Jenkins and plugins versions report
AWS Secrets Manager Credentials Provider
Version 1.198.v839f082578db
What Operating System are you using (both controller, and any agents involved in the problem)?
jenkins/jenkins:alpine
v2.361.3 LTS
Reproduction steps
Following the steps here to set up a cross-account role for accessing credentials:
I've created the role on the destination account; I've also made sure the trust relationship is correct, i.e. that it allows the role used by the Jenkins controller to assume it (this is something we do commonly, so we are familiar with the setup).
We're also using the JCasC plugin, so basically the same example as given in the docs:
Expected Results
Should be able to see credentials and not any errors in the Jenkins log.
Actual Results
Logs contain:
Nov 15, 2022 2:04:49 PM WARNING io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider getCredentials
Could not list credentials in Secrets Manager: message=[The security token included in the request is invalid (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 2f9c6d9a-df3b-45e6-8df7-402f53a82f1f; Proxy: null)]
Anything else?
I've validated that there are no issues with the IAM role and assuming the role by creating a pipeline utilising 'withAWS'. As an example, this works fine, and it uses the same role assigned to the Jenkins controller to assume the same role...
I also experimented with specifying different optional arguments in the plugin, like region, endpoint etc., but have not managed to get it to work.
Finally, just to validate that the plugin itself was working, I switched it to use the default role (instead of assuming a role), and it was successfully able to see and pull secrets.
Looks like the assume role part just isn't working.

This is going to be difficult to debug as so much of the cross-account setup is outside of Jenkins, so it's not something we can really unit/integration test in the plugin itself.
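The cross-account chain the issue describes (controller role, then sts:AssumeRole into a role in the other account, then secretsmanager:ListSecrets with the temporary credentials) can be replayed outside Jenkins, which is exactly the part the maintainer says the plugin cannot test for you. The script below is an added example written for this page; it is neither the reporter's code nor part of the aws-secrets-manager-credentials-provider plugin. The two role ARNs and the trust policy are constructed placeholders (the issue does not give the real ones), the live check assumes boto3 is installed and that the controller's default credential chain is available where it runs, and the log line is the one quoted in the issue. A general caveat worth keeping in mind while reading the plugin's warning: STS answers AccessDenied when the caller authenticated but the target role's trust policy (or the caller's own IAM policy) does not permit the assume, whereas InvalidClientTokenId means STS did not accept the caller's own credentials, so the trust policy was never consulted; the helpers below separate those layers and also normalise the assumed-role ARN that get_caller_identity returns into the IAM role ARN a trust policy names, a mismatch that trips up a lot of hand-written trust policies.

```python
"""Replay the Jenkins plugin's cross-account credential chain outside Jenkins.

Added example for this page, not the issue reporter's code and not the plugin's.
Offline helpers (trust-policy check, log-line classification) run without AWS;
check_cross_account_access() needs boto3, network access and real credentials.
"""
import re

# Constructed placeholder ARNs; the issue does not give the real ones.
CONTROLLER_ROLE_ARN = "arn:aws:iam::111111111111:role/jenkins-controller"
TARGET_ROLE_ARN = "arn:aws:iam::222222222222:role/jenkins-secrets-reader"

# Constructed trust policy of the shape the issue describes: the target role
# trusts the controller's role for sts:AssumeRole.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": CONTROLLER_ROLE_ARN},
         "Action": "sts:AssumeRole"}
    ],
}

# Message quoted in the issue's "Actual Results" (the plugin's WARNING line).
SAMPLE_LOG_LINE = (
    "Could not list credentials in Secrets Manager: message=[The security token "
    "included in the request is invalid (Service: AWSSecurityTokenService; "
    "Status Code: 403; Error Code: InvalidClientTokenId; "
    "Request ID: 2f9c6d9a-df3b-45e6-8df7-402f53a82f1f; Proxy: null)]"
)

# Which layer of the chain each STS error code points at (general AWS behaviour).
STS_ERROR_LAYER = {
    "AccessDenied": "trust policy or caller IAM policy: the caller authenticated "
                    "but is not allowed to assume the target role",
    "InvalidClientTokenId": "caller credentials: STS did not accept the credentials "
                            "the caller presented, so the trust policy was never "
                            "evaluated (e.g. stale/rotated keys, or an STS endpoint "
                            "in a region where STS is not enabled for the account)",
}

_ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def role_arn_from_caller(caller_arn: str) -> str:
    """Turn the assumed-role ARN that sts:GetCallerIdentity returns for a role
    session into the IAM role ARN a trust policy names. Roles created with a
    path lose the path in the assumed-role ARN, so compare paths by hand then."""
    m = _ASSUMED_ROLE_RE.match(caller_arn)
    if not m:
        return caller_arn
    account, name = m.groups()
    return f"arn:aws:iam::{account}:role/{name}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_allows(trust_policy: dict, principal_arn: str) -> bool:
    """True if some Allow statement grants sts:AssumeRole to principal_arn.
    Trusting the principal's account root also counts (it delegates to IAM in
    that account). Conditions and explicit Deny statements are not evaluated."""
    account = principal_arn.split(":")[4]
    acceptable = {principal_arn, f"arn:aws:iam::{account}:root", "*"}
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        if isinstance(principal, dict) and acceptable & set(_as_list(principal.get("AWS", []))):
            return True
    return False


def sts_error_code(log_message: str):
    """Pull the STS error code out of the plugin's 'Could not list credentials' line."""
    m = re.search(r"Error Code: ([A-Za-z]+)", log_message)
    return m.group(1) if m else None


def explain_failure(log_message: str) -> str:
    code = sts_error_code(log_message)
    return STS_ERROR_LAYER.get(code, f"unclassified STS error {code!r}")


def check_cross_account_access(target_role_arn: str, region: str,
                               session_name: str = "jenkins-diagnostic"):
    """Live replay of the plugin's chain: default credential chain ->
    sts:AssumeRole -> secretsmanager:ListSecrets with the temporary credentials.
    Returns (caller_role_arn, secret_names). boto3 is imported here so the
    offline helpers above work without it (assumption: boto3 is installed)."""
    import boto3
    from botocore.exceptions import ClientError
    sts = boto3.client("sts", region_name=region)
    caller = role_arn_from_caller(sts.get_caller_identity()["Arn"])
    try:
        creds = sts.assume_role(RoleArn=target_role_arn, RoleSessionName=session_name)["Credentials"]
    except ClientError as e:
        code = e.response["Error"]["Code"]
        raise RuntimeError(f"AssumeRole as {caller} failed: {code}: "
                           f"{STS_ERROR_LAYER.get(code, 'unclassified')}") from e
    sm = boto3.client("secretsmanager", region_name=region,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    names = [s["Name"] for s in sm.list_secrets(MaxResults=20)["SecretList"]]
    return caller, names


if __name__ == "__main__":
    import sys
    print("trust policy names controller role:",
          trust_policy_allows(SAMPLE_TRUST_POLICY, CONTROLLER_ROLE_ARN))
    print("issue's log line points at:", explain_failure(SAMPLE_LOG_LINE))
    if len(sys.argv) > 1:  # python chain_check.py <region> runs the live replay
        print(check_cross_account_access(TARGET_ROLE_ARN, sys.argv[1]))
```

Run the live check from the same place the controller runs (same instance profile or container credentials) and with the same region the plugin is configured for, so that the STS call hits the same endpoint the plugin would use; if the replay succeeds where the plugin fails, the difference is in how the plugin builds its STS client rather than in IAM.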