(AbstractBitbucketEndpointDescriptor.java:61)
at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694)
at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:763)
at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1633)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:153)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1609)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:561)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1612)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1582)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
at java.lang.Thread.run(Thread.java:748)

Version report

Jenkins and plugins versions report:

Jenkins: 2.319
OS: Linux - 4.14.248-129.473.amzn1.x86_64
---
Parameterized-Remote-Trigger:3.1.5.1
ace-editor:1.1
amazon-ecr:1.6
amazon-ecs:1.24
ansicolor:1.0.0
ant:1.12
antisamy-markup-formatter:2.1
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-batch:2.8
aws-credentials:1.32
aws-java-sdk:1.11.700
aws-java-sdk-ec2:1.12.101-300.vc09c7be9cb57
aws-java-sdk-minimal:1.12.101-300.vc09c7be9cb57
badge:1.8
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.20
branch-api:2.7.0
build-timeout:1.20
build-token-root:1.7
bulk-builder:1.5
caffeine-api:2.9.2-29.v717aac953ff3
categorized-view:1.12
checks-api:1.7.2
cloudbees-folder:6.16
command-launcher:1.6
conditional-buildstep:1.4.1
credentials:2.6.2
credentials-binding:1.27
dashboard-view:2.17
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
durable-task:1.39
echarts-api:5.2.1-2
email-ext:2.84
external-monitor-job:1.7
extra-columns:1.24
font-awesome-api:5.15.4-1
ghprb:1.42.2
git:4.8.3
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
google-login:1.6
gradle:1.37.1
groovy:2.4
groovy-postbuild:2.5
handlebars:3.0.8
jackson2-api:2.13.0-230.v59243c64b0a5
javadoc:1.6
jdk-tool:1.5
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
jobConfigHistory:2.28.1
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
ldap:2.7
localization-support:1.1
localization-zh-cn:1.0.24
lockable-resources:2.11
mailer:1.34
mapdb-api:1.0.9.0
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.12
momentjs:1.1.1
monitoring:1.88.0
naginator:1.18.1
okhttp-api:3.14.9
pam-auth:1.6
parameterized-trigger:2.41
pipeline-build-step:2.15
pipeline-github-lib:1.0
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
plain-credentials:1.7
plugin-usage-plugin:1.2
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.1-1
rebuild:1.32
resource-disposer:0.16
run-condition:1.5
scm-api:2.6.5
script-security:1.78
slack:2.48
snakeyaml-api:1.29.1
ssh-agent:1.23
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
structs:1.23
subversion:2.15.1
thinBackup:1.10
timestamper:1.13
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
variant:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.46
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.39
workflow-job:2.41
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39

• What Operating System are you using (both controller, and any agents involved in the problem)?

Linux 

Reproduction steps

• Clean Jenkins install v2.319
• Using AWS Credentials Plugins v1.32
• Assigned IAM Role for Jenkins master instance (AWS EC2) to be able to get information for a AWS ECS Cluster (ListContainerInstances and DescribeContainerInstances)
• Install Amazon Elastic Container Service (ECS) / Fargate (https://plugins.jenkins.io/amazon-ecs/) v1.24
• Go to Manage Jenkins -> Configure System -> Configure Clouds -> Click on Add a new cloud

Results

Expected result:

Able to see the list of ECS Cluster resources based on the IAM Role granted to Jenkins master server.

Actual result:

• Cannot retrieve the expected ECS Cluster Resources

• The small window inside show errors A Problem occurred while processing the request
  

• Checking the Jenkins System Logs, in turns out there was an issue with java.lang.LinkageError: loader constraint violation: loader (instance of jenkins/util/AntClassLoader) previously initiated loading for a different type with name "com/amazonaws/ClientConfiguration". Please refer to log
  aws-cloudbess-error.log

Note
Downgrade AWS Credentials Plugins to v1.30, it works properly and can retrieve the expected ECS Cluster Resources

aws-sdk-java needs to be at least 1.11.704 in order for AWS credentials from a Kubernetes ServiceAccount to be part of the default credentials chain. (See: aws/aws-sdk-java#2136 (comment) ) This would allow Jenkins to be run on e.g. EKS using native AWS credential setup and then assume other roles from there. From the comments, looks like adding aws-java-sdk-sts is also needed for this.

Version report

Jenkins and plugins versions report:

Jenkins: 2.263.3
OS: Linux - 3.10.0-1160.41.1.el7.x86_64
aws-credentials:1.30
credentials:2.5
credentials-binding:1.27
pipeline-aws:1.43

• What Operating System are you using (both controller, and any agents involved in the problem)?

controller: OS: Linux - 3.10.0-1160.41.1.el7.x86_64
agent: Linux RHEL 6.7 

Reproduction steps

• Store AWS credentials in jenkins (I tested using both username/password credentials and AWS credentials)
• Create a job to use these credentials:

                withAWS(credentials: 'aws-s3-creds', region: 'us-east-1') {
                    s3Upload acl: 'Private', 
                        bucket: 'some-bucket', 
                        file: 'bm-test-file2'
                }

• Configure jenkins to NOT run jobs as user SYSTEM - as recommended by jenkins
• Ensure the user configured has permission to view the credentials

Results

Expected result:

File uploaded to S3.
If the system is configured to run jobs as SYSTEM the jobs works as expected.
Even granting admin privileges to the user running the job is not sufficient. (And even it did that would defeat the purpose.)

Actual result:

Job fails:

java.lang.RuntimeException: Cannot find a Username with password credential with the ID aws-s3-creds
	at de.taimos.pipeline.aws.WithAWSStep$Execution.withCredentials(WithAWSStep.java:372)
	at de.taimos.pipeline.aws.WithAWSStep$Execution.start(WithAWSStep.java:301)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:319)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:193)
	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:122)
	at jdk.internal.reflect.GeneratedMethodAccessor631.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
	at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:163)
	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:158)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:161)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:165)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:135)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
	at WorkflowScript.run(WorkflowScript:15)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.delegateAndExecute(ModelInterpreter.groovy:137)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.executeSingleStage(ModelInterpreter.groovy:666)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.catchRequiredContextForNode(ModelInterpreter.groovy:395)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.catchRequiredContextForNode(ModelInterpreter.groovy:393)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.executeSingleStage(ModelInterpreter.groovy:665)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:288)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.toolsBlock(ModelInterpreter.groovy:544)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.toolsBlock(ModelInterpreter.groovy:543)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:276)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withEnvBlock(ModelInterpreter.groovy:443)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withEnvBlock(ModelInterpreter.groovy:442)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:275)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withCredentialsBlock(ModelInterpreter.groovy:481)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withCredentialsBlock(ModelInterpreter.groovy:480)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:274)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.inDeclarativeAgent(ModelInterpreter.groovy:586)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.inDeclarativeAgent(ModelInterpreter.groovy:585)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:272)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.stageInput(ModelInterpreter.groovy:356)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.stageInput(ModelInterpreter.groovy:355)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:261)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.inWrappers(ModelInterpreter.groovy:618)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.inWrappers(ModelInterpreter.groovy:617)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:259)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withEnvBlock(ModelInterpreter.groovy:443)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withEnvBlock(ModelInterpreter.groovy:442)
	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:254)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:86)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:113)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:83)
	at jdk.internal.reflect.GeneratedMethodAccessor170.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ClosureBlock.eval(ClosureBlock.java:46)
	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:129)
	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:268)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:51)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:185)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:400)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$400(CpsThreadGroup.java:96)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:312)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:276)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:67)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:136)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Finished: FAILURE

Describe your use-case which is not covered by existing documentation.

I want to automatically rotate our credentials on a regular basis.
Therefore the corresponding infrastructure exists to perform this change in AWS, but the credentials should be also updated in Jenkins.
I am not able to find a way to perform the credentials change in jenkins in an automated way.

Could you please add a part of the documentation which explains how/which requests to trigger?
Thank you

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

No response

I tried to use the plugin with aws govcloud and I got this error:

These credentials are NOT valid: "AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401; Error Code: AuthFailure; Request ID: XXXX)"

the plugin does not support govcloud?
thanks!

What I see is the plugin does not support access across multiple AWS accounts.
What I would like is the ability to add multiple accounts and use the role access system.
Why this would support the separation of account duties for Development, Test, and Production.
Use the best practices for Role based authentication, and limit the tools ability per the roles assigned
in the account.
AWS Doc for details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

What feature do you want to see added?

According to https://faddom.com/accessing-an-amazon-eks-kubernetes-cluster/ and https://github.com/aws/aws-cli/blob/develop/awscli/customizations/eks/get_token.py, it's possible to create an EKS token from current AWS profile.

Furthermore, this token can be wrapped as a secret text credential and can be used by other plugins which need to access AWS EKS without AWS cli.

A use case is to enable the Jenkins Kubernetes plugin to use a remote EKS as dynamic agents pool.

Upstream changes

No response

The only relevant line I see is this

            environment { 
                AN_ACCESS_KEY = credentials("${params.ENVIRONMENT}")
            }

Where ${params.ENVIRONMENT} referes to AWS credentials. The credentials work as expected with build succeeding, it's just a warning that is bothersome

I see the variables reported by the warning are set here ->

What feature do you want to see added?

When adding an AWS Credential to Jenkins that includes a Role ARN, the plugin will only use the commercial STS endpoint (sts.amazonaws.com) to retrieve temporary credentials. This means you cannot specify a Role ARN if you are supplying credentials in a private network where an internet connection is not available.
The feature should dynamically select the appropriate STS Endpoint based region example,
If we try to connect the sts endpoint from the eu-west-1 region and the global endpoint isn't able to connect due to an internet connection it should try to connect region-based endpoint [ sts.eu-west-1.amazonaws.com ].

Upstream changes

No response

Currently the plugin does not specify the region when validating credentials, hence it defaults to us-east-1.

I have an access key with a policy restricted to another region (eu-west-1) which fails validation because of this.

Suggesting some kind of parameterization of the region to use, e.g. by using an environment variable possibly set by EnvInject plugin.

Currently this seem pointless? I assume it lets me pick the AWs credentials by ID, using a build parameter.

But, it does not allow anything other that the param name wrapped in ${} meaning it cannot be dynamic, making it utterly useless.

Add to that, the glaring lack fo documentation, I'm totally stumped.

Jenkins and plugins versions report

Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

Uninstallation is very slow

Reproduction steps

mn
mn

Expected Results

kln

Actual Results

nothing

Anything else?

no

It would be great if we could leave the access key ID and secret access key blank to assume a role using the EC2 instance profile credentials.

I just installed the latest version of the plugin with the assume role support included from PR #20. I've got an EC2 slave with an IAM role of jenkins-ec2, and I've created an IAM role called jenkins-role that I'm trying to get jenkins to assume. I've configured the credentials plugin with no access key or secret, but with a Task Role of my assumable jenkins-role role. (And I've set up the trust relationship appropriately, so jenkins-role is assumable by jenkins-ec2.)

When my job starts, I get this error:

Started by user Jason Hoetger
[EnvInject] - Loading node environment variables.
Building remotely on jenkins-u16-3 (jenkins jenkins-u16) in workspace /home/ubuntu/workspace/assume-role-test
FATAL: The requested metadata is not found at http://169.254.169.254/latest/meta-data/iam/security-credentials/
com.amazonaws.SdkClientException: The requested metadata is not found at http://169.254.169.254/latest/meta-data/iam/security-credentials/
	at com.amazonaws.internal.EC2CredentialsUtils.readResource(EC2CredentialsUtils.java:115)
	at com.amazonaws.internal.EC2CredentialsUtils.readResource(EC2CredentialsUtils.java:77)
	at com.amazonaws.auth.InstanceProfileCredentialsProvider$InstanceMetadataCredentialsEndpointProvider.getCredentialsEndpoint(InstanceProfileCredentialsProvider.java:156)
	at com.amazonaws.auth.EC2CredentialsFetcher.fetchCredentials(EC2CredentialsFetcher.java:121)
	at com.amazonaws.auth.EC2CredentialsFetcher.getCredentials(EC2CredentialsFetcher.java:82)
	at com.amazonaws.auth.InstanceProfileCredentialsProvider.getCredentials(InstanceProfileCredentialsProvider.java:141)
	at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:119)
	at com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentialsBinding.bind(AmazonWebServicesCredentialsBinding.java:97)
	at org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper.setUp(SecretBuildWrapper.java:59)
	at hudson.model.Build$BuildExecution.doRun(Build.java:156)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
	at hudson.model.Run.execute(Run.java:1729)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:404)
Finished: FAILURE

It looks like it's trying to get metadata from http://169.254.169.254/latest/meta-data/iam/security-credentials/. When I hop on the box, I can confirm that that URL returns nothing, but adding the role name as indicated in the AWS docs does, in fact, return the appropriate credentials.

In other words, http://169.254.169.254/latest/meta-data/iam/security-credentials/jenkins-ec2 returns the EC2 instance credentials. The jenkins-ec2 role name appears to be missing from the endpoint it's trying to hit.

Any idea why this might be happening? Have I misconfigured my plugin? Is the InstanceProfileCredentialsProvider from the AWS SDK being properly instantiated and used properly in PR #20?

I'm wondering if it might be better to avoid explicitly instantiating the InstanceProfileCredentialsProvider and simply allow the AWS SDK to get credentials using its the default provider chain. That would also have the advantage of allowing the assume role support to work with ECS Task Roles, since the AWS SDK already knows how to fetch those credentials using the default provider chain.