Jenkins is failing due to external Id is required in the latest release for IAM role #116

Closed
cao2504 opened this issue Dec 19, 2021 · 7 comments · Fixed by #125
Labels
bug Something isn't working

Comments


cao2504 commented Dec 19, 2021

Version report

Jenkins and plugins versions report:

aws-credentials:latest
  • What Operating System are you using (both controller, and any agents involved in the problem)?
Linux

Reproduction steps

  • Step 1: Create a new credential that will take an IAM role without an external Id


  • Step 2: In the pipeline:
withCredentials([[$class       : 'AmazonWebServicesCredentialsBinding',
                  credentialsId: credentials]]) {
    // AWS steps that rely on the assumed role run here
}

Results

Expected result:

Jenkins to grab the role and perform AWS tasks

Actual result:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value '' at 'externalId' failed to satisfy constraint: Member must have length greater than or equal to 2 (Service: AWSSecurityTokenService


webminster commented Dec 27, 2021

I see a very similar issue with the EC2 Fleet plugin; I had opened this issue in Jenkins JIRA as https://issues.jenkins.io/browse/JENKINS-67452

TomJKing added a commit to nationalarchives/tdr-jenkins that referenced this issue Jan 4, 2022
AWS credentials plugin version 1.33 has a bug that causes builds to fail: jenkinsci/aws-credentials-plugin#116

Temporarily keep at existing version, but update other plugins

webminster commented Jan 4, 2022

How can we get some attention on this issue?
The JIRA for this bug is not getting attention either:
https://issues.jenkins.io/browse/JENKINS-67452

@ricardojdsilva87

Hello, we hit the same issue after upgrading to Jenkins 2.319.2 LTS JDK11; the plugin updated itself to the latest version.
The fix was to add something with more than 2 characters in "External Id To Use".

It can also be configured with casc using:

credentials:
  system:
    domainCredentials:
      - credentials:
        - aws:
            iamRoleArn: "arn:aws:iam::xxxxxxx"
            iamExternalId: "something with more than 2 characters"
            description: "description"
            id: "id you choose"
            scope: you choose can be GLOBAL for example

Thanks

@webminster

This didn't seem to work for me... I uploaded this version and restarted, and got a large traceback:

2022-02-04 19:44:21.312+0000 [id=30] SEVERE jenkins.InitReactorRunner$1#onTaskFailed: Failed ConfigurationAsCode.init
java.lang.NullPointerException
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.createAssumeRoleRequest(AWSCredentialsImpl.java:232)
at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:158)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1266)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:842)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:792)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:779)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:753)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:713)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:695)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:559)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:539)
at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.doInvoke(AmazonAutoScalingClient.java:4931)
at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.invoke(AmazonAutoScalingClient.java:4898)
at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.invoke(AmazonAutoScalingClient.java:4887)
at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.executeDescribeAutoScalingGroups(AmazonAutoScalingClient.java:1847)
at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.describeAutoScalingGroups(AmazonAutoScalingClient.java:1815)
at com.amazon.jenkins.ec2fleet.fleet.AutoScalingGroupFleet.getState(AutoScalingGroupFleet.java:78)
at com.amazon.jenkins.ec2fleet.EC2FleetCloud.<init>(EC2FleetCloud.java:221)
Caused: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.tryConstructor(DataBoundConfigurator.java:173)
Caused: io.jenkins.plugins.casc.ConfiguratorException: eC2Fleet: Failed to construct instance of class com.amazon.jenkins.ec2fleet.EC2FleetCloud.
Constructor: public com.amazon.jenkins.ec2fleet.EC2FleetCloud(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,hudson.slaves.ComputerConnector,boolean,boolean,java.lang.Integer,int,int,int,int,boolean,boolean,java.lang.String,boolean,java.lang.Integer,java.lang.Integer,boolean,java.lang.Integer,boolean).
Arguments: [java.lang.String, null, java.lang.String, null, java.lang.String, null, java.lang.String, java.lang.String, null, hudson.plugins.sshslaves.SSHConnector, java.lang.Boolean, java.lang.Boolean, java.lang.Integer, java.lang.Integer, java.lang.Integer, java.lang.Integer, java.lang.Integer, java.lang.Boolean, java.lang.Boolean, null, java.lang.Boolean, java.lang.Integer, java.lang.Integer, java.lang.Boolean, java.lang.Integer, java.lang.Boolean].
Expected Parameters: name java.lang.String, oldId java.lang.String, awsCredentialsId java.lang.String, credentialsId java.lang.String, region java.lang.String, endpoint java.lang.String, fleet java.lang.String, labelString java.lang.String, fsRoot java.lang.String, computerConnector hudson.slaves.ComputerConnector, privateIpUsed boolean, alwaysReconnect boolean, idleMinutes java.lang.Integer, minSize int, maxSize int, minSpareSize int, numExecutors int, addNodeOnlyIfRunning boolean, restrictUsage boolean, maxTotalUses java.lang.String, disableTaskResubmit boolean, initOnlineTimeoutSec java.lang.Integer, initOnlineCheckIntervalSec java.lang.Integer, scaleExecutorsByWeight boolean, cloudStatusIntervalSec java.lang.Integer, noDelayProvision boolean

Member

jtnord commented Feb 7, 2022

> This didn't seem to work for me... I uploaded this version and restarted, and got a large traceback:

The next build should be better. It should be in https://ci.jenkins.io/job/Plugins/job/aws-credentials-plugin/job/PR-125/2/ under artifacts when the build completes.

@webminster

This version (aws-credentials-1.34-rc182.5fcd8bb8776d.hpi) is definitely better, doesn't choke on the Jenkins restart. Seems at the moment to work as expected. Thanks for working on this!
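
The first failure in this thread is an empty `externalId` rejected by STS; the later traceback is a `NullPointerException` raised in `createAssumeRoleRequest`. The following is an added example, not the plugin's code: a hypothetical helper `AssumeRoleRequests.build`, written against the AWS SDK for Java v1 request class, that leaves the field unset when the external ID is null or blank and checks the length locally otherwise. The role ARN and session name are constructed sample values.

```java
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;

// Added example, not the plugin's code. Class and method names are hypothetical.
public final class AssumeRoleRequests {
    // STS length limits for ExternalId; the minimum of 2 is the constraint
    // quoted in the error message at the top of this issue.
    private static final int MIN_EXTERNAL_ID = 2;
    private static final int MAX_EXTERNAL_ID = 1224;

    private AssumeRoleRequests() {}

    /** Builds the request, leaving ExternalId unset when none is configured. */
    public static AssumeRoleRequest build(String roleArn, String sessionName, String externalId) {
        if (roleArn == null || roleArn.trim().isEmpty()) {
            throw new IllegalArgumentException("roleArn is required");
        }
        AssumeRoleRequest request = new AssumeRoleRequest()
                .withRoleArn(roleArn.trim())
                .withRoleSessionName(sessionName);

        // null, "" and whitespace-only all mean "no external ID":
        // the field is not sent at all, and nothing is dereferenced when it is null.
        String id = externalId == null ? "" : externalId.trim();
        if (id.isEmpty()) {
            return request;
        }
        // Fail locally with a clear message instead of a remote validation error.
        if (id.length() < MIN_EXTERNAL_ID || id.length() > MAX_EXTERNAL_ID) {
            throw new IllegalArgumentException("externalId must be " + MIN_EXTERNAL_ID
                    + " to " + MAX_EXTERNAL_ID + " characters, got " + id.length());
        }
        return request.withExternalId(id);
    }

    public static void main(String[] args) {
        // Constructed sample values; building the request does not contact AWS.
        String arn = "arn:aws:iam::123456789012:role/example-role";
        for (String candidate : new String[] {null, "", "   ", "example-external-id"}) {
            AssumeRoleRequest r = build(arn, "jenkins", candidate);
            System.out.println("input=" + candidate + " -> ExternalId=" + r.getExternalId());
        }
    }
}
```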
