[JIRA] (JENKINS-38220) Support for EC2 instance profile credentials
John La Barge edited a comment on JENKINS-38220

Re: Support for EC2 instance profile credentials

I've noticed that there is a checkbox that is labeled as "Use EC2 instance profile to obtain credentials" but even if it's checked, if no private key is supplied it throws an NPE. This seems incorrect or at least confusing to me. Instead I'd propose that if that box is checked, no private key is required.

There are essentially two steps to getting the agent: 1) provisioning the EC2 instance - for which the instance credentials can be used and 2) connecting to the agent. If this is required to connect to the agent, that can be internalized instead with a temporary SSH key. So in that case I would remove the logic that seeks to use the supplied private key and instead generate a key and use it silently.

Thoughts (before I start implementing the PR)?

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.174381.1473894967000.14157.1587405900278%40Atlassian.JIRA.
[JIRA] (JENKINS-38220) Support for EC2 instance profile credentials
John La Barge edited a comment on JENKINS-38220

Re: Support for EC2 instance profile credentials

I've noticed that there is a checkbox that is labeled as "Use EC2 instance profile to obtain credentials" but even if it's checked, if no private key is supplied it throws an NPE. This seems incorrect or at least confusing to me. Instead I'd propose that if that box is checked, no private key is required. If this is required to connect to the agent, that can be internalized instead with a temporary SSH key. So in that case I would remove the logic that seeks to use the supplied private key and instead generate a key and use it silently.

Thoughts (before I start implementing the PR)?
[JIRA] (JENKINS-38220) Support for EC2 instance profile credentials
John La Barge commented on JENKINS-38220

Re: Support for EC2 instance profile credentials

I've noticed that there is a checkbox that is labeled as "Use EC2 instance profile to obtain credentials" but even if it's checked, if no private key is supplied it throws an NPE. This seems incorrect or at least confusing to me. Instead I'd propose that if that box is checked, no private key is required. If this is required to connect to the agent, that can be internalized instead with a temporary SSH key. So in that case I would remove the logic that seeks to use the supplied private key and instead generate a key and use it silently.

Thoughts?
[JIRA] (JENKINS-38220) Support for EC2 instance profile credentials
Oleksandr Shmyrko updated an issue

Jenkins / JENKINS-38220 Support for EC2 instance profile credentials

Change By: Oleksandr Shmyrko
Priority: Minor → Major
[JIRA] (JENKINS-38220) Support for EC2 instance profile credentials
John La Barge commented on JENKINS-38220

Re: Support for EC2 instance profile credentials

Need this as well.
[JIRA] (JENKINS-38220) Support for EC2 instance profile credentials
Oleksandr Shmyrko commented on JENKINS-38220

Re: Support for EC2 instance profile credentials

Kurt Madel, that solution still requires an IAM role to be specified in Jenkins AWS credentials. The EC2 instance profile policy should allow assuming the IAM role (Action: sts:AssumeRole). So the idea is to use temporary IAM instance profile credentials directly without assuming an IAM role.
[JIRA] (JENKINS-38220) Support for EC2 instance profile credentials
Nicolas De Loof assigned an issue to Unassigned

Jenkins / JENKINS-38220 Support for EC2 instance profile credentials

Change By: Nicolas De Loof
Assignee: Nicolas De Loof → Unassigned
[JIRA] (JENKINS-38220) Support for EC2 instance profile credentials
Kurt Madel commented on JENKINS-38220

Re: Support for EC2 instance profile credentials

This should have been resolved with https://github.com/jenkinsci/aws-credentials-plugin/pull/20 - fixed since version 1.22
[JIRA] (JENKINS-38220) Support for EC2 instance profile credentials
Ben Walding created an issue

Jenkins / JENKINS-38220 Support for EC2 instance profile credentials

Issue Type: Improvement
Assignee: Nicolas De Loof
Components: aws-credentials-plugin
Created: 2016/Sep/14 11:16 PM
Priority: Minor
Reporter: Ben Walding

In our AWS environment we avoid using static AWS credentials (i.e. AWS Access Key ID and AWS Secret Access Key) - instead we use ephemeral credentials that are supplied using the Amazon IAM/STS system.

i.e. The use of static AWS credentials is not possible in our environment - we need to dynamically acquire credentials on the master / slave to.

These credentials are then used to switch roles per our IAM configuration. Once the credentials are acquired, we use those credentials (Access Key ID, Secret Access Key, Session Token) to perform AWS actions as normal.

An example

As a brief example (from a pipeline script)

    env.AWS_ACCESS_KEY_ID = ""
    env.AWS_SECRET_ACCESS_KEY = ""
    env.AWS_SESSION_TOKEN = ""
    roleArn = "arn:aws:iam::<13 character AWS ID>:role/my-custom-role"
    externalParam = "--external-id ABCDEFG" // security parameter - optional
    // call STS and capture the JSON response
    json = sh(returnStdout: true, script: "aws sts assume-role --duration-seconds 3600 --role-arn ${roleArn} --role-session-name rsn ${externalParam}")
    // parse the response and return the temporary credentials
    def jsonSlurper = new groovy.json.JsonSlurperClassic()
    def object = jsonSlurper.parseText(json)
    return object.Credentials

Important points

- external-id support required
- credentials must be acquired on the correct instance
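
An added example (not part of the original issue or the plugin's code) of the step the script above leaves to the caller: checking the `aws sts assume-role` output before use and handing the temporary credentials to one child process only. The sample response, the function names and the five-minute margin are assumptions made for the illustration.

```python
import json
import os
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of `aws sts assume-role` output; every value is a placeholder.
SAMPLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
        "SecretAccessKey": "constructed-secret-not-real",
        "SessionToken": "constructed-session-token",
        "Expiration": "2030-01-01T12:00:00Z",
    },
})

# STS response field -> environment variable read by the AWS CLI and SDKs.
ENV_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}

def credentials_env(sts_json, now=None, min_remaining=timedelta(minutes=5)):
    """Return the AWS_* variables for the response, or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    creds = json.loads(sts_json).get("Credentials") or {}
    missing = [k for k in (*ENV_NAMES, "Expiration") if not creds.get(k)]
    if missing:
        # Temporary credentials are unusable without all three parts.
        raise ValueError("incomplete STS response, missing: " + ", ".join(missing))
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires - now < min_remaining:
        raise ValueError("temporary credentials expire too soon")
    return {env: creds[key] for key, env in ENV_NAMES.items()}

def redact(env):
    """Log-safe view: keep the access key ID, hide the secret and the token."""
    return {k: (v if k == "AWS_ACCESS_KEY_ID" else "***") for k, v in env.items()}

def run_with_credentials(cmd, sts_json, now=None):
    """Run cmd with the credentials in its own environment; os.environ is untouched."""
    env = {**os.environ, **credentials_env(sts_json, now=now)}
    return subprocess.run(cmd, env=env, capture_output=True, text=True, check=True).stdout
```
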