JENKINS-66574

Provide a possibility to assume IAM role instead of credentials

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Not A Defect
    • ec2-plugin
    • None

    Description

      Use case:

      Jenkins is running in account A and needs to start an EC2 worker in account B.

      Currently, it is only possible to create static (bad bad bad) credentials in account B and then hardcode them in the Jenkins config.

      What would be great is to have a role in account B that another role in account A could assume. Similar to how it is done in the ECS plugin. You might even be able to copy the code from there...

        Activity

          jjg23 Joshua added a comment -

          I would also like to see the possibility of using the task role, in the case that ECS is running in Fargate. I believe this is a somewhat common use-case based on AWS publishing this guide earlier this year, https://aws.amazon.com/blogs/devops/building-a-serverless-jenkins-environment-on-aws-fargate/, combined with the fact that it's not possible to build Docker containers in Fargate by default.

          faller Al added a comment -

          This is already possible.  In the advanced section near the top of account configuration, there is a spot for "Arn Role".  I use this all of the time to build workers in another account without static keys.  Just need to configure the roles correctly:

          https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

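The role configuration the comment above refers to, as an added example that is not part of the thread or of the ec2-plugin: the trust policy on the account B role, the matching `sts:AssumeRole` permission for the account A role, and a small audit that flags a trust policy broader than the one intended principal. The account IDs and role names are constructed placeholders; `WORKER_ROLE` stands in for the role ARN that would be entered in the "Arn Role" field.

```python
import json

# Constructed placeholder account IDs and role names (not from the issue).
ACCOUNT_A = "111111111111"  # where Jenkins runs
ACCOUNT_B = "222222222222"  # where the EC2 workers start
JENKINS_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/jenkins-controller"
WORKER_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/jenkins-ec2-workers"

def trust_policy(principal_arn):
    """Trust policy for the role in account B: who may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole"}]}

def assume_permission(target_role_arn):
    """Identity policy for the role in account A: which role it may assume."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": target_role_arn}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust(policy, expected_principal):
    """List Allow statements that trust anything beyond expected_principal."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: any principal can assume the role")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind != "AWS":
                    findings.append(f"statement {i}: {kind} principal {value}")
                elif value == "*":
                    findings.append(f"statement {i}: any principal can assume the role")
                elif value.endswith(":root") or value.isdigit():
                    findings.append(f"statement {i}: whole account trusted: {value}")
                elif value != expected_principal:
                    findings.append(f"statement {i}: unexpected principal {value}")
    return findings

if __name__ == "__main__":
    print(json.dumps(trust_policy(JENKINS_ROLE), indent=2))
    print(json.dumps(assume_permission(WORKER_ROLE), indent=2))
    print(audit_trust(trust_policy(JENKINS_ROLE), JENKINS_ROLE))
```

Both halves are needed: the trust policy in account B names who may assume the role, and the identity policy in account A lets the Jenkins role call `sts:AssumeRole` on it.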

          andrey9kin Andrey Devyatkin added a comment -

          faller aha. It is there, indeed. Somehow managed to miss it. Thanks! Will close the issue

          People

            andrey9kin Andrey Devyatkin