jenkinsci / amazon-ecr-plugin

Amazon EC2 Container Registry plugin for Jenkins
https://plugins.jenkins.io/amazon-ecr/
MIT License

Could not find credentials after latest release #180

Closed marcingryska closed 4 weeks ago

marcingryska commented 1 month ago

Jenkins and plugins versions report

Environment

```text
Plugin version of 1.136.v914ea_5948634 running on Debian 11, Java VM vendor: Debian, Java VM name: OpenJDK 64-Bit Server VM, Java version 11.0.23, Jenkins version 2.452.2, OS name: Linux, OS version: 4.19.0-26-cloud-amd64
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Debian

Reproduction steps

A command that used to work properly with the previous version, i.e. 1.114.vfd22430621f5:

    docker.withRegistry(config["ecr_url"], ecr_credentials_preffix + config["credentials"]) {
        app.push("${env.BUILD_NUMBER}")
        app.push("latest")
        if (buildNumber != null) {
            app.push("ssng_${env.BRANCH_NAME}_${buildNumber}")
        }
    }

Now (version 1.136.v914ea_5948634) it produces a credentials-not-found exception.

Expected Results

push to ECR successful

Actual Results

Exception occurs: hudson.AbortException: Could not find credentials matching credentials:here

TobiX commented 1 month ago

Can you check if this incremental was still working? (I'm currently far away from any usable AWS credentials, so I cannot test myself)

https://repo.jenkins-ci.org/artifactory/incrementals/com/cloudbees/jenkins/plugins/amazon-ecr/1.132.v88c326c2041e/amazon-ecr-1.132.v88c326c2041e.hpi

If this is the case, the bug was most likely introduced with c45fcef0d1a25b3b0b633fcbadab2b254d525dd5 and I missed some acegisecurity to spring security migration...

marcingryska commented 1 month ago

Thanks for the quick reaction. I'll try to check it and give you feedback then.

marcingryska commented 1 month ago

@TobiX I confirm it works properly with 1.132.v88c326c2041e, so please apply it/revert into the latest stable version.

TobiX commented 1 month ago

I'd rather not revert the change, since it is a future-proofing migration. I wrote a simple test case (and documentation on how to use it) for the functionality of this plugin in #182, which proves the basic functionality still works... Maybe you could provide a minimal reproducer for your use case, so we can find what is broken?

TobiX commented 1 month ago

A thing which changed with the modernisation is that DomainRequirements are now passed through when looking up credentials. So if your credential domains are defined too restricted, they will not be found...

marcingryska commented 1 month ago

@TobiX Thank you. I see I need to check whether such a test is possible in our Jenkins, as we would rather not set sensitive data as env variables. Could you additionally explain what you meant by saying

> credential domains are defined too restricted

What kind of restriction level?

TobiX commented 1 month ago

> credential domains are defined too restricted
>
> What kind of restriction level?

Jenkins credential domains can have specifications regarding their validity. Those were ignored before the latest versions, but are honoured now: [image]

(Not sure if the previous behaviour was a bug or a conscious omission, but I was under the impression that users using this feature would be aware of how it works)
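
The domain check described in this thread can be inspected from the Jenkins script console; the following is an added example, not part of the original thread and not the plugin's own code. It assumes the lookup requirements are derived from the registry URL passed to `docker.withRegistry`, and the URL below is a constructed placeholder.

```groovy
// Added diagnostic for the Jenkins script console (not from the plugin).
// Lists every system-store credentials domain, shows whether its
// specifications accept the registry URL, and which credential IDs sit in it.
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.common.IdCredentials
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder

// Constructed placeholder: replace with the URL your pipeline passes
// as the first argument of docker.withRegistry().
def registryUrl = 'https://123456789012.dkr.ecr.eu-west-1.amazonaws.com'

// Assumption: requirements built from the URL (scheme, hostname, port, path).
def requirements = URIRequirementBuilder.fromUri(registryUrl).build()
println "Requirements for ${registryUrl}:"
requirements.each { println "  ${it.class.simpleName}" }

SystemCredentialsProvider.instance.domainCredentialsMap.each { domain, creds ->
    // Domain.test() is the check that hides credentials in a non-matching domain.
    def visible = domain.test(requirements)
    def name = domain.name ?: '(global)'
    println "${visible ? 'MATCH   ' : 'NO MATCH'} domain '${name}'"

    // Per-specification verdicts show which rule rejects the URL.
    domain.specifications.each { spec ->
        def verdicts = requirements.collect { spec.test(it) }
        println "    ${spec.class.simpleName}: ${verdicts}"
    }

    creds.findAll { it instanceof IdCredentials }.each { cred ->
        def note = visible ? '' : '  <- not returned for this URL'
        println "    credential id: ${cred.id}${note}"
    }
}
return null
```

This only walks the system credentials store; credentials defined on folders live in separate stores and need the same check against their own domains.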

marcingryska commented 1 month ago

Thank you, now it is clear to me. Let me check then with changed domain settings.

marcingryska commented 1 month ago

@TobiX Indeed that was a brilliant remark. We had obsolete domains set there; now, after setting them to up-to-date ones, it works like a charm. Thank you for your help.

TobiX commented 4 weeks ago

@marcingryska Thanks for the confirmation. Maybe this needs a documentation update... Feel free to close this issue if the issue is fixed for you!