  1. Jenkins
  2. JENKINS-75014

Plugin v139.v0b_c2603876b_c breaks IRSA access for Artifact Manager on S3

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • None
    • Artifact Manager on S3: 894.v29efa_d1a_6383
      Jenkins: 2.479.2
    • Released As: 140.vc08280b_30015

      After installing version v139.v0b_c2603876b_c of the AWS Global Configuration plugin, our Jenkins jobs that call stash/unstash (handled by the Artifact Manager on S3 plugin) started failing with the below error. It appears the jobs are no longer assuming the role defined by IRSA (service account role annotation) and are instead using default instance profile rights which are limited by design. For reference, these jobs are running as pods in an EKS cluster.
       
      The Artifact Manager on S3 is configured to use "IAM instance Profile/user AWS configuration". This works correctly after downgrading AWS Global Configuration to the prior plugin version 130.v35b_7b_96f53c3. I suspect some of the changes in sessionCredentialsFromInstanceProfile may be involved but need to research more.
       
      Error seen with v139.v0b_c2603876b_c:
       
      2024-12-17 17:26:29.555+0000 [id=86] WARNING hudson.model.Run#getArtifactsUpTo
      hudson.AbortException: Authorization failed: User: arn:aws:sts::XXXX:assumed-role/my-role/i-iid is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my-bucket" because no identity-based policy allows the s3:ListBucket action request GET https://my-bucket.s3-us-east-1.amazonaws.com/?prefix=plugin/utilities/lighthouseci/248/artifacts/ HTTP/1.1 failed with code 403, error: AWSError{requestId='NR9PB1SP6J3QTVC0', requestToken='8JeF4F7LhuA5AY91+IY4rXXogXq3UrYxrO/5+AylR0p9nCiivrZQrBPTl6PXRYO63/kfVoiLfSeVFx7WqgNUjyiWln3lfnIajNKNplILv9Q=', code='AccessDenied', message='User: arn:aws:sts::XXXX:assumed-role/my-role/i-iid is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my-bucket" because no identity-based policy allows the s3:ListBucket action', context='{HostId=8JeF4F7LhuA5AY91+IY4rXXogXq3UrYxrO/5+AylR0p9nCiivrZQrBPTl6PXRYO63/kfVoiLfSeVFx7WqgNUjyiWln3lfnIajNKNplILv9Q=}'}
      at PluginClassLoader for artifact-manager-s3//io.jenkins.plugins.artifact_manager_jclouds.JCloudsVirtualFile.run(JCloudsVirtualFile.java:336)
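
      A triage helper for the symptom reported above, added here as an example and not taken from the issue, the plugin, or the fix: it pulls the assumed-role principal out of an AccessDenied message and compares it with the IRSA variables the pod exposes. The function names, result labels and the sample role ARN are assumptions; the sample message is constructed from the error text in this report.

```python
import re

# Principal as it appears in an S3/STS AccessDenied message.
ASSUMED_ROLE = re.compile(
    r"arn:aws[\w-]*:sts::(?P<account>[^:]+):"
    r"assumed-role/(?P<role>[^/\s]+)/(?P<session>[^\s/]+)"
)

def parse_principal(message):
    """Return account, role and session name of the first principal, or None."""
    m = ASSUMED_ROLE.search(message)
    return m.groupdict() if m else None

def role_name(role_arn):
    """arn:aws:iam::<account>:role/<optional path/>name -> name."""
    return role_arn.rsplit("/", 1)[-1]

def diagnose(message, env):
    """Classify which credential source produced the failing request."""
    principal = parse_principal(message)
    if principal is None:
        return "no-assumed-role-principal"
    # Both variables are injected into pods whose service account is
    # annotated for IRSA; without them the SDK cannot use web identity.
    expected = env.get("AWS_ROLE_ARN")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not expected or not token_file:
        return "irsa-not-configured"
    if principal["role"] == role_name(expected):
        return "irsa-role-in-use"
    # Instance profile sessions are named after the EC2 instance ID ("i-...").
    if principal["session"].startswith("i-"):
        return "instance-profile-fallback"
    return "unexpected-role"

# Constructed sample inputs; the role ARN below is hypothetical.
SAMPLE_MESSAGE = (
    "User: arn:aws:sts::XXXX:assumed-role/my-role/i-iid is not authorized "
    'to perform: s3:ListBucket on resource: "arn:aws:s3:::my-bucket"'
)
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::XXXX:role/jenkins-irsa-role",
    "AWS_WEB_IDENTITY_TOKEN_FILE":
        "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_MESSAGE, SAMPLE_ENV))
```

      Run inside the affected pod, passing `os.environ` as `env` gives the same classification against the live configuration.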


          Zach Vickery created issue -
          Basil Crow made changes -
          Assignee Original: Carlos Sanchez [ csanchez ] New: Basil Crow [ basil ]
          Basil Crow made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Basil Crow made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Basil Crow made changes -
          Remote Link New: This issue links to "jenkinsci/aws-global-configuration-plugin#95 (Web Link)" [ 30428 ]
          Basil Crow made changes -
          Released As New: 140.vc08280b_30015
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Closed [ 6 ]
          Basil Crow made changes -
          Epic Link New: JENKINS-73638 [ 221809 ]

            basil Basil Crow
            zdvickery Zach Vickery