Deploying Jenkins via Helm chart, and configuring with Configuration as code.
Jenkins Master has a service Account created, which is annotated to point to a Role.
Jenkins Agent has a Service Account Created, which is also annotated to a role.
I can see that the Jenkins Master role is not getting called, so this is almost certainly where the problem is.
Sample job I'm testing with:
- name: aws
sh "aws s3 ls s3:
sh "echo test > test.txt"
sh "echo test > test2.txt"
sh "aws s3 cp test2.txt s3:
archiveArtifacts artifacts: 'test.txt', followSymlinks: false
}
The result:
+ aws s3 cp test2.txt s3:Completed 5 Bytes/5 Bytes (33 Bytes/s) with 1 file(s) remaining
upload: ./test2.txt to s3:
ERROR: Failed to upload /home/jenkins/agent/workspace/test/test.txt to https:<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>ES9A612YHZRSHJ30</RequestId><HostId>xChB27LSJU1YG66XDMiU7wuLKPM1j30nVZaj+ce3p9g2iYZjqAaShTDub/L8NTYfjPFHfjSxCgo=</HostId></Error>
So you can see the agent has access via its role; the archive step fails because, I assume, it's getting run from the Master.
In k8s, I can see that the master pod has a service account defined, and it is getting the AWS role information injected into it.
- name: AWS_DEFAULT_REGION
- name: AWS_REGION
- name: AWS_ROLE_ARN
- name: AWS_WEB_IDENTITY_TOKEN_FILE
This leads me to think that the AWS plugins are somehow attempting to use the Instance Profile, not the Service Account's role.
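
A way to check the pod side of that hypothesis from inside the master pod, as an added example that is not part of the original post: it confirms that `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are set and that the projected token's `sub` and `aud` claims name the expected service account. The namespace and service account name `jenkins`, the role ARN and the sample token are constructed placeholders.

```python
import base64
import json

REQUIRED_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
IRSA_AUDIENCE = "sts.amazonaws.com"  # audience EKS puts in IRSA tokens by default


def jwt_claims(token):
    """Decode the payload of a compact JWT without verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_irsa(env, token, namespace, service_account):
    """Return a list of problems with the pod's IRSA wiring (empty = looks fine)."""
    problems = [f"{name} is not set" for name in REQUIRED_ENV if not env.get(name)]
    try:
        claims = jwt_claims(token)
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return problems + [f"token unreadable: {exc}"]
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        problems.append(f"token sub is {claims.get('sub')!r}, expected {expected_sub!r}")
    aud = claims.get("aud")
    if IRSA_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"token aud {aud!r} does not include {IRSA_AUDIENCE!r}")
    return problems


def make_token(claims):
    """Build an unsigned sample JWT (constructed test data, not a real token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # In the pod: env = dict(os.environ), token = contents of $AWS_WEB_IDENTITY_TOKEN_FILE.
    env = {"AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/example-role",
           "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
    token = make_token({"sub": "system:serviceaccount:jenkins:jenkins", "aud": ["sts.amazonaws.com"]})
    print(check_irsa(env, token, "jenkins", "jenkins") or "IRSA wiring looks correct")
```

An empty result means the pod-level wiring is sound, which leaves the credential lookup of whatever performs the upload as the remaining suspect.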