
EC2 Plugin does not use Arn Role if Session Name is empty

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • ec2-plugin
    • None
    • ec2-plugin:1760.vcc93a_2ec6efe
    • ec2:1764.v71db_efb_46a_fe

      When you configure an EC2 Cloud with an IAM Role in the Arn Role field but do not specify a Session Name, the role is not used at all:

      https://github.com/jenkinsci/ec2-plugin/blob/1760.vcc93a_2ec6efe/src/main/java/hudson/plugins/ec2/EC2Cloud.java#L1086-L1094

      This is quite misleading. The test connection would still work if the controller has an auth mechanism within AWS (IRSA with Kubernetes, EC2 Instance Profile, ...). And the EC2 Plugin does not give much information about this.

      Workaround

      Always specify a Session Name when using Arn Role.

      The Session Name is mandatory for Arn Role when using the com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.Builder, so we should either reflect this requirement in the UI, or handle the failure it would result in, an NPE "You must specify a value for roleArn and roleSessionName".

      Another Improvement that could help is to have the Test Connection display the (assumed) identity.
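
The silent fallback described in this report, next to a fail-closed check and the identity comparison a Test Connection could perform. This is an added example, not code from the ec2-plugin: the class and method names are hypothetical, the ARNs are constructed sample values, and the caller ARN is assumed to come from an STS GetCallerIdentity call.

```java
/** Added illustration; hypothetical names, not the ec2-plugin's code. */
public class RoleConfigCheck {

    static boolean blank(String s) { return s == null || s.trim().isEmpty(); }

    /** Models the reported behaviour: a blank session name silently drops the role. */
    static String silentFallback(String roleArn, String sessionName) {
        return (!blank(roleArn) && !blank(sessionName)) ? "assume-role" : "ambient";
    }

    /** Fail-closed variant: a role without a session name is a configuration error. */
    static String failClosed(String roleArn, String sessionName) {
        if (blank(roleArn)) return "ambient"; // no role requested, ambient credentials are intended
        if (blank(sessionName))
            throw new IllegalArgumentException("Session Name is required when Arn Role is set");
        return "assume-role";
    }

    /**
     * True if callerArn is a session of roleArn. Mapping between the two forms:
     * arn:aws:iam::ACCT:role/PATH/NAME -> arn:aws:sts::ACCT:assumed-role/NAME/SESSION
     * (the role path is not part of the assumed-role ARN).
     */
    static boolean isSessionOfRole(String callerArn, String roleArn) {
        String[] c = callerArn.split(":", 6);
        String[] r = roleArn.split(":", 6);
        if (c.length != 6 || r.length != 6) return false;
        if (!c[1].equals(r[1]) || !c[4].equals(r[4])) return false; // partition, account
        if (!c[2].equals("sts") || !r[2].equals("iam")) return false;
        if (!c[5].startsWith("assumed-role/") || !r[5].startsWith("role/")) return false;
        String roleName = r[5].substring(r[5].lastIndexOf('/') + 1);
        String[] parts = c[5].split("/");
        return parts.length == 3 && parts[1].equals(roleName);
    }

    public static void main(String[] args) {
        String role = "arn:aws:iam::111122223333:role/ci/jenkins-agents"; // constructed
        System.out.println("silent:      " + silentFallback(role, ""));
        try {
            failClosed(role, "");
        } catch (IllegalArgumentException e) {
            System.out.println("fail-closed: " + e.getMessage());
        }
        // Constructed caller ARNs: the controller's own identity vs. the configured role.
        String ambient = "arn:aws:sts::111122223333:assumed-role/controller-node/i-0abc";
        String assumed = "arn:aws:sts::111122223333:assumed-role/jenkins-agents/jenkins";
        System.out.println("ambient matches role: " + isSessionOfRole(ambient, role));
        System.out.println("assumed matches role: " + isSessionOfRole(assumed, role));
    }
}
```

Comparing the caller identity with the configured role is what exposes the fallback: a connection test that only checks whether an API call succeeds passes in both cases.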

          [JENKINS-74945] EC2 Plugin does not use Arn Role if Session Name is empty

          Allan BURDAJEWICZ created issue -
          Allan BURDAJEWICZ made changes -
          Summary Original: EC2 Plugin does not use Arn Role is Session Name is ampty New: EC2 Plugin does not use Arn Role if Session Name is ampty
          Allan BURDAJEWICZ made changes -
          Summary Original: EC2 Plugin does not use Arn Role if Session Name is ampty New: EC2 Plugin does not use Arn Role if Session Name is empty
          Allan BURDAJEWICZ made changes -
          Remote Link New: This issue links to "CloudBees Internal Issue (Web Link)" [ 30278 ]
          Allan BURDAJEWICZ made changes -
          Description Original: When you configure an EC2 Cloud with an IAM Role in the {{Arn Role}} field but do not specify a {{Session Name}}, the role is not used at all:

          https://github.com/jenkinsci/ec2-plugin/blob/1760.vcc93a_2ec6efe/src/main/java/hudson/plugins/ec2/EC2Cloud.java#L1086-L1094

          This is quite misleading. The test connection would still work if the controller has an auth mechanism within AWS (IRSA with Kubernetes, EC2 Instance Profile, ...). And the EC2 Plugin does not give much information about this.

          Workaround

          Always specify a {{Session Name}} when using {{Arn Role}}.

          * If Session Name is not mandatory, then Arn Role should be used regardless of the Session Name value
          * If Session Name is mandatory for Arn Role, then this should be reflected in the UI and maybe in the log with a WARNING.

          Another Improvement that could help is to have the Test Connection display the (assumed identity).
          Allan BURDAJEWICZ made changes -
          Assignee Original: FABRIZIO MANFREDI [ thoulen ] New: Allan BURDAJEWICZ [ allan_burdajewicz ]
          Allan BURDAJEWICZ made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Allan BURDAJEWICZ made changes -
          Remote Link New: This issue links to "ec2-plugin #1016 (Web Link)" [ 30283 ]
          Allan BURDAJEWICZ made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Allan BURDAJEWICZ made changes -
          Released As New: ec2:1764.v71db_efb_46a_fe
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Resolved [ 5 ]

            allan_burdajewicz Allan BURDAJEWICZ