Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50754

"ERROR: Could not find credentials matching (rolename)" when using AWS role

XMLWordPrintable

      My pipeline looks like this:

      pipeline {
 agent {
 docker { 
 image '<id>.dkr.ecr.us-west-2.amazonaws.com/<company>/cicd-debian-worker:v0.0.2'
 label '<mylabel>'
 registryUrl 'https://<id>.dkr.ecr.us-west-2.amazonaws.com/'
 registryCredentialsId 'JENKINS_SLAVE_AWS_ROLE'
 }
}
...

      I have also set an AWS credential for which I set the ARN to the role ARN I'm interested in into the global namespace in the credentials store.

      When I run my pipeline, it fails with:

      ERROR: Could not find credentials matching JENKINS_SLAVE_AWS_ROLE

      I'm 100% sure the credential exists with that name.

          [JENKINS-50754] "ERROR: Could not find credentials matching (rolename)" when using AWS role

          Oleg Nenashev added a comment -

          Just to clarify, does this ID represent the "AWS Credentials" type? If yes, the plugin won't be able to use them. Only "Docker Registry Token" credentials type is supported by the plugin according to the code, all other credentials will be ignored. https://github.com/jenkinsci/docker-commons-plugin/blob/e00c616a847630fccf637e891000813a7b441ceb/src/main/java/org/jenkinsci/plugins/docker/commons/credentials/DockerRegistryEndpoint.java#L184-L186

          The error message could be improved for sure. It could indicate the required type/domain at least

          Oleg Nenashev added a comment - Just to clarify, does this ID represent the "AWS Credentials" type? If yes, the plugin won't be able to use them. Only "Docker Registry Token" credentials type is supported by the plugin according to the code, all other credentials will be ignored. https://github.com/jenkinsci/docker-commons-plugin/blob/e00c616a847630fccf637e891000813a7b441ceb/src/main/java/org/jenkinsci/plugins/docker/commons/credentials/DockerRegistryEndpoint.java#L184-L186 The error message could be improved for sure. It could indicate the required type/domain at least

          Jesse Glick added a comment -

          Wrong component.

          Jesse Glick added a comment - Wrong component.

          Brian Grant added a comment -

          I'm wondering about the status of this issue. I think I'm trying to something very similar to piratejohnny – use an image from ECR as the main agent in my pipeline. I recently read  a blog post describing how to get this all set up, but when I think I have it set up properly following the guide, I get the same ERROR message about not being able to find matching credentials.

          This issue is reasonably old and the blog post is from just a few months ago so I'm wondering if we might be running an older version of some component prior to a fix being introduced. I don't have direct access to our Jenkins installation, but I do have direct access to someone who'd be able to answer questions about versions if this has already been fixed.

          Brian Grant added a comment - I'm wondering about the status of this issue. I think I'm trying to something very similar to piratejohnny – use an image from ECR as the main agent in my pipeline. I recently read   a blog post describing how to get this all set up , but when I think I have it set up properly following the guide, I get the same ERROR message about not being able to find matching credentials. This issue is reasonably old and the blog post is from just a few months ago so I'm wondering if we might be running an older version of some component prior to a fix being introduced. I don't have direct access to our Jenkins installation, but I do have direct access to someone who'd be able to answer questions about versions if this has already been fixed.

          Jon B added a comment -

          Since I first posted about this, our company upgraded to CloudBees Jenkins Enterprise where the whole Jenkins CI system runs on Kubernetes and we also use kube2iam to assign AWS roles to pods.

          Jon B added a comment - Since I first posted about this, our company upgraded to CloudBees Jenkins Enterprise where the whole Jenkins CI system runs on Kubernetes and we also use kube2iam to assign AWS roles to pods.

          Brian Grant added a comment -

          piratejohnny, that's useful information. I'm pretty sure we're also on CloudBees Jenkins Enterprise, but I don't know if we're running Jenkins CI on Kubernetes or not. In any case, it sounds like the change in approach has allowed you to work around this same ERROR and you're successfully able to use Docker-based agents out of ECR.

          If I've misunderstood, please let me know.

          Brian Grant added a comment - piratejohnny , that's useful information. I'm pretty sure we're also on CloudBees Jenkins Enterprise, but I don't know if we're running Jenkins CI on Kubernetes or not. In any case, it sounds like the change in approach has allowed you to work around this same ERROR and you're successfully able to use Docker-based agents out of ECR. If I've misunderstood, please let me know.

            Unassigned Unassigned
            piratejohnny Jon B
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated: