
aws-parameter-store IAM integration limitations

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • Environment: aws-parameter-store plugin v1.2.1, Jenkins 2.154

      I started to use the aws-parameter-store plugin v1.2.1.

      My setup is Jenkins 2.154 on Kubernetes with github multi-branch/organization/pipeline plugins.

      I found out that:

      • the plugin does not work with the slave pod IAM role (IAM instance role)
      • the plugin only works with the AWS credentials stored in the Global domain - not from the job organisation domain.
      • the plugin only works with the IAM user AWS credentials, not with a role
      • the plugin fails silently if the IAM permission is not working
      • the plugin fails silently if the parameter path does not exist

      Would it be possible to enhance the usability of this plugin and make it fail when there are setup issues?

          [JENKINS-55401] aws-parameter-store IAM integration limitations

          Rik Turnbull added a comment -

          Thanks for the feedback. It should work under Kubernetes and with an IAM Role - I have it running regularly as an ECS Task. The credentials are fetched using the aws-credentials-plugin.

          It's true that it only works with global credentials - I'll investigate adding other credential stores.

          Yes it fails silently - in some cases lack of permissions might not be an error - for example fetching by path when your role only has access to particular parameters. Failing the build may be overkill (unless I add a flag) but I should find a way to print a message in the console.
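The silent failures listed in the report and the empty-path caveat in the reply above, as an added example that is not part of the plugin or of this issue: a pre-flight check a job could run before trusting the plugin's output, with the "fail the build" flag the maintainer mentions. It assumes a boto3-style SSM client; `preflight_parameter_store`, `FakeSsm` and the parameter names are this example's own.

```python
# Added example, not the plugin's code: make a denied IAM identity or a
# non-existent path fail loudly. `ssm` is any object exposing
# get_parameters_by_path (boto3's SSM client does); names are assumptions.
def preflight_parameter_store(ssm, path, required=(), require_all=True):
    """Return parameter names under `path`; raise RuntimeError on denied access,
    and (if require_all) on an empty path or a missing required name. With
    require_all=False those two cases only warn, since a role scoped to specific
    parameters legitimately sees a partial listing, as the maintainer notes."""
    names, token = [], None
    try:
        while True:  # follow pagination as the real API requires
            kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
            if token:
                kwargs["NextToken"] = token
            page = ssm.get_parameters_by_path(**kwargs)
            names.extend(p["Name"] for p in page.get("Parameters", []))
            token = page.get("NextToken")
            if not token:
                break
    except Exception as exc:  # botocore's ClientError carries a .response dict
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code == "AccessDeniedException":
            raise RuntimeError(f"IAM identity denied ssm:GetParametersByPath on {path}") from exc
        raise

    problems = []
    if not names:
        problems.append(f"no parameters visible under {path} (wrong path, or role cannot see any)")
    missing = sorted(set(required) - set(names))
    if missing:
        problems.append(f"required parameters missing under {path}: {missing}")
    if problems and require_all:
        raise RuntimeError("; ".join(problems))
    for problem in problems:
        print(f"WARNING: {problem}")
    return names


class FakeSsm:
    """Constructed offline stand-in for boto3's SSM client, for the demo/test."""
    def __init__(self, names, deny=False):
        self.names, self.deny = list(names), deny

    def get_parameters_by_path(self, Path, **_):
        if self.deny:  # mimic botocore's ClientError shape for an IAM denial
            err = Exception("AccessDeniedException")
            err.response = {"Error": {"Code": "AccessDeniedException"}}
            raise err
        return {"Parameters": [{"Name": n} for n in self.names if n.startswith(Path)]}
```

Against a real account, replace `FakeSsm` with `boto3.client("ssm")` and the pod's IAM role is exercised end to end.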


            Assignee: Rik Turnbull
            Reporter: Arthur Clément