jenkinsci / jobcacher-plugin

Jenkins plugin that improves build performance for transient agents by caching files
https://plugins.jenkins.io/jobcacher/
MIT License

AWS Role not honored for uploading cache #354

Open ayozehd opened 1 month ago

ayozehd commented 1 month ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.462.2
OS: Linux - 5.10.225-213.878.amzn2.x86_64
Java: 17.0.12 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
```

What Operating System are you using (both controller, and any agents involved in the problem)?

AL2023

Reproduction steps

  1. Plugin configuration credentials: "None"
  2. Storage implementation: Amazon S3
  3. Create IAM Role for S3 bucket
  4. Cache pulling works as intended
  5. Cache pushing fails: Access Denied 403

Expected Results

Honor AWS Role for cache pulling and pushing to S3.

Actual Results

13:58:53 [Cache for /home/ec2-user/.m2/repository with id ae2b6542c5ed17253d0dab7d23d110e1] Searching cache in job specific caches...
13:58:53 [Cache for /home/ec2-user/.m2/repository with id ae2b6542c5ed17253d0dab7d23d110e1] Searching cache in default caches...
13:58:53 [Cache for /home/ec2-user/.m2/repository with id ae2b6542c5ed17253d0dab7d23d110e1] Skip restoring cache as no up-to-date cache exists
...
14:05:17 [Cache for /home/ec2-user/.m2/repository with id ae2b6542c5ed17253d0dab7d23d110e1] Failed to create cache
14:05:17 com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ZBS42JFYT3CF33NR; S3 Extended Request ID: N4390caJo7Q1YUT88aXxXF15kMRN1SN/1dtlfas7uCDmcBCXzCEvB88CJeUAT+WsIKNjEvDZHi7UM0s8QCFeOw==; Proxy: null), S3 Extended Request ID: N4390caJo7Q1YUT88aXxXF15kMRN1SN/1dtlfas7uCDmcBCXzCEvB88CJeUAT+WsIKNjEvDZHi7UM0s8QCFeOw==
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1880)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:5558)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:5505)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.access$300(AmazonS3Client.java:423)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client$PutObjectStrategy.invokeServiceCall(AmazonS3Client.java:6639)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.uploadObject(AmazonS3Client.java:1892)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1852)
14:05:17    at PluginClassLoader for jobcacher//jenkins.plugins.itemstorage.s3.S3UploadCallable.invoke(S3UploadCallable.java:56)
14:05:17    at PluginClassLoader for jobcacher//jenkins.plugins.itemstorage.s3.S3UploadCallable.invoke(S3UploadCallable.java:35)
14:05:17    at PluginClassLoader for jobcacher//jenkins.plugins.itemstorage.s3.S3Callable.invoke(S3Callable.java:60)
14:05:17    at PluginClassLoader for jobcacher//jenkins.plugins.itemstorage.s3.S3BaseUploadCallable.invoke(S3BaseUploadCallable.java:44)
14:05:17    at Jenkins v2.462.2//hudson.FilePath$FileCallableWrapper.call(FilePath.java:3615)
14:05:17    at hudson.remoting.UserRequest.perform(UserRequest.java:211)
14:05:17    at hudson.remoting.UserRequest.perform(UserRequest.java:54)
14:05:17    at hudson.remoting.Request$2.run(Request.java:377)
14:05:17    at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:78)
14:05:17    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
14:05:17    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
14:05:17    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
14:05:17    at java.base/java.lang.Thread.run(Thread.java:840)
14:05:17    Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to EC2 (EC2) - Standard (t3.large) (i-03a4ec0096a5c1bf1)
14:05:17        at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1826)
14:05:17        at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:356)
14:05:17        at hudson.remoting.Channel.call(Channel.java:1042)
14:05:17        at hudson.FilePath.act(FilePath.java:1229)
14:05:17        at hudson.FilePath.act(FilePath.java:1218)
14:05:17        at PluginClassLoader for jobcacher//jenkins.plugins.itemstorage.s3.S3Profile.upload(S3Profile.java:72)
14:05:17        at PluginClassLoader for jobcacher//jenkins.plugins.itemstorage.s3.S3ObjectPath.copyFrom(S3ObjectPath.java:70)
14:05:17        at PluginClassLoader for jobcacher//jenkins.plugins.jobcacher.arbitrary.AbstractCompressingArbitraryFileCacheStrategy.cache(AbstractCompressingArbitraryFileCacheStrategy.java:20)
14:05:17        at PluginClassLoader for jobcacher//jenkins.plugins.jobcacher.ArbitraryFileCache$SaverImpl.save(ArbitraryFileCache.java:404)
14:05:17        at PluginClassLoader for jobcacher//jenkins.plugins.jobcacher.CacheManager.save(CacheManager.java:98)
14:05:17        at PluginClassLoader for jobcacher//jenkins.plugins.jobcacher.CacheWrapper$CacheDisposer.tearDown(CacheWrapper.java:185)
14:05:17        at jenkins.tasks.SimpleBuildWrapper$EnvironmentWrapper.tearDown(SimpleBuildWrapper.java:326)
14:05:17        at PluginClassLoader for maven-plugin//hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:906)
14:05:17        at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:526)
14:05:17        at hudson.model.Run.execute(Run.java:1894)
14:05:17        at PluginClassLoader for maven-plugin//hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:543)
14:05:17        at hudson.model.ResourceController.execute(ResourceController.java:101)
14:05:17        at hudson.model.Executor.run(Executor.java:446)

Anything else?

Using an access key and secret value, cache uploading to S3 works as expected. I granted exactly the same permissions to the IAM user as I was using with the IAM Role.

Are you interested in contributing a fix?

No response
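
A triage sketch for the trace in this report, added here as an example (not code from the reporter or the jobcacher project): it pulls the S3 error fields, the outermost `AmazonS3Client` call and the first plugin frame out of a Jenkins console log, and reports the node named in the remoting `CallSiteStackTrace` marker, which is where the failing request executed. The function name `triage` and the abridged sample log are assumptions of this example.

```python
import re

# Abridged from the console log in this report: the extended request ID and
# most stack frames are left out, the remaining text is unchanged.
SAMPLE_LOG = """\
14:05:17 com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ZBS42JFYT3CF33NR; Proxy: null)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.uploadObject(AmazonS3Client.java:1892)
14:05:17    at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1852)
14:05:17    at PluginClassLoader for jobcacher//jenkins.plugins.itemstorage.s3.S3UploadCallable.invoke(S3UploadCallable.java:56)
14:05:17    at hudson.remoting.UserRequest.perform(UserRequest.java:211)
14:05:17    Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to EC2 (EC2) - Standard (t3.large) (i-03a4ec0096a5c1bf1)
14:05:17        at PluginClassLoader for jobcacher//jenkins.plugins.itemstorage.s3.S3Profile.upload(S3Profile.java:72)
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\s+")  # timestamp prefix on each console line
ERR = re.compile(r"AmazonS3Exception: .+? \(Service: Amazon S3; Status Code: (?P<status>\d+); "
                 r"Error Code: (?P<code>\w+); Request ID: (?P<rid>\w+)")
FRAME = re.compile(r"\bat (?:PluginClassLoader for (?P<plugin>[\w-]+)//)?"
                   r"(?P<cls>[\w.$]+)\.(?P<method>[\w$<>]+)\(")
REMOTE = re.compile(r"Channel\$CallSiteStackTrace: Remote call to (?P<node>.+)$")
S3_CLIENT = "com.amazonaws.services.s3.AmazonS3Client"


def triage(log):
    """Summarise a failed S3 call from a Jenkins console log (hypothetical helper)."""
    out = dict(status=None, error_code=None, request_id=None,
               s3_operation=None, caller=None, remote_node=None)
    failing_side = True  # frames above the CallSiteStackTrace marker ran where the call failed
    for raw in log.splitlines():
        line = TS.sub("", raw)
        if m := ERR.search(line):
            out.update(status=int(m["status"]), error_code=m["code"], request_id=m["rid"])
        elif m := REMOTE.search(line):
            # Frames below this marker belong to the requesting side of the remoting channel.
            out["remote_node"] = m["node"]
            failing_side = False
        elif failing_side and (m := FRAME.search(line)):
            if m["cls"] == S3_CLIENT:
                out["s3_operation"] = m["method"]  # innermost-first, so the public API call wins
            elif m["plugin"] and not m["plugin"].startswith("aws-java-sdk") and not out["caller"]:
                out["caller"] = f'{m["plugin"]}:{m["cls"]}.{m["method"]}'
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the log above this reports a `putObject` issued by `S3UploadCallable` on the EC2 agent, so the agent is the place to check which IAM principal was in effect for the upload.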