Open peterloron opened 1 year ago
You might be able to solve this with AWS Profiles...
This is described in more detail in the Assume role with profile section of https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_profiles.html
Essentially, one part of it would be to put the following in your ~/.aws/credentials file on the Jenkins box:
```ini
# ~/.aws/credentials on the Jenkins box
[default]
aws_access_key_id = YOUR_AWS_ACCESS_KEY_ID
aws_secret_access_key = YOUR_AWS_SECRET_ACCESS_KEY

# profile that assumes the target role using the [default] credentials
[project1]
role_arn = <your IAM role ARN>
source_profile = default
role_session_name = <OPTIONAL_SESSION_NAME>
```
And then tell Jenkins to use the role ARN profile by passing an environment variable like AWS_PROFILE to the Jenkins process; that would be AWS_PROFILE=project1 for the example above.
This example needs tweaking because it is designed for a human IAM user authenticating from their laptop. In your case, Jenkins is authenticating with EC2 instance profiles instead of the AWS access key pair, so you'll need to modify the [default] section to suit your use case. Off the top of my head I don't know exactly what you would put in there, but I'm hoping AWS has something for it.
Let me know if this works for you and how far you get. If it doesn't work then we can revisit.
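Added example (not from the commenter or the plugin project) of the instance-profile variant of the config above: instead of a `[default]` section holding static keys, the profile names the EC2 instance metadata service as its credential source via `credential_source = Ec2InstanceMetadata`, a documented AWS config option. It assumes the SDK behind the plugin honours `credential_source`; the profile name, role ARN and session name are placeholders.

```ini
# ~/.aws/config on the Jenkins node (constructed example; names and ARN are placeholders)
# No long-lived access keys are stored on the node: the SDK fetches the instance
# profile's temporary credentials from the EC2 metadata service and uses them to
# call sts:AssumeRole on the target role, so only this role sees the secrets.
[profile project1]
role_arn = arn:aws:iam::123456789012:role/jenkins-secrets-reader
credential_source = Ec2InstanceMetadata
role_session_name = jenkins-project1
# keep the assumed session no longer than the job needs
duration_seconds = 3600
```

For this to work, the target role's trust policy must allow the instance profile's role to call sts:AssumeRole, and the instance role needs permission to assume the target role; on the node, `aws sts get-caller-identity --profile project1` should then report the assumed-role ARN before Jenkins is started with AWS_PROFILE=project1.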
What feature do you want to see added?
When we use this plugin in our environment, the plugin's requests are coming as the role the EC2 node has assumed. We need to be able to assume a specific role for this, rather than exposing secrets to all nodes which have that node role. The aws-secrets-manager-credentials-provider plugin allows for a role to be assumed.
Upstream changes
No response