
Cross-account role access doesn't appear to work #249

Closed
mamccorm opened this issue Nov 15, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@mamccorm

Jenkins and plugins versions report

AWS Secrets Manager Credentials Provider
Version 1.198.v839f082578db

What Operating System are you using (both controller, and any agents involved in the problem)?

jenkins/jenkins:alpine
v2.361.3 LTS

Reproduction steps

Following the steps here to set up a cross-account role for accessing credentials:

I've created the role on the destination account, and I've also made sure the trust relationship is correct, i.e. that it allows the role used by the Jenkins controller to assume it (this is something we do commonly, so we are familiar with the setup).

We're also using the JCasC plugin, so basically the same example as given in the docs:

    unclassified:
      credentialsProvider:
        assumeRole:
          roleArn: "arn:aws-us-gov:iam::************:role/jenkins-secrets-access"
          roleSessionName: "jenkins"

Expected Results

Should be able to see credentials, and no errors in the Jenkins log.

Actual Results

Logs contain:

Nov 15, 2022 2:04:49 PM WARNING io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider getCredentials
Could not list credentials in Secrets Manager: message=[The security token included in the request is invalid (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 2f9c6d9a-df3b-45e6-8df7-402f53a82f1f; Proxy: null)]

Anything else?

I've validated that there are no issues with the IAM role and assuming the role by creating a pipeline utilising 'withAWS'. As an example, this works fine, and it uses the same role assigned to the Jenkins controller to assume the same role...

    // Declarative pipeline wrapper added around the posted stage so it is a complete Jenkinsfile;
    // withAWS comes from the Pipeline: AWS Steps plugin.
    pipeline {
        agent any
        stages {
            stage('quick test') {
                steps {
                    // Assume the cross-account role, then list secrets with the temporary credentials
                    withAWS(role: "arn:aws-us-gov:iam::***********:role/jenkins-secrets-access") {
                        sh "aws secretsmanager list-secrets"
                    }
                }
            }
        }
    }

I also experimented with specifying different optional arguments in the plugin, like region, endpoint, etc., but have not managed to get it to work.

Finally, just to validate the plugin itself was working, I switched it to use the default role (instead of assuming a role), and it was successfully able to see and pull secrets.

Looks like the assume-role part just isn't working.

@mamccorm mamccorm added the bug Something isn't working label Nov 15, 2022
@chriskilding
Contributor

This is going to be difficult to debug as so much of the cross-account setup is outside of Jenkins, so it's not something we can really unit/integration test in the plugin itself.

Just as an initial thing, in your pasted code

    unclassified:
      credentialsProvider:
        assumeRole:
          roleArn: "arn:aws-us-gov:iam::************:role/jenkins-secrets-access"
          roleSessionName: "jenkins"

I noticed this wouldn't work because the structure of it is not quite right. It would need to be

unclassified:
  awsCredentialsProvider:
    client:
      credentialsProvider:
        assumeRole:
          roleArn:  .....
          roleSessionName: ....

Is that any help? If not, we'll pursue it further.
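A complete JCasC fragment in the structure the comment above describes, added here as an illustration and not taken from the issue or from the plugin's own documentation. The account ID, role name and session name are constructed placeholders; the `region` key is an assumption based on the plugin's client options and can be dropped if the controller's default region is correct. The nesting of `awsCredentialsProvider` > `client` > `credentialsProvider` > `assumeRole` is the point of the example: with the original top-level `credentialsProvider` key, the assume-role settings are never read and the plugin falls back to the controller's own credentials, which explains the `InvalidClientTokenId` 403 when those credentials are not valid for the other account's Secrets Manager.

```yaml
# Added example: JCasC configuration for the AWS Secrets Manager Credentials Provider plugin
# using a cross-account assume-role client. Values marked PLACEHOLDER are constructed.
unclassified:
  awsCredentialsProvider:
    client:
      # Optional; assumption based on the plugin's client options. Use the partition's
      # region (e.g. a GovCloud region for an arn:aws-us-gov ARN).
      region: "us-gov-west-1"            # PLACEHOLDER
      credentialsProvider:
        assumeRole:
          # The role in the *destination* account whose trust policy allows the
          # Jenkins controller's role to call sts:AssumeRole.
          roleArn: "arn:aws-us-gov:iam::123456789012:role/jenkins-secrets-access"   # PLACEHOLDER account ID
          # Appears in the destination account's CloudTrail AssumeRole events as the
          # session name, so pick something that identifies this controller.
          roleSessionName: "jenkins-controller"                                   # PLACEHOLDER
```

When checking whether the change took effect, the destination account's CloudTrail should show an `AssumeRole` event for the role with the configured session name; if the controller's log still reports `InvalidClientTokenId` and no such event exists, the plugin is still not attempting the assume-role call, which usually means the YAML is nested under the wrong key.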

@chriskilding
Contributor

Hi, could you let me know if the quick fix above worked for you, or if there is still a problem?

@chriskilding
Contributor

Closing due to inactivity.
