Plugin uses instance role instead of pod role #172
Comments
The plugin instantiates a standard instance of the AWS Java SDK client; the only override to its behaviour is to change the EndpointConfiguration if you've set this in Jenkins config. By default the SDK's authentication strategy is
I would recommend running the AWS CLI in your container environment to do some Secrets Manager calls - with all the same env vars as you've given Jenkins - and see which IAM role it uses.
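The check the comment above recommends, as an added diagnostic that is not part of the plugin or the issue: it takes the ARN that `aws sts get-caller-identity` returns inside the pod, compares its role name with the role in AWS_ROLE_ARN, and reports whether the prerequisites the SDK's web-identity provider needs are present. All role ARNs and environment values below are constructed samples.

```python
import os
import re

# Constructed sample values (not from the issue) so the checks run offline.
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/eks/jenkins-pod-role",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}
SAMPLE_POD_IDENTITY = "arn:aws:sts::123456789012:assumed-role/jenkins-pod-role/aws-sdk-java-1"
SAMPLE_INSTANCE_IDENTITY = "arn:aws:sts::123456789012:assumed-role/eks-node-role/i-0123456789abcdef0"

# STS assumed-role ARN: account, role name (path omitted), session name.
_STS_ASSUMED = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
# IAM role ARN: account, optional path segments, role name.
_IAM_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:[^/]+/)*([^/]+)$")


def role_name_from_iam_arn(arn):
    """Role name from an IAM role ARN such as AWS_ROLE_ARN; any path is dropped."""
    m = _IAM_ROLE.match(arn or "")
    return m.group(2) if m else None


def role_name_from_sts_arn(arn):
    """Role name from the assumed-role ARN reported by `aws sts get-caller-identity`."""
    m = _STS_ASSUMED.match(arn or "")
    return m.group(2) if m else None


def irsa_env_problems(env):
    """Missing prerequisites for web-identity credentials; an empty list means all present."""
    problems = []
    if not role_name_from_iam_arn(env.get("AWS_ROLE_ARN")):
        problems.append("AWS_ROLE_ARN is missing or not an IAM role ARN")
    token = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not token:
        problems.append("AWS_WEB_IDENTITY_TOKEN_FILE is not set")
    elif not os.path.isfile(token):
        problems.append(f"web identity token file not found: {token}")
    return problems


def classify_identity(caller_arn, env):
    """'pod-role' if the caller is the role named in AWS_ROLE_ARN, else 'other-role' or 'unknown'."""
    expected = role_name_from_iam_arn(env.get("AWS_ROLE_ARN"))
    actual = role_name_from_sts_arn(caller_arn)
    if expected is None or actual is None:
        return "unknown"
    return "pod-role" if actual == expected else "other-role"


if __name__ == "__main__":
    for problem in irsa_env_problems(dict(os.environ)):
        print("IRSA prerequisite missing:", problem)
```

Run it in the Jenkins pod with the real environment and pass the `Arn` field from `aws sts get-caller-identity` to `classify_identity`; a result of `other-role` with no reported prerequisite problems matches the symptom this issue describes.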
AWS CLI works fine, so based on what you said, I think the problem is related to: aws/aws-sdk-java#2136. As far as I see the SDK version used by the plugin is
Nice detective work :) If adding
@nahuelcassinarijamf did it work as expected after adding
@parveshmourya sorry, super delayed answer.
Jenkins and plugins versions report
I've noticed that the plugin is using the IAM role of the EC2 instance where it is running instead of using the IAM role of the pod (https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/).
All env variables look good:
But when Jenkins wants to get credentials it's not using the right role:
I've tried configuring the env variables manually in the pod and creating the .aws/credentials file, but the result is always the same. Finally I confirmed the problem by adding privileges to get secrets to the instance IAM role, and everything worked without issues.
What Operating System are you using (both controller, and any agents involved in the problem)?
Jenkins: 2.303.3
OS: Linux - 5.4.91-41.139.amzn2.x86_64
ace-editor:1.1
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-credentials:1.33
aws-java-sdk:1.12.131-302.vbef9650c6521
aws-java-sdk-cloudformation:1.12.131-302.vbef9650c6521
aws-java-sdk-codebuild:1.12.131-302.vbef9650c6521
aws-java-sdk-ec2:1.12.131-302.vbef9650c6521
aws-java-sdk-ecr:1.12.131-302.vbef9650c6521
aws-java-sdk-ecs:1.12.131-302.vbef9650c6521
aws-java-sdk-elasticbeanstalk:1.12.131-302.vbef9650c6521
aws-java-sdk-iam:1.12.131-302.vbef9650c6521
aws-java-sdk-logs:1.12.131-302.vbef9650c6521
aws-java-sdk-minimal:1.12.131-302.vbef9650c6521
aws-java-sdk-ssm:1.12.131-302.vbef9650c6521
aws-secrets-manager-credentials-provider:0.5.6
aws-secrets-manager-secret-source:0.0.1
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-4
bouncycastle-api:2.25
branch-api:2.7.0
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-folder:6.17
command-launcher:1.2
configuration-as-code:1.54
credentials:2.6.1
credentials-binding:1.27.1
display-url-api:2.3.5
durable-task:493.v195aefbb0ff2
echarts-api:5.2.2-2
font-awesome-api:5.15.4-5
git:4.10.0
git-client:3.11.0
git-server:1.10
handlebars:3.0.8
jackson2-api:2.13.1-246.va8a9f3eaf46a
javax-activation-api:1.2.0-2
javax-mail-api:1.6.2-5
jaxb:2.3.0
jdk-tool:1.0
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes:1.30.11
kubernetes-client-api:5.11.2-182.v0f1cf4c5904e
kubernetes-credentials:0.9.0
lockable-resources:2.13
mailer:408.vd726a_1130320
matrix-project:1.20
metrics:4.0.2.8.1
momentjs:1.1.1
pipeline-build-step:2.15
pipeline-graph-analysis:188.v3a01e7973f2c
pipeline-input-step:427.va6441fa17010
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.20
pipeline-stage-step:291.vf0a8a7aeeb50
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.20
plain-credentials:1.7
plugin-util-api:2.12.0
popper-api:1.16.1-2
popper2-api:2.11.2-1
scm-api:595.vd5a_df5eb_0e39
script-security:1131.v8b_b_5eda_c328e
snakeyaml-api:1.29.1
ssh-credentials:1.19
sshd:3.1.0
structs:308.v852b473a2b8c
thycotic-secret-server:1.0.0
trilead-api:1.0.13
variant:1.4
workflow-aggregator:2.6
workflow-api:1108.v57edf648f5d4
workflow-basic-steps:2.24
workflow-cps:2648.va9433432b33c
workflow-cps-global-lib:552.vd9cc05b8a2e1
workflow-durable-task-step:1112.vda00e6febcc1
workflow-job:1145.v7f2433caa07f
workflow-multibranch:706.vd43c65dec013
workflow-scm-step:2.13
workflow-step-api:622.vb_8e7c15b_c95a_
workflow-support:813.vb_d7c3d2984a_0
Reproduction steps
Steps to reproduce:
Expected Results
Jenkins will get Jenkins credentials from AWS Secret Manager using the pod IAM role.
Actual Results
Jenkins uses the instance IAM role to get secrets.
Anything else?
No response