jenkinsci / aws-credentials-plugin

CloudBees Amazon Web Services Credentials Plugin
https://plugins.jenkins.io/aws-credentials/
MIT License

Jenkins is failing due to external Id is required in the latest release for IAM role #116

Closed cao2504 closed 2 years ago

cao2504 commented 2 years ago

Version report

Jenkins and plugins versions report:

aws-credentials:latest
Linux

Reproduction steps


withCredentials([[$class       : 'AmazonWebServicesCredentialsBinding',
                  credentialsId: credentials]])

Results

Expected result:

Jenkins to grab the role and perform AWS tasks

Actual result:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value '' at 'externalId' failed to satisfy constraint: Member must have length greater than or equal to 2 (Service: AWSSecurityTokenService

webminster commented 2 years ago

I see a very similar issue with the EC2 Fleet plugin. I had opened this issue in Jenkins JIRA as https://issues.jenkins.io/browse/JENKINS-67452

webminster commented 2 years ago

How can we get some attention on this issue? The JIRA for this bug is not getting attention either: https://issues.jenkins.io/browse/JENKINS-67452

ricardojdsilva87 commented 2 years ago

Hello, we hit the same issue after upgrading to Jenkins 2.319.2 LTS JDK11; the plugin updated itself to the latest version. The fix was to add something with more than 2 characters in the External Id To Use.

It can also be configured with casc using:

credentials:
  system:
    domainCredentials:
      - credentials:
        - aws:
            iamRoleArn: "arn:aws:iam::xxxxxxx"
            iamExternalId: "something with more than 2 characters"
            description: "description"
            id: "id you choose"
            scope: GLOBAL  # you choose; GLOBAL is one example

Thanks
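A pre-flight check for the configuration-as-code entries discussed above, as an added example that is not part of the original comment or the plugin's code. It flags `iamExternalId` values that STS would reject per the error quoted in this issue and omits the field when it is unset; the sample config, role ARN, session name and function names are constructed for illustration.

```python
# Added example: pre-flight check for Jenkins CasC AWS credentials.
# Key names (iamRoleArn, iamExternalId, id) follow the YAML in this thread.
MIN_EXTERNAL_ID_LEN = 2  # from the STS validation error quoted in the issue


def iter_aws_credentials(casc):
    """Yield each `aws` credential mapping from a parsed CasC document."""
    system = casc.get("credentials", {}).get("system", {})
    for domain in system.get("domainCredentials", []):
        for entry in domain.get("credentials", []):
            if "aws" in entry:
                yield entry["aws"]


def assume_role_params(cred, session_name="jenkins"):
    """Build AssumeRole parameters, omitting ExternalId when it is unset.

    Raises ValueError for a value STS would reject as too short.
    """
    params = {"RoleArn": cred["iamRoleArn"], "RoleSessionName": session_name}
    external_id = cred.get("iamExternalId")
    if external_id is None or external_id == "":
        return params  # unset: do not send the field at all
    if len(external_id) < MIN_EXTERNAL_ID_LEN:
        raise ValueError(f"{cred.get('id')}: externalId shorter than {MIN_EXTERNAL_ID_LEN}")
    params["ExternalId"] = external_id
    return params


def check_config(casc):
    """Return {credential id: params or error string} for every AWS credential."""
    report = {}
    for cred in iter_aws_credentials(casc):
        try:
            report[cred.get("id")] = assume_role_params(cred)
        except ValueError as exc:
            report[cred.get("id")] = f"ERROR: {exc}"
    return report


# Constructed sample input (placeholder account id and role name).
ARN = "arn:aws:iam::111111111111:role/example"
SAMPLE = {"credentials": {"system": {"domainCredentials": [{"credentials": [
    {"aws": {"id": "no-ext-id", "iamRoleArn": ARN, "iamExternalId": ""}},
    {"aws": {"id": "short", "iamRoleArn": ARN, "iamExternalId": "x"}},
    {"aws": {"id": "ok", "iamRoleArn": ARN, "iamExternalId": "build-42"}},
]}]}}}

if __name__ == "__main__":
    for cred_id, result in check_config(SAMPLE).items():
        print(cred_id, "->", result)
```

A placeholder external ID only satisfies the length check; it adds confused-deputy protection only if the role's trust policy has a matching `sts:ExternalId` condition.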

jtnord commented 2 years ago

Try https://ci.jenkins.io/job/Plugins/job/aws-credentials-plugin/job/PR-125/1/artifact/org/jenkins-ci/plugins/aws-credentials/1.34-rc181.b8986bf42f7e/aws-credentials-1.34-rc181.b8986bf42f7e.hpi and see if it resolves the issue for you

webminster commented 2 years ago

This didn't seem to work for me... I uploaded this version and restarted, and got a large traceback:

2022-02-04 19:44:21.312+0000 [id=30] SEVERE jenkins.InitReactorRunner$1#onTaskFailed: Failed ConfigurationAsCode.init
java.lang.NullPointerException
    at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.createAssumeRoleRequest(AWSCredentialsImpl.java:232)
    at com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:158)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1266)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:842)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:792)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:779)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:753)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:713)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:695)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:559)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:539)
    at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.doInvoke(AmazonAutoScalingClient.java:4931)
    at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.invoke(AmazonAutoScalingClient.java:4898)
    at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.invoke(AmazonAutoScalingClient.java:4887)
    at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.executeDescribeAutoScalingGroups(AmazonAutoScalingClient.java:1847)
    at com.amazonaws.services.autoscaling.AmazonAutoScalingClient.describeAutoScalingGroups(AmazonAutoScalingClient.java:1815)
    at com.amazon.jenkins.ec2fleet.fleet.AutoScalingGroupFleet.getState(AutoScalingGroupFleet.java:78)
    at com.amazon.jenkins.ec2fleet.EC2FleetCloud.<init>(EC2FleetCloud.java:221)
Caused: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.tryConstructor(DataBoundConfigurator.java:173)
Caused: io.jenkins.plugins.casc.ConfiguratorException: eC2Fleet: Failed to construct instance of class com.amazon.jenkins.ec2fleet.EC2FleetCloud.
 Constructor: public com.amazon.jenkins.ec2fleet.EC2FleetCloud(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,hudson.slaves.ComputerConnector,boolean,boolean,java.lang.Integer,int,int,int,int,boolean,boolean,java.lang.String,boolean,java.lang.Integer,java.lang.Integer,boolean,java.lang.Integer,boolean).
 Arguments: [java.lang.String, null, java.lang.String, null, java.lang.String, null, java.lang.String, java.lang.String, null, hudson.plugins.sshslaves.SSHConnector, java.lang.Boolean, java.lang.Boolean, java.lang.Integer, java.lang.Integer, java.lang.Integer, java.lang.Integer, java.lang.Integer, java.lang.Boolean, java.lang.Boolean, null, java.lang.Boolean, java.lang.Integer, java.lang.Integer, java.lang.Boolean, java.lang.Integer, java.lang.Boolean].
 Expected Parameters: name java.lang.String, oldId java.lang.String, awsCredentialsId java.lang.String, credentialsId java.lang.String, region java.lang.String, endpoint java.lang.String, fleet java.lang.String, labelString java.lang.String, fsRoot java.lang.String, computerConnector hudson.slaves.ComputerConnector, privateIpUsed boolean, alwaysReconnect boolean, idleMinutes java.lang.Integer, minSize int, maxSize int, minSpareSize int, numExecutors int, addNodeOnlyIfRunning boolean, restrictUsage boolean, maxTotalUses java.lang.String, disableTaskResubmit boolean, initOnlineTimeoutSec java.lang.Integer, initOnlineCheckIntervalSec java.lang.Integer, scaleExecutorsByWeight boolean, cloudStatusIntervalSec java.lang.Integer, noDelayProvision boolean

jtnord commented 2 years ago

> This didn't seem to work for me... I uploaded this version and restarted, and got a large traceback:

The next build should be better. It should be in https://ci.jenkins.io/job/Plugins/job/aws-credentials-plugin/job/PR-125/2/ under artifacts when the build completes.

webminster commented 2 years ago

This version (aws-credentials-1.34-rc182.5fcd8bb8776d.hpi) is definitely better, doesn't choke on the Jenkins restart. Seems at the moment to work as expected. Thanks for working on this!