Jenkins / JENKINS-54886

ECS 1.18 plugin fails to launch slaves (not authorized to perform: iam:PassRole)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Component/s: amazon-ecs-plugin
    • Labels:
      None
    • Environment:
      Jenkins ver. 2.138.3
      amazon-ecs 1.18

      Description

      After upgrading to version 1.18 of the Jenkins ECS plugin, containers are no longer spawning on ECS.

      The error that is logged by Jenkins is as follows:

      com.amazonaws.services.ecs.model.AccessDeniedException: User: arn:aws:sts::<redacted>:assumed-role/<redacted> is not authorized to perform: iam:PassRole on resource: arn:aws:iam::<redacted> (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException;

      Downgrading to version 1.17 resolves the issue.

      Did the 1.18 update introduce any required changes to the IAM role?  If so, I do not see any such changes explicitly documented in the release notes.

       

      Other information

      My Jenkins master is also running in ECS inside the same cluster as the build containers.  My current IAM role is similar to the example role listed in the plugin's wiki page.

      https://wiki.jenkins.io/display/JENKINS/Amazon+EC2+Container+Service+Plugin
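
      Added example (not from the issue or from the amazon-ecs plugin): a small Python check that pulls the action and resource out of an AccessDeniedException message like the one above and tests whether a policy document grants it, flagging iam:PassRole grants that are wider than needed. The account id, role names and policy are constructed placeholders, and the matching is a simplification of IAM evaluation.

```python
import fnmatch
import json
import re

# Constructed sample: same message shape as the report, with placeholder
# account id and role names where the report has <redacted>.
ERROR = ("com.amazonaws.services.ecs.model.AccessDeniedException: User: "
         "arn:aws:sts::111111111111:assumed-role/jenkins-master/session "
         "is not authorized to perform: iam:PassRole on resource: "
         "arn:aws:iam::111111111111:role/jenkins-agent-task "
         "(Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException;")

# Constructed policy: PassRole limited to one role and to the ECS tasks service.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:RunTask", "ecs:RegisterTaskDefinition"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111111111111:role/jenkins-agent-task",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}

DENIED = re.compile(r"User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)")

def parse_denial(line):
    """Return (principal, action, resource) from the message, or None."""
    m = DENIED.search(line)
    return m.groups() if m else None

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_grant(policy, action, resource):
    """Simplified check, not full IAM evaluation: Allow statements and '*'/'?'
    wildcards only; Deny, NotAction and condition values are ignored."""
    granted, warnings = False, []
    for st in as_list(policy["Statement"]):
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or not any(
                fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        for res in as_list(st.get("Resource", [])):
            if not fnmatch.fnmatchcase(resource, res):
                continue
            granted = True
            if action.lower() == "iam:passrole":
                if res == "*":
                    warnings.append("PassRole allowed on Resource '*'")
                if "iam:PassedToService" not in json.dumps(st.get("Condition", {})):
                    warnings.append("no iam:PassedToService condition")
    return granted, warnings
```

      Calling check_grant(POLICY, *parse_denial(ERROR)[1:]) returns (True, []) for the scoped policy; a policy with only the ecs:* statement returns (False, []), which is the situation the error message describes.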

            Activity

            jtancer Jon Tancer created issue -
            jtancer Jon Tancer made changes -
            Environment: Jenkins ver. 2.138.3
            jtancer Jon Tancer made changes -
            Environment: Jenkins ver. 2.138.3 → Jenkins ver. 2.138.3, amazon-ecs 1.18
            jtancer Jon Tancer made changes -
            Priority: Minor [ 4 ] → Major [ 3 ]
            pgarbe Philipp Garbe made changes -
            Assignee: Jan Roehrich [ roehrijn2 ] → Philipp Garbe [ pgarbe ]
            pgarbe Philipp Garbe added a comment -

            Closing this one, as JENKINS-54898 seems to be the same issue.

            pgarbe Philipp Garbe made changes -
            Link: This issue duplicates JENKINS-54898 [ JENKINS-54898 ]
            pgarbe Philipp Garbe made changes -
            Resolution: Duplicate [ 3 ]
            Status: Open [ 1 ] → Closed [ 6 ]

              People

              Assignee:
              pgarbe Philipp Garbe
              Reporter:
              jtancer Jon Tancer