AWS Credentials plugin allows you to identify credentials or a role to assume and store them in Jenkins Credentials.
In the ec2-fleet-plugin < 3.10.0, you can set a role in Credentials (utilizing AWS Credentials plugin). Specify these credentials for the ec2 fleet and the plugin will assume the correct role.
In 3.10.0, the plugin does not recognize IAM roles to be assumed in the credentials and will fail with permission errors.
Example:
Account A runs Jenkins with an instance role that permits 'assumerole' to Account B credentials.
Jenkins Credentials are configured to identify Account B role and ec2 fleet plugin is set to use this credential.
In 3.10.0, when this is done, the plugin tries to use the account A instance role (i.e. no assumerole is run).
In =<3.0.2, when this is done, the plugin assumes Account B role and works correctly.
Downgrading to 3.0.2 fixes the issue. Upgrading to 3.10.0 breaks it immediately.
To Reproduce
utilize AWS Roles in Credentials
upgrade to 3.10.0
attempt to access asg via role credentials
etc.
Environment Details
Plugin Version?
3.10.0
Jenkins Version?
2.430
Spot Fleet or ASG?
ASG
Label based fleet?
<Yes/No>
Linux or Windows?
Linux
EC2Fleet Configuration as Code Paste only eC2Fleet part from plugin configuration. Mask all security concerning details. You can download it from Manage Jenkins > Configuration as Code > Download Configuration
Anything else unique about your setup? No
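An added example, not part of the original report or the plugin's code: one way to confirm which principal the fleet calls actually run as is to compare the caller ARN (as returned by `aws sts get-caller-identity`) with the role configured in the Jenkins credential. The account IDs, role names and session names below are constructed placeholders, and `check_effective_identity` is a hypothetical helper.

```python
import re

# Constructed sample ARNs; account IDs, role names and session names are placeholders.
CONFIGURED_ROLE = "arn:aws:iam::222222222222:role/ci/fleet-manager"  # Account B role
INSTANCE_SESSION = "arn:aws:sts::111111111111:assumed-role/jenkins-node/i-0123456789abcdef0"
ASSUMED_SESSION = "arn:aws:sts::222222222222:assumed-role/fleet-manager/jenkins"

# IAM role ARN: may carry a path ("role/ci/fleet-manager").
ROLE_RE = re.compile(r"^arn:(aws[\w-]*):iam::(\d{12}):role/(?:.+/)?([\w+=,.@-]+)$")
# STS session ARN: role name without its path, then the session name.
SESSION_RE = re.compile(r"^arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([\w+=,.@-]+)/([^/]+)$")


def check_effective_identity(caller_arn, configured_role_arn):
    """Compare the ARN a call was made as with the role set in the credential.

    Returns (ok, reason), reason being one of: "ok", "wrong-account",
    "wrong-role", "not-a-role-session".
    """
    role = ROLE_RE.match(configured_role_arn)
    if role is None:
        raise ValueError("not an IAM role ARN: %r" % configured_role_arn)
    partition, account, role_name = role.groups()

    session = SESSION_RE.match(caller_arn)
    if session is None:
        # e.g. an IAM user or the account root: no role session at all.
        return (False, "not-a-role-session")
    s_partition, s_account, s_role, _session_name = session.groups()

    if (s_partition, s_account) != (partition, account):
        # The symptom in this report: calls still run as the Account A instance role.
        return (False, "wrong-account")
    if s_role != role_name:
        return (False, "wrong-role")
    return (True, "ok")


if __name__ == "__main__":
    for arn in (INSTANCE_SESSION, ASSUMED_SESSION):
        print(arn, "->", check_effective_identity(arn, CONFIGURED_ROLE))
```

An instance role and a cross-account assumed role both appear as `assumed-role` session ARNs, so the account ID and role name are what distinguish them; the role's path is dropped in the session ARN.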