[JENKINS-65434] aws-java-sdk 1.11.995 plugin update breaks IRSA functionality in the configuration-as-code-secret-ssm-plugin

The latest version of the aws-java-sdk plugin (aws-java-sdk:1.11.995) breaks the IRSA functionality of the configuration-as-code-secret-ssm-plugin. When deploying a fresh Jenkins instance, instead of using the mounted web identity token from IRSA to retrieve the SSM parameter value, the configuration-as-code-secret-ssm-plugin uses the node role instead. Because the node role doesn't have access to the credential in SSM, this causes an error on bootup (full stack trace listed below).

This issue can be bypassed by pinning the aws-java-sdk plugin to the current-1 version (aws-java-sdk:1.11.976). When using the older version of the aws-java-sdk plugin, the configuration-as-code-secret-ssm-plugin correctly uses IRSA to retrieve the SSM parameter instead of the EKS node role.

      2021-04-22 14:04:11.367+0000 [id=34]    SEVERE    c.b.j.p.c.s.s.AwsSsmSecretSource#reveal: Error getting ssm secret: /jenkins/google/client_secret
      com.amazonaws.services.simplesystemsmanagement.model.AWSSimpleSystemsManagementException: User: arn:aws:sts::xxxxxxxxxxx:assumed-role/cluster-node-role-xxxxxxxxxxxx/x-xxxxxxxxxx
          at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1695)
          at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1350)
          at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1101)
          at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:758)
          at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732)
          at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:714)
          at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:674)
          at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:656)
          at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:520)
          at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.doInvoke(AWSSimpleSystemsManagementClient.java:8219)
          at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8186)
          at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8175)
          at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.executeGetParameter(AWSSimpleSystemsManagementClient.java:4952)
          at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.getParameter(AWSSimpleSystemsManagementClient.java:4924)
          at com.bambora.jenkins.plugin.casc.secrets.ssm.AwsSsmSecretSource.reveal(AwsSsmSecretSource.java:35)
          at io.jenkins.plugins.casc.SecretSourceResolver$ConfigurationContextStringLookup.lambda$lookup$ad236547$1(SecretSourceResolver.java:136)
          at io.vavr.CheckedFunction0.lambda$unchecked$52349c75$1(CheckedFunction0.java:247)
          at io.jenkins.plugins.casc.SecretSourceResolver$ConfigurationContextStringLookup.lambda$lookup$0(SecretSourceResolver.java:136)
          at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
          at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1361)
          at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
          at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:499)
          at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:486)
          at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
          at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
          at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
          at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:531)
          at io.jenkins.plugins.casc.SecretSourceResolver$ConfigurationContextStringLookup.lookup(SecretSourceResolver.java:138)
          at org.apache.commons.text.lookup.InterpolatorStringLookup.lookup(InterpolatorStringLookup.java:144)
          at org.apache.commons.text.StringSubstitutor.resolveVariable(StringSubstitutor.java:1067)
          at org.apache.commons.text.StringSubstitutor.substitute(StringSubstitutor.java:1433)
          at org.apache.commons.text.StringSubstitutor.substitute(StringSubstitutor.java:1308)
          at org.apache.commons.text.StringSubstitutor.replaceIn(StringSubstitutor.java:1019)
          at io.jenkins.plugins.casc.SecretSourceResolver.resolve(SecretSourceResolver.java:104)
          at io.jenkins.plugins.casc.impl.configurators.PrimitiveConfigurator.configure(PrimitiveConfigurator.java:44)
          at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.tryConstructor(DataBoundConfigurator.java:160)
          at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.instance(DataBoundConfigurator.java:77)
          at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:267)
          at io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.configure(DataBoundConfigurator.java:83)
          at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$doConfigure$16668e2$1(HeteroDescribableConfigurator.java:277)
          at io.vavr.CheckedFunction0.lambda$unchecked$52349c75$1(CheckedFunction0.java:247)
          at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.doConfigure(HeteroDescribableConfigurator.java:277)
          at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$configure$2(HeteroDescribableConfigurator.java:86)
          at io.vavr.control.Option.map(Option.java:392)
          at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.lambda$configure$3(HeteroDescribableConfigurator.java:86)
          at io.vavr.Tuple2.apply(Tuple2.java:238)
          at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.configure(HeteroDescribableConfigurator.java:83)
          at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.configure(HeteroDescribableConfigurator.java:55)
          at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:352)
          at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:270)
          at io.jenkins.plugins.casc.ConfigurationAsCode.lambda$configureWith$6(ConfigurationAsCode.java:745)
          at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:689)
          at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:745)
          at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:614)
          at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:298)
          at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:290)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:498)
          at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:104)
          at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:175)
          at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
          at jenkins.model.Jenkins$5.runTask(Jenkins.java:1131)
          at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
          at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
          at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at java.lang.Thread.run(Thread.java:748)
      

Jon Tancer created issue
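
A triage check for the failure reported above, as an added example (not part of the original issue or of either plugin): it compares the caller ARN in the access-denied error with the role that IRSA injects through `AWS_ROLE_ARN`, to tell a credential-chain fallback to the node role apart from a missing policy on the IRSA role. The environment values, role names, account ID and log lines below are constructed, and the verdict names are hypothetical labels.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Caller identity as printed in AWS authorization errors:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
# The account part is matched loosely so redacted logs still parse.
ASSUMED_ROLE_RE = re.compile(
    r"arn:aws[\w-]*:sts::(?P<account>[^:\s]*):assumed-role/"
    r"(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)"
)
# Role ARN as injected by IRSA: arn:aws:iam::<account>:role/[path/]<role-name>
IAM_ROLE_RE = re.compile(r"^arn:aws[\w-]*:iam::[^:\s]*:role/(?P<path_and_name>\S+)$")
# EC2 instance-profile sessions are named after the instance ID.
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")


class Finding(NamedTuple):
    verdict: str
    role: Optional[str]
    session: Optional[str]


def expected_role_name(role_arn: str) -> str:
    """Return the bare role name; assumed-role ARNs never include the IAM path."""
    m = IAM_ROLE_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return m.group("path_and_name").rsplit("/", 1)[-1]


def diagnose(env: Dict[str, str], log_lines: List[str]) -> List[Finding]:
    """Classify every caller ARN found in the log against the IRSA role."""
    role_arn = env.get("AWS_ROLE_ARN")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not role_arn or not token_file:
        # The pod never received IRSA settings, so no SDK could use them.
        return [Finding("irsa-not-injected", None, None)]
    expected = expected_role_name(role_arn)
    findings = []
    for line in log_lines:
        m = ASSUMED_ROLE_RE.search(line)
        if not m:
            continue
        role, session = m.group("role"), m.group("session")
        if role == expected:
            # IRSA worked; the denial is a policy gap on the IRSA role itself.
            verdict = "irsa-role-used"
        elif INSTANCE_ID_RE.match(session):
            # IRSA was configured but the SDK resolved the node's instance role.
            verdict = "fell-back-to-instance-role"
        else:
            verdict = "unexpected-role"
        findings.append(Finding(verdict, role, session))
    return findings


# Constructed sample: the environment an IRSA-enabled pod receives, and log
# lines shaped like the ones in this report (placeholder account and roles).
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/jenkins-irsa-EXAMPLE",
    "AWS_WEB_IDENTITY_TOKEN_FILE":
        "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}
SAMPLE_LOG = [
    "2021-04-22 14:04:11.367+0000 [id=34] SEVERE c.b.j.p.c.s.s.AwsSsmSecretSource"
    "#reveal: Error getting ssm secret: /jenkins/google/client_secret",
    "com.amazonaws.services.simplesystemsmanagement.model."
    "AWSSimpleSystemsManagementException: User: arn:aws:sts::111122223333:"
    "assumed-role/cluster-node-role-EXAMPLE/i-0123456789abcdef0"
    " is not authorized to perform: ssm:GetParameter",
    "    at com.amazonaws.http.AmazonHttpClient$RequestExecutor"
    ".handleErrorResponse(AmazonHttpClient.java:1695)",
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ENV, SAMPLE_LOG):
        print(finding)
```

A `fell-back-to-instance-role` verdict on a pod that does have both IRSA variables set matches the behaviour described in this report; `irsa-role-used` would instead point at the IAM policy attached to the IRSA role.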
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:104)
              at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:175)
              at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
              at jenkins.model.Jenkins$5.runTask(Jenkins.java:1131)
              at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
              at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
              at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at java.lang.Thread.run(Thread.java:748)
          {code}

            vlatombe Vincent Latombe
            jtancer Jon Tancer