Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50754

"ERROR: Could not find credentials matching (rolename)" when using AWS role

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      My pipeline looks like this:

      pipeline {
       agent {
       docker { 
       image '<id>.dkr.ecr.us-west-2.amazonaws.com/<company>/cicd-debian-worker:v0.0.2'
       label '<mylabel>'
       registryUrl 'https://<id>.dkr.ecr.us-west-2.amazonaws.com/'
       registryCredentialsId 'JENKINS_SLAVE_AWS_ROLE'
       }
      }
      ...

      I have also set an AWS credential for which I set the ARN to the role ARN I'm interested in into the global namespace in the credentials store.

      When I run my pipeline, it fails with:

      ERROR: Could not find credentials matching JENKINS_SLAVE_AWS_ROLE

      I'm 100% sure the credential exists with that name.

        Attachments

          Activity

          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          Just to clarify, does this ID represent the "AWS Credentials" type? If yes, the plugin won't be able to use them. Only "Docker Registry Token" credentials type is supported by the plugin according to the code, all other credentials will be ignored. https://github.com/jenkinsci/docker-commons-plugin/blob/e00c616a847630fccf637e891000813a7b441ceb/src/main/java/org/jenkinsci/plugins/docker/commons/credentials/DockerRegistryEndpoint.java#L184-L186

          The error message could be improved for sure. It could indicate the required type/domain at least

          Show
          oleg_nenashev Oleg Nenashev added a comment - Just to clarify, does this ID represent the "AWS Credentials" type? If yes, the plugin won't be able to use them. Only "Docker Registry Token" credentials type is supported by the plugin according to the code, all other credentials will be ignored. https://github.com/jenkinsci/docker-commons-plugin/blob/e00c616a847630fccf637e891000813a7b441ceb/src/main/java/org/jenkinsci/plugins/docker/commons/credentials/DockerRegistryEndpoint.java#L184-L186 The error message could be improved for sure. It could indicate the required type/domain at least
          Hide
          jglick Jesse Glick added a comment -

          Wrong component.

          Show
          jglick Jesse Glick added a comment - Wrong component.
          Hide
          btgrant Brian Grant added a comment -

          I'm wondering about the status of this issue. I think I'm trying to something very similar to Jon B – use an image from ECR as the main agent in my pipeline. I recently read  a blog post describing how to get this all set up, but when I think I have it set up properly following the guide, I get the same ERROR message about not being able to find matching credentials.

          This issue is reasonably old and the blog post is from just a few months ago so I'm wondering if we might be running an older version of some component prior to a fix being introduced. I don't have direct access to our Jenkins installation, but I do have direct access to someone who'd be able to answer questions about versions if this has already been fixed.

          Show
          btgrant Brian Grant added a comment - I'm wondering about the status of this issue. I think I'm trying to something very similar to Jon B – use an image from ECR as the main agent in my pipeline. I recently read   a blog post describing how to get this all set up , but when I think I have it set up properly following the guide, I get the same ERROR message about not being able to find matching credentials. This issue is reasonably old and the blog post is from just a few months ago so I'm wondering if we might be running an older version of some component prior to a fix being introduced. I don't have direct access to our Jenkins installation, but I do have direct access to someone who'd be able to answer questions about versions if this has already been fixed.
          Hide
          piratejohnny Jon B added a comment -

          Since I first posted about this, our company upgraded to CloudBees Jenkins Enterprise where the whole Jenkins CI system runs on Kubernetes and we also use kube2iam to assign AWS roles to pods.

          Show
          piratejohnny Jon B added a comment - Since I first posted about this, our company upgraded to CloudBees Jenkins Enterprise where the whole Jenkins CI system runs on Kubernetes and we also use kube2iam to assign AWS roles to pods.
          Hide
          btgrant Brian Grant added a comment -

          Jon B, that's useful information. I'm pretty sure we're also on CloudBees Jenkins Enterprise, but I don't know if we're running Jenkins CI on Kubernetes or not. In any case, it sounds like the change in approach has allowed you to work around this same ERROR and you're successfully able to use Docker-based agents out of ECR.

          If I've misunderstood, please let me know.

          Show
          btgrant Brian Grant added a comment - Jon B , that's useful information. I'm pretty sure we're also on CloudBees Jenkins Enterprise, but I don't know if we're running Jenkins CI on Kubernetes or not. In any case, it sounds like the change in approach has allowed you to work around this same ERROR and you're successfully able to use Docker-based agents out of ECR. If I've misunderstood, please let me know.

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            piratejohnny Jon B
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated: