Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-32438

aws lambda should take env vars as AWS creds

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Not A Defect
    • Component/s: aws-lambda-plugin
    • Labels:
      None
    • Environment:
      aws lambda plugin: 0.3.4
    • Similar Issues:

      Description

      We use global masked passwords: https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin

      It would be great if the lambda plugin would accept environment variables for AWS Access Key Id and AWS Secret Key.

        Attachments

          Activity

          Hide
          cast Michael Willemse added a comment -

          If you enable the "use instance credentials" the plugin uses the DefaultAwsCredentialsProviderChain. This should use the default environment variables as well. Apart from that you can use Jenkins environment variables as well, they are expanded by the plugin.

          Show
          cast Michael Willemse added a comment - If you enable the "use instance credentials" the plugin uses the DefaultAwsCredentialsProviderChain. This should use the default environment variables as well. Apart from that you can use Jenkins environment variables as well, they are expanded by the plugin.
          Hide
          grayaii Alex Gray added a comment -

          Unfortunately when we click "use instance credentials" we get an exception thrown when we run the job:
          ...
          com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: 645e6ad8-ba1f-11e5-b817-1f92f1beb5f9)
          ...
          I put these comments in https://wiki.jenkins-ci.org/display/JENKINS/AWS+Lambda+Plugin page, but I should probably create a Jira ticket to track this. DefaultAwsCredentialsProviderChain should work just fine when passing to the constructor of AWSLambdaClient (which I see it is).

          I think it's an issue with AWS more than anything else (or the java SDK), since if we use the AWS CLI on that slave, everything works, so it's definitely not a permissions issue. I'm going to bump the version of the SDK from 1.10.35 to 1.10.46 in the pom.xml to see if that fixes that.

          On a side note, I don't think the secret key entry is expanding the the environment variable. That's the first thing I tried and I got permissions issues.

          Show
          grayaii Alex Gray added a comment - Unfortunately when we click "use instance credentials" we get an exception thrown when we run the job: ... com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: 645e6ad8-ba1f-11e5-b817-1f92f1beb5f9) ... I put these comments in https://wiki.jenkins-ci.org/display/JENKINS/AWS+Lambda+Plugin page, but I should probably create a Jira ticket to track this. DefaultAwsCredentialsProviderChain should work just fine when passing to the constructor of AWSLambdaClient (which I see it is). I think it's an issue with AWS more than anything else (or the java SDK), since if we use the AWS CLI on that slave, everything works, so it's definitely not a permissions issue. I'm going to bump the version of the SDK from 1.10.35 to 1.10.46 in the pom.xml to see if that fixes that. On a side note, I don't think the secret key entry is expanding the the environment variable. That's the first thing I tried and I got permissions issues.
          Hide
          cast Michael Willemse added a comment -

          Will try to reproduce both issues the following days and make tickets if needed:

          credentials in aws environment variables
          secretkey expansion

          Show
          cast Michael Willemse added a comment - Will try to reproduce both issues the following days and make tickets if needed: credentials in aws environment variables secretkey expansion
          Hide
          grayaii Alex Gray added a comment -

          For what it's worth, i re-compiled the plugin with 1.10.46 version of the AWS SDK and I still get that "Cross-account pass role is not allowed". I will create an AWS ticket to see what they say about that.
          I'm not a java guy, but I put system.out.println all over the place to debug the "env vars not getting expanded for access/secret key", but the output does not get displayed anywhere. I wish I knew more about plugin development to help out more

          Show
          grayaii Alex Gray added a comment - For what it's worth, i re-compiled the plugin with 1.10.46 version of the AWS SDK and I still get that "Cross-account pass role is not allowed". I will create an AWS ticket to see what they say about that. I'm not a java guy, but I put system.out.println all over the place to debug the "env vars not getting expanded for access/secret key", but the output does not get displayed anywhere. I wish I knew more about plugin development to help out more
          Hide
          grayaii Alex Gray added a comment -

          One more thought that came to me: Is the "use instance credentials" using the credentials from the Jenkins Master or the Slave? I assume the Slave (the node that is running the job), and not the Master, but I just want to double check.

          Show
          grayaii Alex Gray added a comment - One more thought that came to me: Is the "use instance credentials" using the credentials from the Jenkins Master or the Slave? I assume the Slave (the node that is running the job), and not the Master, but I just want to double check.
          Hide
          grayaii Alex Gray added a comment -

          As you suggest, I will create another ticket for the issue with "use instance credentials".
          If you could tweak src/main/java/com/xti/jenkins/plugin/awslambda/util/LambdaClientConfig.java to print out the values accessKeyId, secretKey I would be more than happy to test this out for you.

          Show
          grayaii Alex Gray added a comment - As you suggest, I will create another ticket for the issue with "use instance credentials". If you could tweak src/main/java/com/xti/jenkins/plugin/awslambda/util/LambdaClientConfig.java to print out the values accessKeyId, secretKey I would be more than happy to test this out for you.
          Hide
          grayaii Alex Gray added a comment -

          I was able to enter env vars successfully and verified it works.
          Sorry for any work this may have caused you.

          Show
          grayaii Alex Gray added a comment - I was able to enter env vars successfully and verified it works. Sorry for any work this may have caused you.

            People

            Assignee:
            cast Michael Willemse
            Reporter:
            grayaii Alex Gray
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: