jenkinsci / aws-secrets-manager-credentials-provider-plugin

AWS Secrets Manager Credentials Provider for Jenkins
https://plugins.jenkins.io/aws-secrets-manager-credentials-provider/
MIT License
65 stars, 43 forks

"Could not list credentials in Secrets Manager" #324

Open tgooderham opened 4 months ago

tgooderham commented 4 months ago

Jenkins and plugins versions report

Environment

```text
Paste the output here
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins controller 2.440.3.7 running on CentOS 7.8.2003 x86_64
AWS Secrets Manager Credentials Provider Version 1.214.va_0a_d8268d068

Reproduction steps

Installed plugin: AWS Secrets Manager Credentials Provider Version 1.214.va_0a_d8268d068

According to the docs, the default configuration should provide authentication to AWS via the instance profile if the server is within EC2 which it is.

The attached instance profile name is: role-deployment-automation-within-ec2

The policy on that profile is (opening brace restored; it was dropped in the paste):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:331560656580:key/20c8ca2e-6073-4aa0-8e2d-65ea10f8a9bc"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:ListSecrets",
                "secretsmanager:DescribeSecret",
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecrets",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "*"
        }
    ]
}
```

Expected Results

AWS Secrets appear in jenkins credential store

Actual Results

Repeated occurrences of:

```text
May 30, 2024 8:42:40 AM WARNING io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider getCredentials Could not list credentials in Secrets Manager: message=[Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: You must specify a value for roleArn and roleSessionName, com.amazonaws.auth.profile.ProfileCredentialsProvider@9279de4: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@22deced1: Unable to load credentials. Access key or secret key are null.]]
```

Anything else?

No response

Are you interested in contributing a fix?

No response
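
The chain message in the report is worth reading closely before touching IAM: the AWS SDK for Java v1 raises "Unable to load AWS credentials from any provider in the chain" when none of its providers returned credentials, which happens before any signed request to Secrets Manager is sent, so the instance-profile policy is not what is being evaluated at that point. The following is an added example written for this page (it is not the reporter's or the plugin's code). It parses that warning into the per-provider failures, classifies the warning as a credential-resolution failure versus an authorization failure, and repeats the instance-profile lookup the last provider performs against IMDS (IMDSv2 token, role name, credential document) so the failing step can be seen directly. The sample log line is a copy of the one in the report; the `imds_probe` name, its `base_url` and `timeout` parameters and the per-provider descriptions are this example's own assumptions.

```python
"""Triage helper for the credential-chain warning quoted above.

Added example for this page, not plugin code. The AWS SDK for Java v1 raises
"Unable to load AWS credentials from any provider in the chain" when no
provider returned credentials; that happens before any signed request, so the
instance-profile IAM policy has not been evaluated at that point.
"""
import json
import re
import urllib.request

# Constructed copy of the WARNING line from the issue.
SAMPLE_LOG = (
    "May 30, 2024 8:42:40 AM WARNING io.jenkins.plugins.credentials.secretsmanager"
    ".AwsCredentialsProvider getCredentials Could not list credentials in Secrets"
    " Manager: message=[Unable to load AWS credentials from any provider in the chain:"
    " [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from"
    " environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY"
    " (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load"
    " AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey),"
    " WebIdentityTokenCredentialsProvider: You must specify a value for roleArn and"
    " roleSessionName, com.amazonaws.auth.profile.ProfileCredentialsProvider@9279de4:"
    " profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper"
    "@22deced1: Unable to load credentials. Access key or secret key are null.]]"
)

CHAIN_MARKER = "Unable to load AWS credentials from any provider in the chain"

# SDK v1 default chain, in order, and what each provider reads. The class
# names are the ones printed in the log; the descriptions are this example's.
PROVIDER_SOURCE = {
    "EnvironmentVariableCredentialsProvider":
        "AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the Jenkins process environment",
    "SystemPropertiesCredentialsProvider":
        "aws.accessKeyId / aws.secretKey JVM system properties",
    "WebIdentityTokenCredentialsProvider":
        "AWS_WEB_IDENTITY_TOKEN_FILE plus AWS_ROLE_ARN",
    "ProfileCredentialsProvider":
        "~/.aws/credentials of the user Jenkins runs as",
    "EC2ContainerCredentialsProviderWrapper":
        "AWS_CONTAINER_CREDENTIALS_* endpoint if set, otherwise the EC2 instance"
        " metadata service (skipped when AWS_EC2_METADATA_DISABLED=true)",
}
_PROVIDER_RE = re.compile(
    r"(?:[\w.]+\.)?(" + "|".join(PROVIDER_SOURCE) + r")(?:@[0-9a-f]+)?:\s*")


def parse_chain_failures(line):
    """Return [(provider, reason), ...] in chain order from the warning text.
    Splitting on known provider names keeps reasons that contain commas intact."""
    start = line.find(CHAIN_MARKER)
    if start == -1:
        return []
    body = line[start + len(CHAIN_MARKER):]
    hits = list(_PROVIDER_RE.finditer(body))
    failures = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        failures.append((m.group(1), body[m.end():end].rstrip(" ,]")))
    return failures


def diagnose(line):
    """Classify a plugin warning so the fix is aimed at the right layer."""
    if CHAIN_MARKER in line:
        failures = parse_chain_failures(line)
        last = failures[-1][0] if failures else None
        return {"category": "credential_resolution",
                "providers_tried": [p for p, _ in failures],
                "last_provider": last,
                "check": PROVIDER_SOURCE.get(last, "unknown provider")}
    if "AccessDeniedException" in line or "not authorized" in line:
        return {"category": "authorization",
                "check": "IAM policy / resource policy on the secret or KMS key"}
    return {"category": "other"}


def imds_probe(base_url="http://169.254.169.254", timeout=2):
    """Repeat the instance-profile lookup the last provider performs: IMDSv2
    token, role name, then the credential document. Reports the first step
    that failed; the secret key is never included in the result."""
    result = {"reachable": False, "role": None, "credentials": False, "error": None}
    try:
        req = urllib.request.Request(base_url + "/latest/api/token", method="PUT",
                                     headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            token = resp.read().decode()
        result["reachable"] = True
        hdr = {"X-aws-ec2-metadata-token": token}
        path = "/latest/meta-data/iam/security-credentials/"
        with urllib.request.urlopen(urllib.request.Request(base_url + path, headers=hdr),
                                    timeout=timeout) as resp:
            role = resp.read().decode().strip()
        result["role"] = role
        with urllib.request.urlopen(urllib.request.Request(base_url + path + role, headers=hdr),
                                    timeout=timeout) as resp:
            doc = json.loads(resp.read().decode())
        result["credentials"] = doc.get("Code") == "Success" and bool(doc.get("AccessKeyId"))
    except Exception as exc:  # refused, timed out, HTTP 401/404 all land here
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(imds_probe())
```

Run it on the controller as the user the Jenkins service runs as, since that is the identity whose environment, JVM properties and home directory the chain consults. For the report's line, `diagnose` returns `credential_resolution` with `EC2ContainerCredentialsProviderWrapper` as the last provider, which is the one that talks to the metadata service; whatever `imds_probe` reports as the first failing step (token PUT refused or timed out, role path returning 404, credential document without a `Success` code) is the layer to fix before the IAM policy gets involved.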

chriskilding commented 4 months ago

For what it's worth, I noticed there is no Sid on the relevant policy stanza that the Jenkins plugin would use, i.e. this bit

```json
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecrets",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "*"
        }
```

Just in case the absence of a Sid causes that policy stanza to be read as invalid (and therefore ignored by IAM), could you try adding a Sid to it, and re-running your test scenario to see if the error still happens?
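
On the Sid question: the IAM policy grammar makes `Sid` optional, so a statement without one is evaluated like any other. What IAM does reject outright is malformed JSON, and the policy as pasted in the report lacks its opening brace. The example below is added for this page (it is not the plugin's code): it parses the pasted policy, reports whether it is valid JSON, lists which statements lack a Sid for information only, and checks that the Allow statements cover the actions needed to list and read secrets. Which actions the plugin strictly requires is an assumption here (the set is taken from what the pasted policy itself grants); IAM wildcard matching is approximated with `fnmatch`, and Deny statements, Condition blocks and Resource scoping are not evaluated.

```python
"""Static check of the instance-profile policy pasted in this issue.

Added example for this page, not plugin code. Sid is optional in the IAM
policy grammar, so a statement without one is reported but not treated as an
error. Deny statements, Condition blocks and Resource scoping are not
evaluated here.
"""
import fnmatch
import json

# Assumed: the actions needed for listing and reading secrets encrypted with a
# customer-managed KMS key (taken from what the pasted policy grants, not from
# the plugin's documentation).
REQUIRED_ACTIONS = (
    "secretsmanager:ListSecrets",
    "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret",
    "kms:Decrypt",
)

# Constructed copy of the policy from the report, opening brace restored.
PASTED_POLICY = r"""{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"],
            "Resource": ["arn:aws:kms:us-east-1:331560656580:key/20c8ca2e-6073-4aa0-8e2d-65ea10f8a9bc"]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": ["secretsmanager:CreateSecret", "secretsmanager:ListSecrets",
                       "secretsmanager:DescribeSecret", "kms:ListAliases"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:ListSecrets",
                       "secretsmanager:DescribeSecret"],
            "Resource": "*"
        }
    ]
}"""


def load_policy(text):
    """IAM rejects malformed JSON outright, so rule that out first."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON: {exc}"


def _as_list(value):
    # IAM accepts a single string or object anywhere it accepts a list.
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Action patterns from every Allow statement, with or without a Sid."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "NotAction" not in stmt:
            patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def is_allowed(action, patterns):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    patterns = allowed_action_patterns(policy)
    return sorted(a for a in required if not is_allowed(a, patterns))


def statements_without_sid(policy):
    return [i for i, s in enumerate(_as_list(policy.get("Statement", [])))
            if "Sid" not in s]


def review(text):
    """One-shot report: JSON validity, missing actions, statements lacking a Sid."""
    policy, err = load_policy(text)
    if err:
        return {"ok": False, "error": err}
    missing = missing_actions(policy)
    return {"ok": not missing, "missing": missing,
            "statements_without_sid": statements_without_sid(policy)}


if __name__ == "__main__":
    print(review(PASTED_POLICY))
    print(review(PASTED_POLICY[1:]))  # as pasted, without the opening brace
```

For the report's policy the check comes back clean (no missing actions, statement index 2 flagged as Sid-less for information only), which is consistent with the chain warning above: the failure is in obtaining credentials, not in what those credentials are allowed to do.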

tgooderham commented 4 months ago

Hey Chris, yes... I removed it to see if that might've been the cause. Seems not.
