Bug
Resolution: Fixed
Major
None
ec2-plugin:1760.vcc93a_2ec6efe
ec2:1764.v71db_efb_46a_fe
When you configure an EC2 Cloud with an IAM Role in the Arn Role field but do not specify a Session Name, the role is not used at all:
https://github.com/jenkinsci/ec2-plugin/blob/1760.vcc93a_2ec6efe/src/main/java/hudson/plugins/ec2/EC2Cloud.java#L1086-L1094
This is quite misleading. The test connection would still work if the controller has an auth mechanism within AWS (IRSA with Kubernetes, EC2 Instance Profile, ...). And the EC2 Plugin does not give much information about this.
.h3 Workaround
Always specify a Session Name when using Arn Role.
.h3
The Session Name is mandatory for Arn Role when using the com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.Builder, so we should either reflect this requirement in the UI, or handle the failure it would result in: an NPE "You must specify a value for roleArn and roleSessionName".
Another Improvement that could help is to have the Test Connection display the (assumed) identity.
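
An added illustration of the two improvements suggested above (it is not code from the ec2-plugin or from the reporter): a fail-closed check for Arn Role without Session Name, and a comparison of the configured role against the caller ARN that a test connection would obtain from STS GetCallerIdentity. The class, method names and sample ARNs are hypothetical.

```java
import java.util.Optional;

// Added illustration: class, methods and sample ARNs are hypothetical, not ec2-plugin code.
public class ArnRoleCheck {

    // Fail closed: a role ARN without a session name is a configuration error,
    // not a reason to fall back to the controller's ambient credentials.
    static Optional<String> validate(String roleArn, String sessionName) {
        boolean hasRole = roleArn != null && !roleArn.isBlank();
        boolean hasSession = sessionName != null && !sessionName.isBlank();
        if (hasRole && !hasSession) {
            return Optional.of("Session Name is required when Arn Role is set");
        }
        return Optional.empty();
    }

    // Role ARN:   arn:aws:iam::<account>:role/<optional/path/><name>
    // Caller ARN: arn:aws:sts::<account>:assumed-role/<name>/<session> (no path)
    static boolean usesConfiguredRole(String roleArn, String callerArn) {
        String[] role = roleArn.split(":", 6);
        String[] caller = callerArn.split(":", 6);
        if (role.length != 6 || caller.length != 6) return false;
        if (!role[2].equals("iam") || !role[5].startsWith("role/")) return false;
        if (!caller[2].equals("sts") || !caller[5].startsWith("assumed-role/")) return false;
        String roleName = role[5].substring(role[5].lastIndexOf('/') + 1);
        String[] session = caller[5].split("/");
        return session.length == 3
                && role[4].equals(caller[4])
                && session[1].equals(roleName);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String role = "arn:aws:iam::111122223333:role/ci/jenkins-ec2";
        String assumed = "arn:aws:sts::111122223333:assumed-role/jenkins-ec2/jenkins";
        String ambient = "arn:aws:sts::111122223333:assumed-role/controller-profile/i-0123456789abcdef0";

        System.out.println(validate(role, "").orElse("ok"));
        System.out.println(validate(role, "jenkins").orElse("ok"));
        System.out.println(usesConfiguredRole(role, assumed));
        System.out.println(usesConfiguredRole(role, ambient));
    }
}
```

The last call models the situation in the report: the connection succeeds, but the effective identity is the controller's instance profile rather than the configured role.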
[JENKINS-74945] EC2 Plugin does not use Arn Role if Session Name is empty
Summary | Original: EC2 Plugin does not use Arn Role is Session Name is ampty | New: EC2 Plugin does not use Arn Role if Session Name is ampty |
Summary | Original: EC2 Plugin does not use Arn Role if Session Name is ampty | New: EC2 Plugin does not use Arn Role if Session Name is empty |
Remote Link | New: This issue links to "CloudBees Internal Issue (Web Link)" [ 30278 ] |
Description |
Original:
When you configure an EC2 Cloud with an IAM Role in the {{Arn Role}} field but do not specify a {{Session Name}}, the role is not used at all:
https://github.com/jenkinsci/ec2-plugin/blob/1760.vcc93a_2ec6efe/src/main/java/hudson/plugins/ec2/EC2Cloud.java#L1086-L1094 This is quite misleading. The test connection would still work if you the controller has an auth mechanism within AWS (IRSA with Kubernetes, EC2 Instance Profile, ...). And the EC2 Plugin does not give much information about this. .h3 Workaround Always specify a {{Session Name}} when using {{Arn Role}}. .h3 * If Session Name is not mandatory, then Arn Role should be used regardless of the Sessio Name value * If Session Name is mandatory for Arn Role, then this should be reflected in the UI and maybe in the log with a WARNING. Another Improvement that could help is to have the Test Connection display the (assumed identity). |
New:
When you configure an EC2 Cloud with an IAM Role in the {{Arn Role}} field but do not specify a {{Session Name}}, the role is not used at all:
https://github.com/jenkinsci/ec2-plugin/blob/1760.vcc93a_2ec6efe/src/main/java/hudson/plugins/ec2/EC2Cloud.java#L1086-L1094 This is quite misleading. The test connection would still work if you the controller has an auth mechanism within AWS (IRSA with Kubernetes, EC2 Instance Profile, ...). And the EC2 Plugin does not give much information about this. .h3 Workaround Always specify a {{Session Name}} when using {{Arn Role}}. .h3 The {{Session Name}} is mandatory for {{Arn Role}} when using the {{com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.Builder}}, so we should either reflect this requirement in the UI.. Or handle the failure it would result in, an NPE "You must specify a value for roleArn and roleSessionName" Another Improvement that could help is to have the Test Connection display the (assumed identity). |
Description |
Original:
When you configure an EC2 Cloud with an IAM Role in the {{Arn Role}} field but do not specify a {{Session Name}}, the role is not used at all:
https://github.com/jenkinsci/ec2-plugin/blob/1760.vcc93a_2ec6efe/src/main/java/hudson/plugins/ec2/EC2Cloud.java#L1086-L1094 This is quite misleading. The test connection would still work if you the controller has an auth mechanism within AWS (IRSA with Kubernetes, EC2 Instance Profile, ...). And the EC2 Plugin does not give much information about this. .h3 Workaround Always specify a {{Session Name}} when using {{Arn Role}}. .h3 The {{Session Name}} is mandatory for {{Arn Role}} when using the {{com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.Builder}}, so we should either reflect this requirement in the UI.. Or handle the failure it would result in, an NPE "You must specify a value for roleArn and roleSessionName" Another Improvement that could help is to have the Test Connection display the (assumed identity). |
New:
When you configure an EC2 Cloud with an IAM Role in the {{Arn Role}} field but do not specify a {{Session Name}}, the role is not used at all:
https://github.com/jenkinsci/ec2-plugin/blob/1760.vcc93a_2ec6efe/src/main/java/hudson/plugins/ec2/EC2Cloud.java#L1086-L1094 This is quite misleading. The test connection would still work if you the controller has an auth mechanism within AWS (IRSA with Kubernetes, EC2 Instance Profile, ...). And the EC2 Plugin does not give much information about this. .h3 Workaround Always specify a {{Session Name}} when using {{Arn Role}}. .h3 The {{Session Name}} is mandatory for {{Arn Role}} when using the {{com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.Builder}}, so we should either reflect this requirement in the UI.. Or handle the failure it would result in, an NPE "You must specify a value for roleArn and roleSessionName" Another Improvement that could help is to have the Test Connection display the (assumed) identity. |
Assignee | Original: FABRIZIO MANFREDI [ thoulen ] | New: Allan BURDAJEWICZ [ allan_burdajewicz ] |
Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Remote Link | New: This issue links to "ec2-plugin #1016 (Web Link)" [ 30283 ] |
Status | Original: In Progress [ 3 ] | New: In Review [ 10005 ] |