Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-66216

Cannot launch with an IAM Instance Profile

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Not A Defect
    • Component/s: ec2-plugin
    • Labels:
      None
    • Similar Issues:

      Description

      I'm trying to get my EC2 plugin to apply a IAM role to the agents it starts up. When I set the IAM Instance Profile with the ARN (arn:aws:iam::<my account id>:instance-profile/<my instance profile> it fails to create the instance. Be it on demand or manually. I'll put the log in the comments but it hasn't provided any insight as I can't see exactly what the AWS Java sdk is doing.

       

      This feature was introduced in JENKINS-17086

        Attachments

          Issue Links

            Activity

            Hide
            geoff Geoff Dunn added a comment -

            Log of error:

             

            Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate getImage
            Getting image for request {ExecutableUsers: [],Filters: [],ImageIds: [ami-0e9385446265e3b17],Owners: []}
            Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate logProvisionInfo
            SlaveTemplate{description='Windows Test Executor', labels='win32 _TestWin32 TestWin32'}. Considering launching
            Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate setupRootDevice
            AMI had /dev/sda1
            Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate setupRootDevice
            {DeleteOnTermination: true,SnapshotId: snap-07496dc218bddf918,VolumeSize: 150,VolumeType: gp2,Encrypted: false}
            Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate logProvisionInfo
            SlaveTemplate{description='Windows Test Executor', labels='win32 _TestWin32 TestWin32'}. EBS default encryption value set to: Based on AMI (null)
            Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate logProvisionInfo
            SlaveTemplate{description='Windows Test Executor', labels='win32 _TestWin32 TestWin32'}. Setting Instance Initiated Shutdown Behavior : ShutdownBehavior.Terminate
            Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate logProvisionInfo
            SlaveTemplate{description='Windows Test Executor', labels='win32 _TestWin32 TestWin32'}. Looking for existing instances with describe-instance: {Filters: [{Name: image-id,Values: [ami-0e9385446265e3b17]}, {Name: instance-type,Values: [m5.2xlarge]}, {Name: key-name,Values: [key-jenkins1-server]}, {Name: tenancy,Values: [default]}, {Name: subnet-id,Values: [subnet-01aafee5250a28627]}, {Name: tag:Name,Values: [Jenkins 1 Agent]}, {Name: tag:jenkins_server_url,Values: [https://mydomain/]}, {Name: tag:Creator,Values: [Jenkins 1]}, {Name: tag:jenkins_slave_type,Values: [demand_Windows Test Executor]}],InstanceIds: [],}
            Jul 26, 2021 8:36:59 AM WARNING hudson.init.impl.InstallUncaughtExceptionHandler handleException
            Caught unhandled exception with ID 87d82880-6169-4f03-8e1f-d65c62bc0d54
            com.amazonaws.services.ec2.model.AmazonEC2Exception: You are not authorized to perform this operation. Encoded authorization failure message: TLf_BHeqxxVMdzzoKHh8YeO8DCGFdkxITkuLZFFjp2s2S36HiHOe6EFoMN3-ykhREmJqibsaDF2fFu7CA-CcOjnZ_S-MLqBgpO3embCE4HIfZwtMI5hF4FsIEgB_uYv3yxNEmCvYi3bYy03fOeIhif6Qtr5FTBPOiJs8bgodY1LD_RIE9KhI5QaVKwF_0MKW8_NWtdvHq9lrWsfkbOMgsexxr7kgSydLS0Xz6sMBGiIR6KTXwz2Ksa1KejGaPzz3_Satn-h42lru9UH21IOSGHwuu_m6ENAsmtMUKjPCWFrKruQKmBg6JEfFVk4AtB9IC-z5TE0i_D_boOQHZX28j8Lt_4QSLm3jDTezSc5XdrPzr_SM9euPjxCqvORCSBYarZJCcGm2Ti7t7hJNKLdtVQwiZJqOBUre2hv3LGWJc4Wt6YScdUENuyqjuogb16F9P_qLDpIvC5QHM25MTLaYKRSblq072-JlqX7nAfq-YF_abBORWGfEYpszEed-_KLhIp7P_mcC860Eb01uQcQmlafKRDA-gb7eR3zhqELVbxOSxWLM1OykJsaYJT_chg (Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation; Request ID: 1924361f-0f02-41ba-a9d0-912f23511587; Proxy: null)
            	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1819)
            	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1403)
            	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1372)
            	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145)
            	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802)
            	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770)
            	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744)
            	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704)
            	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686)
            	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550)
            	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530)
            	at com.amazonaws.services.ec2.AmazonEC2Client.doInvoke(AmazonEC2Client.java:29240)
            	at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:29207)
            	at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:29196)
            	at com.amazonaws.services.ec2.AmazonEC2Client.executeRunInstances(AmazonEC2Client.java:28011)
            	at com.amazonaws.services.ec2.AmazonEC2Client.runInstances(AmazonEC2Client.java:27980)
            	at hudson.plugins.ec2.SlaveTemplate.provisionOndemand(SlaveTemplate.java:1085)
            	at hudson.plugins.ec2.SlaveTemplate.provisionOndemand(SlaveTemplate.java:1027)
            	at hudson.plugins.ec2.SlaveTemplate.provision(SlaveTemplate.java:840)
            	at hudson.plugins.ec2.EC2Cloud.getNewOrExistingAvailableSlave(EC2Cloud.java:714)
            	at hudson.plugins.ec2.EC2Cloud.doProvision(EC2Cloud.java:451)
            	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
            	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
            	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
            	at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
            	at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
            	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
            	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
            	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536)
            	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:
            ...etc...
            
            Show
            geoff Geoff Dunn added a comment - Log of error:   Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate getImage Getting image for request {ExecutableUsers: [],Filters: [],ImageIds: [ami-0e9385446265e3b17],Owners: []} Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate logProvisionInfo SlaveTemplate{description= 'Windows Test Executor' , labels= 'win32 _TestWin32 TestWin32' }. Considering launching Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate setupRootDevice AMI had /dev/sda1 Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate setupRootDevice {DeleteOnTermination: true ,SnapshotId: snap-07496dc218bddf918,VolumeSize: 150,VolumeType: gp2,Encrypted: false } Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate logProvisionInfo SlaveTemplate{description= 'Windows Test Executor' , labels= 'win32 _TestWin32 TestWin32' }. EBS default encryption value set to: Based on AMI ( null ) Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate logProvisionInfo SlaveTemplate{description= 'Windows Test Executor' , labels= 'win32 _TestWin32 TestWin32' }. Setting Instance Initiated Shutdown Behavior : ShutdownBehavior.Terminate Jul 26, 2021 8:36:59 AM INFO hudson.plugins.ec2.SlaveTemplate logProvisionInfo SlaveTemplate{description= 'Windows Test Executor' , labels= 'win32 _TestWin32 TestWin32' }. Looking for existing instances with describe-instance: {Filters: [{Name: image-id,Values: [ami-0e9385446265e3b17]}, {Name: instance-type,Values: [m5.2xlarge]}, {Name: key-name,Values: [key-jenkins1-server]}, {Name: tenancy,Values: [ default ]}, {Name: subnet-id,Values: [subnet-01aafee5250a28627]}, {Name: tag:Name,Values: [Jenkins 1 Agent]}, {Name: tag:jenkins_server_url,Values: [https: //mydomain/]}, {Name: tag:Creator,Values: [Jenkins 1]}, {Name: tag:jenkins_slave_type,Values: [demand_Windows Test Executor]}],InstanceIds: [],} Jul 26, 2021 8:36:59 AM WARNING hudson.init.impl.InstallUncaughtExceptionHandler handleException Caught unhandled exception with ID 87d82880-6169-4f03-8e1f-d65c62bc0d54 com.amazonaws.services.ec2.model.AmazonEC2Exception: You are not authorized to perform this operation. Encoded authorization failure message: TLf_BHeqxxVMdzzoKHh8YeO8DCGFdkxITkuLZFFjp2s2S36HiHOe6EFoMN3-ykhREmJqibsaDF2fFu7CA-CcOjnZ_S-MLqBgpO3embCE4HIfZwtMI5hF4FsIEgB_uYv3yxNEmCvYi3bYy03fOeIhif6Qtr5FTBPOiJs8bgodY1LD_RIE9KhI5QaVKwF_0MKW8_NWtdvHq9lrWsfkbOMgsexxr7kgSydLS0Xz6sMBGiIR6KTXwz2Ksa1KejGaPzz3_Satn-h42lru9UH21IOSGHwuu_m6ENAsmtMUKjPCWFrKruQKmBg6JEfFVk4AtB9IC-z5TE0i_D_boOQHZX28j8Lt_4QSLm3jDTezSc5XdrPzr_SM9euPjxCqvORCSBYarZJCcGm2Ti7t7hJNKLdtVQwiZJqOBUre2hv3LGWJc4Wt6YScdUENuyqjuogb16F9P_qLDpIvC5QHM25MTLaYKRSblq072-JlqX7nAfq-YF_abBORWGfEYpszEed-_KLhIp7P_mcC860Eb01uQcQmlafKRDA-gb7eR3zhqELVbxOSxWLM1OykJsaYJT_chg (Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation; Request ID: 1924361f-0f02-41ba-a9d0-912f23511587; Proxy: null ) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1819) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1403) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1372) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704) at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686) at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550) at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530) at com.amazonaws.services.ec2.AmazonEC2Client.doInvoke(AmazonEC2Client.java:29240) at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:29207) at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:29196) at com.amazonaws.services.ec2.AmazonEC2Client.executeRunInstances(AmazonEC2Client.java:28011) at com.amazonaws.services.ec2.AmazonEC2Client.runInstances(AmazonEC2Client.java:27980) at hudson.plugins.ec2.SlaveTemplate.provisionOndemand(SlaveTemplate.java:1085) at hudson.plugins.ec2.SlaveTemplate.provisionOndemand(SlaveTemplate.java:1027) at hudson.plugins.ec2.SlaveTemplate.provision(SlaveTemplate.java:840) at hudson.plugins.ec2.EC2Cloud.getNewOrExistingAvailableSlave(EC2Cloud.java:714) at hudson.plugins.ec2.EC2Cloud.doProvision(EC2Cloud.java:451) at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627) at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396) at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408) at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77) at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26) at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212) at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145) at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java: ...etc...
            Hide
            geoff Geoff Dunn added a comment -

            Looks like it is a permission issue. If I give the Jenkins server role Admin it can create the agent. It's already got full EC2 and read only IAM access...

            Show
            geoff Geoff Dunn added a comment - Looks like it is a permission issue. If I give the Jenkins server role Admin it can create the agent. It's already got full EC2 and read only IAM access...
            Hide
            geoff Geoff Dunn added a comment -

            got it. Needs iam:PassRole which was in the IAM write permissions

            Show
            geoff Geoff Dunn added a comment - got it. Needs iam:PassRole which was in the IAM write permissions

              People

              Assignee:
              thoulen FABRIZIO MANFREDI
              Reporter:
              geoff Geoff Dunn
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: