Comments (6)
Same here. This issue started occurring very recently, even for me. My error is `The security token included in the request is invalid.`
from aws-credentials-plugin.
Yep, I am experiencing similar issues as well. My error is `The security token included in the request is invalid.`
from aws-credentials-plugin.
Have the same issue as well.
From what I see, when "Assume role" is set up, once we start the pipeline, the plugin uses a different set of AK/SK.
I see that my AK starts with "ASxxxx" (also, the secret key changed).
Did someone find a workaround?
from aws-credentials-plugin.
As far as I remember, on the Jenkins side you have to provide IAM user credentials (SK/AK). The IAM Policy attached to this user has to allow the assumeRole action. Do not configure assume role on Jenkins.
You also have to prepare IAM Roles that the user can assume (trust policy).
Then configure assumeRole in the Jenkinsfile like this:
```groovy
// Assume the role inside the pipeline step; the Jenkins credential holds only the IAM user's keys.
withAWS(region: REGION,
        credentials: BASE_CREDENTIALS,
        role: BASE_ROLE + '-' + REGION + '-' + stage_name,
        roleAccount: '<account where IAM Role is defined>',
        duration: 900,
        roleSessionName: BASE_ROLE + '-' + REGION + '-' + stage_name) {
    // <actions to be performed with assumed role>
}
```
Where:
- REGION - AWS Region where actions are going to be performed
- BASE_CREDENTIALS - ID of Credentials defined in Jenkins (the one for IAM User)
- role - IAM Role name assumed by IAM User
- duration - Temporary credentials TTL
- roleSessionName - Just a name for this assumed role session.
It's not perfect because developers can change something, but it works.
I moved this part to a different repo where developers' access is forbidden.
from aws-credentials-plugin.
Hello @tomasz-bres
Thanks for your reply. It works well.
What was not clear to me is the ability to specify an IAM ROLE in the AWS credentials; not configuring it and specifying the role in the steps works well.
from aws-credentials-plugin.
I encountered what may be a related issue recently.
tl;dr; - You cannot use an AWS Credential with a Role ARN set with the `withAWS` pipeline step.
I created an AWS Credential with a Role ARN and attempted to use the credential in my pipeline via the `withAWS` step but I always received an AccessDenied message. After digging around in CloudTrail, I saw that this plugin was successfully executing AssumeRole but the pipeline step was still failing. In an act of desperation I had the pipeline run `env | grep AWS` to see what variables were being set.
It turns out that `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` values were set properly (they matched the access key id for the assumed role), but `AWS_SESSION_TOKEN` was not set. The missing session token explains why all the AWS API calls were failing.
The issue was that the `withAWS` step was filtering out the session token since it was only expecting IAM User access keys - the two plugins simply can't be combined in this way unfortunately. That being said, the workaround is to not use the Role ARN attribute of the AWS Credential and use the `withAWS` role assumption capabilities.
Hope this helps someone!
from aws-credentials-plugin.
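A pre-flight check for the failure described in the last comment (a temporary access key exported without `AWS_SESSION_TOKEN`), as an added example that is not part of the thread or of either plugin's code. The function names are hypothetical; it assumes the standard AWS key ID prefixes (`ASIA` for temporary STS credentials, `AKIA` for long-term IAM user keys).

```shell
#!/bin/sh
# Added example (not from the thread): classify the AWS credential variables
# that a pipeline step actually sees, without printing any secret material.

# aws_cred_state KEY_ID SECRET TOKEN   (hypothetical helper)
# Prints one state word; returns 0 if the combination is usable, 1 otherwise.
# Note: POSIX sh has no 'local', so the acs_* variables are globals.
aws_cred_state() {
    acs_key=$1
    acs_secret=$2
    acs_token=$3
    if [ -z "$acs_key" ] || [ -z "$acs_secret" ]; then
        echo "missing"; return 1
    fi
    case $acs_key in
        ASIA*)
            # Temporary STS credentials are only valid with their session token.
            if [ -z "$acs_token" ]; then
                echo "temporary-without-token"; return 1
            fi
            echo "temporary"; return 0 ;;
        AKIA*)
            # A token left over from an earlier session invalidates the request.
            if [ -n "$acs_token" ]; then
                echo "long-term-with-stray-token"; return 1
            fi
            echo "long-term"; return 0 ;;
        *)
            echo "unknown-prefix"; return 1 ;;
    esac
}

# check_aws_env   (hypothetical helper)
# Reads the standard AWS_* variables, logs the state and only the 4-character
# key prefix to stderr, and returns the status of aws_cred_state.
check_aws_env() {
    cae_state=$(aws_cred_state "${AWS_ACCESS_KEY_ID:-}" \
        "${AWS_SECRET_ACCESS_KEY:-}" "${AWS_SESSION_TOKEN:-}") && cae_rc=0 || cae_rc=$?
    cae_prefix=$(printf '%.4s' "${AWS_ACCESS_KEY_ID:-}")
    echo "aws credentials: state=$cae_state key_prefix=${cae_prefix:-none}" >&2
    return "$cae_rc"
}
```

Running `check_aws_env || exit 1` as the first `sh` command inside the step makes a dropped session token fail immediately with a clear message rather than on the first AWS API call.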