Jenkins / JENKINS-32475

Enable plugin execution to use slave AWS credentials using Callable interface

    Details

    • Type: New Feature
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: aws-lambda-plugin
    • Labels:
      None
    • Environment:
      aws lambda plugin: 0.3.4

      Description

      When using "use instance credentials" I get the following exception:
      ===========================
      Starting lambda deployment procedure
      Copying zip file
      File Name: awslambda-942813613263363530.zip
      Absolute Path: /tmp/awslambda-942813613263363530.zip
      File Size: 10388
      Lambda function existence check:
      {FunctionName: alex_test,}
      Lambda function does not exist
      Lambda create function request:
      {FunctionName: alex_test,Runtime: python2.7,Role: arn:aws:iam::763429161784:role/lambda_hipchat_pr_digest,Handler: lambda_handler,Code: {ZipFile: java.nio.HeapByteBuffer[pos=0 lim=10388 cap=10388],},Description: Hipchat PR Digest,Timeout: 60,MemorySize: 256,Publish: true}

      com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: bb814e04-bb96-11e5-88fa-b56203d5b166)
      at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1239)
      at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:823)
      at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:506)
      at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:318)
      at com.amazonaws.services.lambda.AWSLambdaClient.invoke(AWSLambdaClient.java:1925)
      at com.amazonaws.services.lambda.AWSLambdaClient.createFunction(AWSLambdaClient.java:686)
      at com.xti.jenkins.plugin.awslambda.service.LambdaDeployService.createLambdaFunction(LambdaDeployService.java:162)
      at com.xti.jenkins.plugin.awslambda.service.LambdaDeployService.deployLambda(LambdaDeployService.java:82)
      at com.xti.jenkins.plugin.awslambda.upload.LambdaUploader.upload(LambdaUploader.java:51)
      at com.xti.jenkins.plugin.awslambda.upload.LambdaUploadBuildStep.perform(LambdaUploadBuildStep.java:81)
      at com.xti.jenkins.plugin.awslambda.upload.LambdaUploadBuildStep.perform(LambdaUploadBuildStep.java:66)
      at hudson.tasks.BuildStepMonitor$3.perform(BuildStepMonitor.java:45)
      at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:785)
      at hudson.model.Build$BuildExecution.build(Build.java:205)
      at hudson.model.Build$BuildExecution.doRun(Build.java:162)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
      at hudson.model.Run.execute(Run.java:1741)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:98)
      at hudson.model.Executor.run(Executor.java:408)

      Build step 'AWS Lambda deployment' changed build result to FAILURE
      Finished: FAILURE
      ===========================

      The Jenkins node that is running this job has all the credentials it needs to talk to Lambda.
      For instance, I can create a function via the AWS CLI:

        aws lambda create-function --function-name alex-foo --runtime python2.7 --role arn:aws:iam::763429161784:role/lambda_hipchat_pr_digest --handler lambda_handler --region us-west-2 --zip-file fileb://foo.zip
        {
            "FunctionName": "alex-foo",
            "CodeSize": 170,
            "MemorySize": 128,
            "FunctionArn": "arn:aws:lambda:us-west-2:763429161784:function:alex-foo",
            "Handler": "lambda_handler",
            "Role": "arn:aws:iam::763429161784:role/lambda_hipchat_pr_digest",
            "Timeout": 3,
            "LastModified": "2016-01-15T14:44:20.353+0000",
            "Runtime": "python2.7",
            "Description": ""
        }

      The IAM policy on the instance has full lambda and iam:PassRole (This role also has a trust relationship with another account, which may play a role in this error):
      {
        "Version": "2012-10-17",
        "Statement": [
          { "Sid": "Stmt1452706481000", "Effect": "Allow", "Action": [ "lambda:*" ], "Resource": [ "*" ] },
          { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "*" ] }
        ]
      }

          Activity

          cast Michael Willemse added a comment -

          Hi Alex,

          Do you have feedback on this ticket? I changed it to "new feature" type since it wasn't a bug and is implemented by supporting distributed jobs.

          grayaii Alex Gray added a comment -

          I am testing this right now. I will let you know in ~1 hour. Thank you so much.

          grayaii Alex Gray added a comment -

          Fricken awesome! It works like a champ! Thank you so much!

          cast Michael Willemse added a comment -

          Hi Alex, awesome to hear. I highly appreciate your bug log and pinpointing of the issue.

          I'll close the ticket.

          cast Michael Willemse added a comment -

          Distributed build support available from version 0.4.0
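
The ticket title asks for the plugin's AWS calls to run on the build node through the remoting Callable interface, so that "use instance credentials" resolves the node's credentials. An added example of that pattern follows; it is not the aws-lambda-plugin's own code. The class name `CreateFunctionOnAgent` and its parameters are hypothetical, and it assumes the AWS SDK for Java 1.11.x and Jenkins' `MasterToSlaveCallable`.

```java
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.services.lambda.AWSLambda;
import com.amazonaws.services.lambda.AWSLambdaClientBuilder;
import com.amazonaws.services.lambda.model.CreateFunctionRequest;
import com.amazonaws.services.lambda.model.FunctionCode;
import hudson.Launcher;
import jenkins.security.MasterToSlaveCallable;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Paths;

/** Hypothetical callable (not the plugin's class): call() executes in the agent JVM. */
public class CreateFunctionOnAgent extends MasterToSlaveCallable<String, IOException> {
    private static final long serialVersionUID = 1L;
    // Only plain serializable values cross the remoting channel: no AWS client, no keys.
    private final String region, functionName, roleArn, handler, runtime, zipPathOnAgent;

    public CreateFunctionOnAgent(String region, String functionName, String roleArn,
                                 String handler, String runtime, String zipPathOnAgent) {
        this.region = region;
        this.functionName = functionName;
        this.roleArn = roleArn;
        this.handler = handler;
        this.runtime = runtime;
        this.zipPathOnAgent = zipPathOnAgent;
    }

    @Override
    public String call() throws IOException {
        // Built on the agent, so the request is signed with the node's instance profile.
        AWSLambda lambda = AWSLambdaClientBuilder.standard()
                .withRegion(region)
                .withCredentials(InstanceProfileCredentialsProvider.getInstance())
                .build();
        byte[] zip = Files.readAllBytes(Paths.get(zipPathOnAgent)); // file read on the agent
        CreateFunctionRequest request = new CreateFunctionRequest()
                .withFunctionName(functionName).withRuntime(runtime)
                .withRole(roleArn).withHandler(handler)
                .withCode(new FunctionCode().withZipFile(ByteBuffer.wrap(zip)));
        return lambda.createFunction(request).getFunctionArn();
    }

    /** From a build step's perform() on the controller: ship the task to the build node. */
    public static String runOn(Launcher launcher, CreateFunctionOnAgent task)
            throws IOException, InterruptedException {
        return launcher.getChannel().call(task);
    }
}
```

If the same client were built directly inside `perform()`, the credential lookup would happen in the controller JVM and the request would carry the controller's identity instead of the node's.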


            People

            Assignee:
            cast Michael Willemse
            Reporter:
            grayaii Alex Gray