jenkinsci / pipeline-aws-plugin

Jenkins Pipeline Step Plugin for AWS
https://plugins.jenkins.io/pipeline-aws/
Apache License 2.0

Pipeline-aws-plugin is pulling the latest version of aws-java-sdk:1.12.69 which seems to be breaking aws assumeRole #285

Open toddatapiture opened 3 years ago

toddatapiture commented 3 years ago

Version report

Jenkins and plugins versions report:

Jenkins version: 2.289.3 - Plugin versions: pipeline-aws:1.0 -> latest
AWS EC2 Linux/UNIX

Reproduction steps

We believe the plugin is pulling the latest release of aws-java-sdk:1.12.69 (https://plugins.jenkins.io/aws-java-sdk/#releases). This seems to be breaking our current Jenkins pipelines that are using `withAWS`. 
Here is an example:

```groovy
withAWS(role: "${env.AWS_ENV_ROLE}", roleAccount: "${env.AWS_ENV_ACCOUNT_ID}", region: "${env.AWS_ENV_REGION}") {
    // some logic here
}
```


### Results

Expected result:

Assume AWS Role 

Actual result:

```
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/platform-services-eks-nodes-NodeInstanceRole-xxxxxxxxxxxxxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxxxx:role/ApitureInfrastructureServiceRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxxxxxxxxxxxxxx; Proxy: null)
```

carlosgv87 commented 2 months ago

I have the same issue here.

Environment

Jenkins version: 2.452.3
Pipeline: AWS Steps Plugin version: 1.45

Steps to Reproduce

Jenkins agent pod template definition

```yaml
---
apiVersion: v1
kind: Pod
metadata:
  namespace: jenkins-agents
spec:
  containers:
    - name: ami-builder
      image: private-docker-registry/ami-builder:0.0.1-snapshot
  imagePullSecrets:
    - name: secret-name
  serviceAccount: jenkins-agent-ami-builder
  serviceAccountName: jenkins-agent-ami-builder
```

The ServiceAccount present on the namespace:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/managed-by: Helm
  name: jenkins-agent-ami-builder
  namespace: jenkins-agents
```

And finally in AWS we have:

Error

```
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/worker-main-az-eks-node-group-zzzzzzzzzzzzzzzzz is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::yyyyyyyyyyyy:role/RoleName (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaaaaaaaaaaaaaaaa; Proxy: null)
```
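Both reports above end in the same `AccessDenied` from STS: the caller is the EKS node group's instance role (an `arn:aws:sts::…:assumed-role/…` identity), and it is refused `sts:AssumeRole` on the target role. For that call to succeed, two documents have to agree: the caller's identity policy must allow `sts:AssumeRole` on the target role ARN, and the target role's trust policy must name the caller's IAM role ARN (`arn:aws:iam::ACCT:role/NAME`, not the STS assumed-role ARN) or its account root. The script below is an added diagnostic example, not code from the plugin or from either commenter. It parses the error message shape quoted in this thread, maps the STS caller ARN to the IAM role ARN, and evaluates constructed sample policies with placeholder account IDs. It only checks principals, actions and resources; conditions, permission boundaries and SCPs, which also take part in real evaluation, are an assumption left out here.

```python
import re

# Constructed sample in the shape of the AccessDenied message quoted in this issue
# (placeholder account IDs, role names, session name and request ID).
SAMPLE_ERROR = (
    "com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: "
    "User: arn:aws:sts::111111111111:assumed-role/eks-node-group-role/i-0abc123 "
    "is not authorized to perform: sts:AssumeRole on resource: "
    "arn:aws:iam::222222222222:role/TargetRole "
    "(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; "
    "Request ID: REQUEST-ID-PLACEHOLDER; Proxy: null)"
)

# Constructed identity policy attached to the node role: allows the assume call.
NODE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::222222222222:role/TargetRole"}]}

# Constructed trust policies on the target role: one that omits the node role
# (the situation behind the error above) and one that names it.
TRUST_POLICY_MISSING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::222222222222:role/SomeOtherRole"}}]}
TRUST_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/eks-node-group-role"}}]}

ERROR_RE = re.compile(
    r"User: (?P<caller>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)")


def parse_access_denied(message):
    """Extract (caller, action, resource) from an STS AccessDenied message."""
    m = ERROR_RE.search(message)
    if not m:
        raise ValueError("not an STS AccessDenied message")
    return m.group("caller"), m.group("action"), m.group("resource")


def caller_role_arn(arn):
    """Map arn:aws:sts::ACCT:assumed-role/ROLE[/SESSION] to the IAM role ARN
    arn:aws:iam::ACCT:role/ROLE, which is the form a trust policy must name."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)(?:/.*)?", arn)
    if not m:
        return arn  # already an IAM user or role ARN
    account, role = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_policy_allows(policy, action, resource):
    """Allow/Deny evaluation for one action on one resource; explicit Deny wins."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(a in (action, "sts:*", "*") for a in actions):
            continue
        if not any(r in (resource, "*") for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trust_policy_allows(trust_policy, principal_arn):
    """True if an Allow statement for sts:AssumeRole names the principal's IAM
    role ARN, its account root, its bare account ID, or the wildcard principal."""
    account = principal_arn.split(":")[4]
    accepted = {principal_arn, f"arn:aws:iam::{account}:root", account, "*"}
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if accepted.intersection(principals):
            return True
    return False


def diagnose(message, trust_policy, identity_policy):
    """Return a list of findings explaining why the assume call was denied."""
    caller, action, resource = parse_access_denied(message)
    role_arn = caller_role_arn(caller)
    findings = []
    if not identity_policy_allows(identity_policy, action, resource):
        findings.append(f"caller policy on {role_arn} does not allow {action} on {resource}")
    if not trust_policy_allows(trust_policy, role_arn):
        findings.append(f"trust policy of {resource} does not trust {role_arn}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ERROR, TRUST_POLICY_MISSING, NODE_ROLE_POLICY):
        print(finding)
```

Run against the missing trust entry, `diagnose` reports exactly one finding: the target role's trust policy does not name the node role. With `TRUST_POLICY_FIXED` it reports nothing, which is the state both policies have to reach before `withAWS(role: …)` can succeed from an agent that is running under the node instance role.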