JENKINS-47463

ssh-agent does not load private key when job run with curl/API

    • Type: Bug
    • Resolution: Incomplete
    • Priority: Blocker

      Google Groups thread here: https://groups.google.com/d/msg/jenkinsci-users/AuDLsGDKQww/phHzmtxaAQAJ

      Long story short, using a Parameter Expression + a Credentials Parameter to select which global credential to use in ssh-agent does not work when you start the job via the API/curl.

      It works locally in the container, it works on the Kubernetes master doing a manual job, and it works when you build the job manually in the UI, but when I try to use the API you get the following error:

      Building remotely on jenkins-slave-rn7w5 (jenkins-jenkins-slave) in workspace /home/jenkins/workspace/core-build
      Running Prebuild steps
      [core-build] $ /bin/bash -xe /tmp/jenkins3412092671259899558.sh
      + ssh-keyscan github.com
      # github.com:22 SSH-2.0-libssh_0.7.0
      # github.com:22 SSH-2.0-libssh_0.7.0
      # github.com:22 SSH-2.0-libssh_0.7.0
      + ssh-keygen -lf githubKey
      2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)
      + mkdir -p /home/jenkins/.ssh
      + cp githubKey /home/jenkins/.ssh/known_hosts
      + chmod 400 /home/jenkins/.ssh/known_hosts
      + cp -r /home/jenkins/.ssh /root/
      Success build forhudson.tasks.Shell@4efa51a
      FATAL: 
      java.io.IOException: [ssh-agent] Could not find specified credentials
      at com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper.preCheckout(SSHAgentBuildWrapper.java:209)
      at jenkins.scm.SCMCheckoutStrategy.preCheckout(SCMCheckoutStrategy.java:76)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:490)
      at hudson.model.Run.execute(Run.java:1724)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:97)
      at hudson.model.Executor.run(Executor.java:421)
      FATAL: [ssh-agent] Could not find specified credentials
      java.io.IOException: [ssh-agent] Could not find specified credentials
      at com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper.preCheckout(SSHAgentBuildWrapper.java:209)
      at jenkins.scm.SCMCheckoutStrategy.preCheckout(SCMCheckoutStrategy.java:76)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:490)
      at hudson.model.Run.execute(Run.java:1724)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:97)
      at hudson.model.Executor.run(Executor.java:421)
      Finished: FAILURE
      

      When you double check the build and check what parameters it was built with, the correct value is selected. I don't understand why this does not work.


          So the most likely root cause for this is that the trigger by API is not associating the triggering user correctly, and hence the user cause cannot be correctly determined and it gets assumed to be anonymous, or the resolved user cannot get permissions checked correctly and hence cannot be confirmed as having Item.BUILD or Item.CONFIGURE permissions.

          What you need to do is look at the build.xml for a job that worked and a job that didn't.

          You are looking for the CauseAction; normally, for an SCM trigger, it will look something like:

            <actions>
              <hudson.model.CauseAction>
                <causes>
                  <hudson.triggers.SCMTrigger_-SCMTriggerCause/>
                </causes>
              </hudson.model.CauseAction>

          (I don't have a user trigger example handy)

          If the cause is identical for both, then that deserves further examination.

          If the cause is different, then that difference and what causes it is where you need to start looking.

           

          (Comment added by Stephen Connolly.)
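An added example (not from the issue thread or the Jenkins project) of the comparison the comment above describes: extract the `CauseAction` causes from a working and a failing `build.xml` and report what differs. The two samples are constructed; `Cause$UserIdCause` and `Cause$RemoteCause` are Jenkins core cause classes, but which cause an API-triggered build records on a given instance is an assumption to confirm against the real files.

```python
import re
import xml.etree.ElementTree as ET

def sample(cause_xml):
    """Build a constructed, minimal build.xml around one cause element."""
    return ("<?xml version='1.1' encoding='UTF-8'?>\n<build><actions>"
            "<hudson.model.CauseAction><causes>" + cause_xml +
            "</causes></hudson.model.CauseAction></actions></build>")

# Constructed samples (assumptions, not data from the issue).
UI_BUILD = sample("<hudson.model.Cause_-UserIdCause><userId>alice</userId>"
                  "</hudson.model.Cause_-UserIdCause>")
API_BUILD = sample("<hudson.model.Cause_-RemoteCause><addr>192.0.2.10</addr>"
                   "<note>constructed</note></hudson.model.Cause_-RemoteCause>")

def causes(build_xml):
    """Return sorted (cause class, {field: value}) pairs from every CauseAction."""
    # Some Jenkins versions write an XML 1.1 declaration, which Python's
    # expat-based parser rejects, so drop the declaration before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", build_xml)
    root = ET.fromstring(body)
    found = []
    for action in root.iter("hudson.model.CauseAction"):
        for cause in action.findall("causes/*"):
            name = cause.tag.replace("_-", "$")  # XStream writes '$' as '_-'
            fields = {c.tag: (c.text or "").strip() for c in cause}
            found.append((name, fields))
    return sorted(found, key=lambda pair: pair[0])

def diff_causes(good_xml, bad_xml):
    """Causes recorded in only one of the two builds."""
    good, bad = causes(good_xml), causes(bad_xml)
    return {"only_good": [c for c in good if c not in bad],
            "only_bad": [c for c in bad if c not in good]}

if __name__ == "__main__":
    # An empty result on both sides means the causes are identical.
    for side, items in diff_causes(UI_BUILD, API_BUILD).items():
        print(side, items)
```

On a real instance, pass the contents of the two `build.xml` files to `diff_causes` in place of the constructed samples.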

          Marking incomplete until further information is available. Please re-open if you have supplied the additional information.

          (Comment added by Stephen Connolly.)

            Assignee: Unassigned
            Reporter: jurgen weber (jurgenweber)