JENKINS-66574

Provide a possibility to assume IAM role instead of credentials

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Defect
    • Component/s: ec2-plugin
    • Labels:
      None

      Description

      Use case:

      Jenkins is running in account A and needs to start an EC2 worker in account B.

      Currently, it is only possible to create static (bad bad bad) credentials in account B and then hardcode them in the Jenkins config.

      What would be great is to have a role in account B that another role in account A could assume. Similar to how it is done in the ECS plugin. You might even be able to copy code from there...

          Activity

          jjg23 Joshua added a comment -

          I would also like to see the possibility of using the task role, in the case that ECS is running in Fargate. I believe this is a somewhat common use-case based on AWS publishing this guide earlier this year, https://aws.amazon.com/blogs/devops/building-a-serverless-jenkins-environment-on-aws-fargate/, combined with the fact that it's not possible to build Docker containers in Fargate by default.

          faller Al added a comment -

          This is already possible. In the advanced section near the top of account configuration, there is a spot for "Arn Role". I use this all of the time to build workers in another account without static keys. Just need to configure the roles correctly:

          https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
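
Added example, not part of the comment above and not ec2-plugin code: a small audit of the trust policy on the account B role, checking that only the Jenkins role in account A can assume it. The account IDs, role name and sample policies are constructed placeholders, and only `AWS` principals are inspected.

```python
import json

# Constructed sample: trust policy on the role in account B (222222222222)
# that the Jenkins role in account A (111111111111) is allowed to assume.
# Account IDs and role names are placeholders, not values from the issue.
JENKINS_ROLE_ARN = "arn:aws:iam::111111111111:role/jenkins-controller"

GOOD_TRUST = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111111111111:role/jenkins-controller"},
                "Action": "sts:AssumeRole"}]}
""")

# Same role, but trusting every principal in account A (account root).
BROAD_TRUST = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                "Action": "sts:AssumeRole"}]}
""")


def as_list(value):
    """IAM allows a string or a list for Principal and Action values."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_principal):
    """Return findings for Allow statements that grant sts:AssumeRole to
    anything other than the single expected role ARN."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal")
            continue
        for arn in as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append("wildcard principal")
            elif arn.endswith(":root") or arn.isdigit():
                findings.append(f"whole account trusted: {arn}")
            elif arn != expected_principal:
                findings.append(f"unexpected principal: {arn}")
    return findings
```

An empty list means the only principal allowed to assume the role is the expected Jenkins role; the role ARN of the account B role is what goes into the plugin's "Arn Role" field mentioned above.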

          andrey9kin Andrey Devyatkin added a comment -

          Al aha. It is there, indeed. Somehow managed to miss it. Thanks! Will close the issue


            People

            Assignee:
            andrey9kin Andrey Devyatkin
            Reporter:
            andrey9kin Andrey Devyatkin
            Votes:
            0
            Watchers:
            3
