Closed chrisLeeTW closed 6 years ago
This is the intended behavior of the plugin. See https://issues.jenkins-ci.org/browse/JENKINS-44000
So, I understand that this is the original intended behavior, but is there any reason we can't add a parameter to allow the plugin to evaluate this on the slave? This approach is a non-starter for organizations that have an on-prem Jenkins master w/ slaves in AWS (in addition to on-prem slaves).
Main thing is, there is no "easy" way to execute code on the agent. Only file operations are executed on agents. The plugin development documentation is very scarce on agent execution.
Whether or not this is the "intended behavior", you should absolutely consider changing it - right now, the plugin won't work at all for certain use cases.
In our case, we have an ECS cluster for Jenkins and different roles for Master and Agent tasks. We assign the roles to the agents as a security best practice to reduce blast radius in the event of a worm compromising the Jenkins master - having master able to have VERY high permissions to our AWS accounts (for Continuous Deployment/etc) isn't needed - only the agents should have that level of access.
I'm already running aws commands, even shell commands to the AWS CLI, on the agent and with the appropriate role in the same account, and those agents have a different role than the master. Whether or not it's hard to do, I don't feel as though this task should be closed. I can already 'sh script: aws assume-role' on the agents.
Maybe someone else in the Jenkins team is able to help with the best practices/documentation on how to do this?
@hoegertn I might be getting something wrong, but I guess all it would take to capture instance profile of the agent rather than master, would be to use AWSClientFactory
not from within class extending StepExecution
(which runs on master) as it is now, but from a subclass of MasterToSlaveFileCallable
(which runs on slave).
@hoegertn or anyone else on the dev team that can respond, Can we please re-open this issue, since it definitely used the master profile rather than the slave the job is running on? Or is this a more appropriate way to request this be fixed?
I'm open to merging a pull request implementing another behavior, but there is no planned implementation on my side.
@hoegertn I might be getting something wrong, but I guess all it would take to capture instance profile of the agent rather than master, would be to use
AWSClientFactory
not from within class extendingStepExecution
(which runs on master) as it is now, but from a subclass ofMasterToSlaveFileCallable
(which runs on slave).
I have experimented with extending MasterToSlaveFileCallable
to pass back a Serialized version of AWSCredentialsProvider
.
Interested in any thoughts around this approach. I plan on continuing to poke around with this.
If it works I am happy to accept a PR. Please make sure it is an optional implementation to not break the existing behavior
jenkins version : 2.109 plugin version : 1.24
I found that withAWS step always use master's instance profile security token when build job is running on slave.
here is my pipeline code
here is console log