jenkinsci / aws-secrets-manager-credentials-provider-plugin

AWS Secrets Manager Credentials Provider for Jenkins
https://plugins.jenkins.io/aws-secrets-manager-credentials-provider/
MIT License

region configuration option not respected #326

Closed emilioziniades closed 3 months ago

emilioziniades commented 3 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.452.2
OS: Linux - 5.14.0-427.22.1.el9_4.x86_64
Java: 17.0.11 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
authentication-tokens:1.113.v81215a_241826
aws-java-sdk-minimal:1.12.730-457.v3403b_37d2170
aws-java-sdk-secretsmanager:1.12.730-457.v3403b_37d2170
aws-secrets-manager-credentials-provider:1.214.va_0a_d8268d068
azure-ad:484.v5fd019a_39b_18
azure-sdk:174.va_89c1df897d2
bitbucket:241.v6d24a_57f9359
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-233.vfdcdeb_0a_08a_a_
branch-api:2.1169.va_f810c56e895
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.0
cloudbees-bitbucket-branch-source:883.v041fa_695e9c2
cloudbees-folder:6.928.v7c780211d66e
command-launcher:107.v773860566e2e
commons-compress-api:1.26.1-2
commons-lang3-api:3.14.0-76.vda_5591261cfe
commons-text-api:1.12.0-119.v73ef73f2345d
configuration-as-code:1810.v9b_c30a_249a_4c
configuration-as-code-groovy:1.1
credentials:1337.v60b_d7b_c7b_c9f
credentials-binding:677.vdc9d38cb_254d
display-url-api:2.204.vf6fddd8a_8b_e9
durable-task:555.v6802fe0f0b_82
echarts-api:5.5.0-1
eddsa-api:0.3.0-4.v84c6f0f4969e
font-awesome-api:6.5.2-1
git:5.2.2
git-client:5.0.0
gson-api:2.11.0-41.v019fcf6125dc
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
instance-identity:185.v303dc7c645f9
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jdk-tool:73.vddf737284550
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-41.v94e11e6de726
junit:1265.v65b_14fa_f12f0
kubernetes:4246.v5a_12b_1fe120e
kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2
kubernetes-credentials:174.va_36e093562d9
mailer:472.vf7c289a_4b_420
matrix-auth:3.2.2
matrix-project:832.va_66e270d2946
mercurial:1260.vdfb_723cdcc81
metrics:4.2.21-451.vd51df8df52ec
mina-sshd-api-common:2.12.1-113.v4d3ea_5eb_7f72
mina-sshd-api-core:2.12.1-113.v4d3ea_5eb_7f72
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-graph-view:304.va_f2a_16b_e4964
pipeline-groovy-lib:727.ve832a_9244dfa_
pipeline-input-step:495.ve9c153f6067b_
pipeline-model-api:2.2198.v41dd8ef6dd56
pipeline-model-definition:2.2198.v41dd8ef6dd56
pipeline-model-extensions:2.2198.v41dd8ef6dd56
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2198.v41dd8ef6dd56
pipeline-stage-view:2.34
pipeline-utility-steps:2.17.0
plain-credentials:182.v468b_97b_9dcb_8
plugin-util-api:4.1.0
prism-api:1.29.0-15
purge-build-queue-plugin:88.v23b_97b_f2c7a_d
resource-disposer:0.23
scm-api:690.vfc8b_54395023
script-security:1341.va_2819b_414686
snakeyaml-api:2.2-111.vc6598e30cc65
ssh-credentials:337.v395d2403ccd4
sshd:3.322.v159e91f6a_550
structs:337.v1b_04ea_4df7c8
timestamper:1.27
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
workflow-api:1316.v33eb_726c50b_a_
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3903.v48a_8836749e9
workflow-durable-task-step:1353.v1891a_b_01da_18
workflow-job:1400.v7fd111b_ec82f
workflow-multibranch:783.787.v50539468395f
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:657.v03b_e8115821b_
workflow-support:907.v6713a_ed8a_573
ws-cleanup:0.46
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux, using jenkins-lts container image

Reproduction steps

This is a jenkins server running inside an on-premises kubernetes cluster.

I have an unclassified.yml configuration file as follows (omitting sensitive or irrelevant data)

```yaml
unclassified:
  awsCredentialsProvider:
    client:
      region: "eu-west-1"
      credentialsProvider:
        static:
          accessKey: "*****"
          secretKey: "******"
```

The server fails to start up, here is an excerpt of the logs before it dies:

Server Logs

```text
2024-06-26 13:17:01.741+0000 [id=32] WARNING c.a.util.EC2MetadataUtils#getItems: Unable to retrieve the requested metadata (/latest/dynamic/instance-identity/document). Failed to connect to service endpoint: java.net.SocketTimeoutException: Connect timed out
    at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(Unknown Source)
    at java.base/sun.nio.ch.NioSocketImpl.connect(Unknown Source)
    at java.base/java.net.Socket.connect(Unknown Source)
    at java.base/sun.net.NetworkClient.doConnect(Unknown Source)
    at java.base/sun.net.www.http.HttpClient.openServer(Unknown Source)
    at java.base/sun.net.www.http.HttpClient.openServer(Unknown Source)
    at java.base/sun.net.www.http.HttpClient.<init>(Unknown Source)
    at java.base/sun.net.www.http.HttpClient.New(Unknown Source)
    at java.base/sun.net.www.http.HttpClient.New(Unknown Source)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
    at com.amazonaws.internal.ConnectionUtils.connectToEndpoint(ConnectionUtils.java:95)
    at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:85)
Caused: com.amazonaws.SdkClientException: Failed to connect to service endpoint:
    at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:119)
    at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:70)
    at com.amazonaws.internal.InstanceMetadataServiceResourceFetcher.readResource(InstanceMetadataServiceResourceFetcher.java:90)
    at com.amazonaws.internal.EC2ResourceFetcher.readResource(EC2ResourceFetcher.java:66)
    at com.amazonaws.util.EC2MetadataUtils.getItems(EC2MetadataUtils.java:407)
    at com.amazonaws.util.EC2MetadataUtils.getData(EC2MetadataUtils.java:376)
    at com.amazonaws.util.EC2MetadataUtils.getData(EC2MetadataUtils.java:372)
    at com.amazonaws.util.EC2MetadataUtils.getEC2InstanceRegion(EC2MetadataUtils.java:287)
    at com.amazonaws.regions.InstanceMetadataRegionProvider.tryDetectRegion(InstanceMetadataRegionProvider.java:59)
    at com.amazonaws.regions.InstanceMetadataRegionProvider.getRegion(InstanceMetadataRegionProvider.java:50)
    at com.amazonaws.regions.AwsRegionProviderChain.getRegion(AwsRegionProviderChain.java:46)
    at com.amazonaws.client.builder.AwsClientBuilder.determineRegionFromRegionProvider(AwsClientBuilder.java:475)
    at com.amazonaws.client.builder.AwsClientBuilder.setRegion(AwsClientBuilder.java:458)
    at com.amazonaws.client.builder.AwsClientBuilder.configureMutableProperties(AwsClientBuilder.java:424)
    at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
    at io.jenkins.plugins.credentials.secretsmanager.config.Client.build(Client.java:131)
    at io.jenkins.plugins.credentials.secretsmanager.supplier.CredentialsSupplier.createClient(CredentialsSupplier.java:95)
    at io.jenkins.plugins.credentials.secretsmanager.supplier.CredentialsSupplier.get(CredentialsSupplier.java:45)
    at io.jenkins.plugins.credentials.secretsmanager.supplier.CredentialsSupplier.get(CredentialsSupplier.java:22)
    at io.jenkins.plugins.credentials.secretsmanager.CustomSuppliers$ExpiringMemoizingSupplier.get(CustomSuppliers.java:58)
    at io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider.getCredentials(AwsCredentialsProvider.java:47)
    at com.cloudbees.plugins.credentials.CredentialsProvider.getCredentialsInItemGroup(CredentialsProvider.java:1194)
    at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentialsInItemGroup(CredentialsProvider.java:389)
    at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentialsInItem(CredentialsProvider.java:544)
    at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:517)
    at com.cloudbees.jenkins.plugins.bitbucket.BitbucketCredentials.lookupCredentials(BitbucketCredentials.java:63)
    at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.credentials(BitbucketSCMSource.java:1075)
    at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.authenticator(BitbucketSCMSource.java:1085)
    at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.buildBitbucketClient(BitbucketSCMSource.java:554)
    at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.buildBitbucketClient(BitbucketSCMSource.java:546)
    at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.getRepositoryType(BitbucketSCMSource.java:535)
    at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.afterSave(BitbucketSCMSource.java:560)
    at jenkins.branch.MultiBranchProject.fireSCMSourceAfterSave(MultiBranchProject.java:932)
    at jenkins.branch.MultiBranchProject.onLoad(MultiBranchProject.java:248)
    at org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject.onLoad(WorkflowMultiBranchProject.java:85)
    at hudson.model.Items.load(Items.java:376)
    at hudson.model.ItemGroupMixIn$2.call(ItemGroupMixIn.java:284)
    at hudson.model.ItemGroupMixIn$2.call(ItemGroupMixIn.java:282)
    at hudson.model.Items.whileUpdatingByXml(Items.java:132)
    at hudson.model.ItemGroupMixIn.createProjectFromXML(ItemGroupMixIn.java:282)
    at jenkins.model.Jenkins.createProjectFromXML(Jenkins.java:4291)
    at jenkins.model.ModifiableTopLevelItemGroup$createProjectFromXML.call(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:136)
    at Configuration-as-Code-Groovy.run(Configuration-as-Code-Groovy:41)
    at groovy.lang.GroovyShell.runScriptOrMainOrTestOrRunnable(GroovyShell.java:263)
    at groovy.lang.GroovyShell.run(GroovyShell.java:507)
    at groovy.lang.GroovyShell.run(GroovyShell.java:486)
    at groovy.lang.GroovyShell.run(GroovyShell.java:171)
    at io.jenkins.plugins.cascgroovy.GroovyScriptCaller.configure(GroovyScriptCaller.java:83)
    at io.jenkins.plugins.cascgroovy.GroovyScriptCaller.configure(GroovyScriptCaller.java:33)
    at io.jenkins.plugins.casc.ConfigurationAsCode.lambda$configureWith$7(ConfigurationAsCode.java:823)
    at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:773)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:823)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:695)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:352)
    at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:341)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:109)
    at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:185)
    at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
    at jenkins.model.Jenkins$5.runTask(Jenkins.java:1175)
    at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:221)
    at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:120)
    at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
2024-06-26 13:17:01.742+0000 [id=32] WARNING i.j.p.c.s.AwsCredentialsProvider#getCredentials: Could not list credentials in Secrets Manager: message=[Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.]
```

Expected Results

The region is parsed from the plugin configuration.

Actual Results

The region is not discovered via the plugin configuration, and it falls back to using EC2 metadata to determine the region, but it is not running in AWS.

Anything else?

No response

Are you interested in contributing a fix?

Yes, but I have limited java experience.

emilioziniades commented 3 months ago

To add more context, I am using the Jenkins configuration as code plugin (https://github.com/jenkinsci/configuration-as-code-plugin) and the groovy configuration as code plugin (https://github.com/jenkinsci/configuration-as-code-groovy-plugin).

The above errors are during setup, when a groovy script runs and tries to access AWS credentials.

emilioziniades commented 3 months ago

Closing this issue. I don't think it was this plugin that was misbehaving in isolation. The issue was simply accessing credentials in the setup.groovy script, which I'm guessing is out of scope for this plugin.
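The closing comment pins the warning on a credentials lookup made from a CasC Groovy setup script rather than on the plugin itself, and the stack trace above supports that: the plugin's `Client.build` frame sits under `GroovyScriptCaller.configure` and `ConfigurationAsCode.init`. The triage script below is an added example by the editor, not code from the issue reporter or from the plugin. It pairs the SDK's IMDS warning with the plugin's "Unable to find a region" warning, walks the Java stack frames, and reports who asked for credentials and whether that happened during Configuration as Code initialisation. The class names are taken from the trace in this issue; the sample log is a constructed, condensed copy of that trace, and the output labels and the `diagnose`/`verdict` helpers are this example's own.

```python
import re

# Added example (not from the issue or the plugin): triage a Jenkins controller log
# for the startup warning discussed in this issue.

IMDS_RE = re.compile(r"EC2MetadataUtils#getItems: Unable to retrieve the requested metadata")
NO_REGION_RE = re.compile(r"Unable to find a region via the region provider chain")
# One Java stack frame: "at <class>.<method>(<location>)". The class part may contain
# a module prefix such as "java.base/" or hyphens as in "Configuration-as-Code-Groovy".
FRAME_RE = re.compile(r"\bat ([\w.$/\-]+)\.([\w$<>]+)\(([^)]*)\)")

# Class names as they appear in the trace posted above.
PLUGIN_CLIENT_BUILD = "io.jenkins.plugins.credentials.secretsmanager.config.Client"
CREDENTIALS_LAYER = ("io.jenkins.plugins.credentials.secretsmanager",
                     "com.cloudbees.plugins.credentials")
INIT_PHASE_MARKERS = ("io.jenkins.plugins.casc.ConfigurationAsCode",
                      "io.jenkins.plugins.cascgroovy.GroovyScriptCaller")

# Constructed sample: a condensed subset of the frames from the issue's log.
SAMPLE_LOG = """\
2024-06-26 13:17:01.741+0000 [id=32] WARNING c.a.util.EC2MetadataUtils#getItems: Unable to retrieve the requested metadata (/latest/dynamic/instance-identity/document). Failed to connect to service endpoint: java.net.SocketTimeoutException: Connect timed out
    at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(Unknown Source)
    at com.amazonaws.util.EC2MetadataUtils.getEC2InstanceRegion(EC2MetadataUtils.java:287)
    at com.amazonaws.regions.InstanceMetadataRegionProvider.tryDetectRegion(InstanceMetadataRegionProvider.java:59)
    at com.amazonaws.client.builder.AwsClientBuilder.setRegion(AwsClientBuilder.java:458)
    at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
    at io.jenkins.plugins.credentials.secretsmanager.config.Client.build(Client.java:131)
    at io.jenkins.plugins.credentials.secretsmanager.supplier.CredentialsSupplier.createClient(CredentialsSupplier.java:95)
    at io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider.getCredentials(AwsCredentialsProvider.java:47)
    at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:517)
    at com.cloudbees.jenkins.plugins.bitbucket.BitbucketCredentials.lookupCredentials(BitbucketCredentials.java:63)
    at jenkins.branch.MultiBranchProject.onLoad(MultiBranchProject.java:248)
    at jenkins.model.Jenkins.createProjectFromXML(Jenkins.java:4291)
    at Configuration-as-Code-Groovy.run(Configuration-as-Code-Groovy:41)
    at io.jenkins.plugins.cascgroovy.GroovyScriptCaller.configure(GroovyScriptCaller.java:83)
    at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:341)
    at java.base/java.lang.Thread.run(Unknown Source)
2024-06-26 13:17:01.742+0000 [id=32] WARNING i.j.p.c.s.AwsCredentialsProvider#getCredentials: Could not list credentials in Secrets Manager: message=[Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.]
"""


def parse_frames(log_text):
    """Return (class, method, location) tuples, innermost frame first."""
    return [m.groups() for m in FRAME_RE.finditer(log_text)]


def diagnose(log_text):
    """Correlate the two warnings and locate the plugin's client build in the trace."""
    frames = parse_frames(log_text)
    build_idx = next((i for i, (cls, _, _) in enumerate(frames)
                      if cls == PLUGIN_CLIENT_BUILD), None)
    # Frames after the build frame are its callers, innermost first.
    callers = [cls for cls, _, _ in frames[build_idx + 1:]] if build_idx is not None else []
    # The first caller outside the credentials layer is whoever asked for credentials.
    requester = next((c for c in callers if not c.startswith(CREDENTIALS_LAYER)), None)
    return {
        "imds_fallback": bool(IMDS_RE.search(log_text)),
        "no_region": bool(NO_REGION_RE.search(log_text)),
        "client_built_by_plugin": build_idx is not None,
        "during_casc_init": any(c.startswith(INIT_PHASE_MARKERS) for c in callers),
        "requester": requester,
    }


def verdict(result):
    """Turn the diagnosis into a one-line message for an operator."""
    if not (result["imds_fallback"] and result["no_region"]):
        return "OK: no region fallback seen"
    if result["client_built_by_plugin"] and result["during_casc_init"]:
        return (f"INIT-PHASE: {result['requester']} looked up credentials while Configuration "
                "as Code was still initialising; the plugin built its Secrets Manager client "
                "without a region and the SDK fell back to IMDS. Move that lookup out of the "
                "CasC setup script.")
    return ("NO-REGION: the Secrets Manager client was built without a region; check "
            "unclassified.awsCredentialsProvider.client.region, AWS_REGION or the EC2 region.")


if __name__ == "__main__":
    print(verdict(diagnose(SAMPLE_LOG)))
```

The IMDS warning is worth alerting on by itself: a controller that is not on EC2 should never need to reach the instance metadata endpoint, and seeing it means an SDK client was built with no explicit region. On an on-premises cluster the attempt only times out, as it did here; on a cloud-hosted cluster it can succeed and silently pick up whatever region the node reports.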