JENKINS-54898

ECS Plugin 1.18 cannot launch slaves


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • amazon-ecs-plugin
    • None
    • Jenkins 2.138.2
      amazon-ecs 1.18
    • v1.19

      After upgrading from v1.16 to 1.18 of the ECS plugin, no ECS slaves were able to be launched.

      We are using EC2 as the launch type (not Fargate).

      The error message in the log is as follows:

      [digital-ci-devops-zv5qp]: Error in provisioning; agent=com.cloudbees.jenkins.plugins.amazonecs.ECSSlave[digital-ci-devops-zv5qp]
      com.amazonaws.services.ecs.model.AccessDeniedException: User: arn:aws:sts::[******]:assumed-role/[******] is not authorized to perform: iam:PassRole on resource: arn:aws:iam::[******]:role/ecsTaskExecutionRole (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: [******])
          at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1658)
          at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1322)

      I was able to fix the problem by going into the build slave configuration and changing the field "Task Execution Role ARN" from the default value of "ecsTaskExecutionRole" to "" (empty string).

      However, if an admin opens the Jenkins system config, all the build slave configs (20+) will have the "Task Execution Role ARN" field reset back to their default value. If the config is saved, the problem will reoccur.

      What I believe is happening is that on v1.18, the plugin is incorrectly applying the task execution role to EC2 launch type slaves (should only be applied to Fargate launch type).

      Reverting the plugin back to v1.16 resolved the problem.

            pgarbe Philipp Garbe
            ajcarter Aidan Carter
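
An added example, not part of the original report or the plugin's code: a Python script that extracts the denied principal, action and role from log lines shaped like the AccessDeniedException above and, for controllers that do need to pass the execution role, builds an IAM statement scoped to that one role and to ECS tasks. The sample log, account ID, role name and agent names are constructed placeholders.

```python
import json
import re

# Shape of the AWS "not authorized to perform" message seen in the Jenkins log.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>\S+)"
)

# Constructed sample log (account id, role and agent names are placeholders).
SAMPLE_LOG = """\
[agent-a1]: Error in provisioning; agent=com.cloudbees.jenkins.plugins.amazonecs.ECSSlave[agent-a1]
com.amazonaws.services.ecs.model.AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/jenkins-master/i-0abc is not authorized to perform: iam:PassRole on resource: arn:aws:iam::111122223333:role/ecsTaskExecutionRole (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 00000000-0000)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1658)
[agent-b2]: Error in provisioning; agent=com.cloudbees.jenkins.plugins.amazonecs.ECSSlave[agent-b2]
com.amazonaws.services.ecs.model.AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/jenkins-master/i-0abc is not authorized to perform: iam:PassRole on resource: arn:aws:iam::111122223333:role/ecsTaskExecutionRole (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 00000000-0001)
"""


def find_denials(log_text):
    """Return unique (principal, action, resource) tuples, in order of first appearance."""
    seen = []
    for m in DENIED.finditer(log_text):
        item = (m["principal"], m["action"], m["resource"])
        if item not in seen:
            seen.append(item)
    return seen


def passrole_statement(resource_arn):
    """Least-privilege grant: this one role, passable only to ECS tasks."""
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": resource_arn,
        "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
    }


def policy_for(log_text):
    """Build a policy covering only the iam:PassRole denials found in the log."""
    roles = [res for _, action, res in find_denials(log_text) if action == "iam:PassRole"]
    return {"Version": "2012-10-17", "Statement": [passrole_statement(r) for r in roles]}


if __name__ == "__main__":
    print(json.dumps(policy_for(SAMPLE_LOG), indent=2))
```

The generated statement avoids a wildcard `Resource` and ties the grant to `ecs-tasks.amazonaws.com`, so the Jenkins role cannot hand the execution role to any other service.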