riboseinc / aws-codecommit-trigger-plugin

Jenkins plugin for triggering jobs with AWS CodeCommit repo updates
https://www.ribose.com
Apache License 2.0
22 stars 29 forks

check existing IAM role permissions rather than enforcing the use of an AWS key ID and secret #51

Open luisamador opened 6 years ago

luisamador commented 6 years ago

I have a Jenkins EC2 instance with an IAM role attached to it that has full SQS access. However, the CodeCommit Trigger Plugin is forcing me to specify an AWS Key ID and Secret to authenticate against the AWS SQS that I set up. It would be nice if the plugin could somehow check the existing IAM role permissions rather than forcing me to use an AWS key ID and secret when the actual instance already has permissions to access SQS.


ronaldtse commented 6 years ago

@luisamador thanks for the post! Just to clarify that in your case, the Jenkins EC2 master instance itself has the IAM role attached with full access to SQS.

While for the Jenkins master we could detect whether the instance has access to an SQS queue (it also depends on which SQS queues it may eventually use), as you might be aware, jobs (and this plugin) can also be performed on Jenkins slaves.

There are two types of slaves: (1) ones launched by Jenkins and therefore configurable by Jenkins, and (2) ones launched separately from Jenkins. For the first type, we could ensure that they are launched with a proper role. But for the second type, it is difficult to do so.

@phuonghuynh is this correct or is there anything we can do here?
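The two points raised so far, using the instance's IAM role instead of a stored key pair (first post) and detecting up front whether the node actually has access to the queue it will poll (reply above), can both be handled with the AWS SDK for Java's credential provider chain plus a read-only preflight call. The code below is an added example written for this thread, not the plugin's own code: it assumes the plugin's configuration exposes an optional access key ID and secret (read here from the hypothetical environment variables PLUGIN_AWS_KEY_ID and PLUGIN_AWS_SECRET), a region, and a queue URL (a placeholder value is used), and it targets AWS SDK for Java v1 (the com.amazonaws.* packages).

```java
import java.util.Arrays;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;

/**
 * Added example (not the plugin's code): use explicit keys only when the user
 * configured them, otherwise fall back to the SDK default chain, whose last
 * step is the EC2 instance profile (the IAM role attached to the instance).
 * A preflight call then reports whether the resolved identity can read the queue.
 */
public final class SqsCredentialResolver {

    private SqsCredentialResolver() {}

    /** Static keys if both are non-empty; otherwise the default chain. */
    public static AWSCredentialsProvider credentialsFor(String accessKeyId, String secretKey) {
        boolean hasKeys = accessKeyId != null && !accessKeyId.trim().isEmpty()
                && secretKey != null && !secretKey.trim().isEmpty();
        if (hasKeys) {
            return new AWSStaticCredentialsProvider(
                    new BasicAWSCredentials(accessKeyId.trim(), secretKey.trim()));
        }
        // Chain order: env vars, system properties, ~/.aws/credentials,
        // ECS container credentials, EC2 instance profile. Instance-profile
        // credentials are short-lived and refreshed by the SDK, so no
        // long-lived secret has to be stored in the Jenkins configuration.
        return DefaultAWSCredentialsProviderChain.getInstance();
    }

    public static AmazonSQS sqsClient(String region, AWSCredentialsProvider creds) {
        return AmazonSQSClientBuilder.standard()
                .withRegion(region)
                .withCredentials(creds)
                .build();
    }

    /** Preflight outcome, so the user is told why the trigger cannot work before the poll loop starts. */
    public enum Access { OK, NO_CREDENTIALS, ACCESS_DENIED, QUEUE_NOT_FOUND, OTHER_ERROR }

    /**
     * GetQueueAttributes (needs sqs:GetQueueAttributes) is a cheap read-only probe
     * of the queue the trigger will poll. It does not prove that sqs:ReceiveMessage
     * and sqs:DeleteMessage are also granted, so the role's policy still needs review.
     */
    public static Access probeQueue(AmazonSQS sqs, String queueUrl) {
        try {
            sqs.getQueueAttributes(queueUrl, Arrays.asList("QueueArn"));
            return Access.OK;
        } catch (AmazonServiceException e) {
            // Must be caught before SdkClientException, which it extends.
            if (e.getStatusCode() == 403 || "AccessDenied".equals(e.getErrorCode())) {
                return Access.ACCESS_DENIED;
            }
            if ("AWS.SimpleQueueService.NonExistentQueue".equals(e.getErrorCode())) {
                return Access.QUEUE_NOT_FOUND;
            }
            return Access.OTHER_ERROR;
        } catch (SdkClientException e) {
            // No provider in the chain could supply credentials (no keys, no role).
            return Access.NO_CREDENTIALS;
        }
    }

    public static void main(String[] args) {
        // Assumed inputs; the plugin would take these from its job or global configuration.
        String region = args.length > 0 ? args[0] : "us-east-1";
        String queueUrl = args.length > 1 ? args[1]
                : "https://sqs.us-east-1.amazonaws.com/123456789012/example-queue"; // placeholder
        String keyId = System.getenv("PLUGIN_AWS_KEY_ID");   // hypothetical config names
        String secret = System.getenv("PLUGIN_AWS_SECRET");

        AWSCredentialsProvider creds = credentialsFor(keyId, secret);
        AmazonSQS sqs = sqsClient(region, creds);
        System.out.println("SQS access check for " + queueUrl + ": " + probeQueue(sqs, queueUrl));
    }
}
```

Because the chain is resolved on whichever JVM runs the code, the probe also answers the slave question above: on a slave launched separately from Jenkins it reports NO_CREDENTIALS or ACCESS_DENIED according to that node's own role, which is exactly the situation the plugin should surface rather than silently fall back to a stored key pair.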

luisamador commented 6 years ago

@ronaldtse In my case there aren't any Jenkins slaves involved. Thank you.

On Tue, 3 Apr 2018, 23:57 Ronald Tse, notifications@github.com wrote:

@luisamador https://github.com/luisamador thanks for the post! Just to clarify that in your case, the Jenkins EC2 master instance itself has the IAM role attached with full access to SQS. While for the Jenkins master we could detect whether the instance has access to an SQS queue (it also depends on which SQS queues it may eventually use), as you might be aware, jobs (and this plugin) can also be performed on Jenkins slaves.

There are two types of slaves: (1) ones launched by Jenkins and therefore configurable by Jenkins, and (2) ones launched separately from Jenkins. For the first type, we could ensure that they are launched with a proper role. But for the second type, it is difficult to do so.

@phuonghuynh https://github.com/phuonghuynh is this correct or is there anything we can do here?


phuonghuynh commented 6 years ago

@luisamador thanks for your great suggestion; the "enhancement" label has been added and this issue will be resolved soon.