JENKINS-76162

EC2 Fleet Plugin requires autoscaling:DescribeAutoScalingGroups permission on Jenkins controller even though awsCredentialsId is provided when initially started


    • Bug
    • Resolution: Unresolved
    • Minor
    • ec2-fleet-plugin
    • None

        1. Issue Details

      *Describe the bug*
      On the init/constructor of the class, they just call the client builder

      but once running it does this

      ```java
      public static AwsCredentialsProvider toSdkV2CredentialsProvider(AmazonWebServicesCredentials credentials) {
          if (credentials == null) return null;
          AwsCredentials creds = credentials.resolveCredentials();
          return StaticCredentialsProvider.create(creds);
      }
      ```

      that then resolves the role correctly

      so that explains why it's working 'post deploy' but not on init

      and I confirmed all they do on init is
      DescribeAutoScalingGroupsResponse result = client.describeAutoScalingGroups


      *To Reproduce*
      1. Deploy a Jenkins environment using JCasC configuration with 1 or more clouds using the awsCredentialsId parameter
      2. Environment will fail to start up
      3. Grant the Jenkins task the autoscaling:DescribeAutoScalingGroups permission and restart the Jenkins environment and it will start successfully

      *Logs*
          software.amazon.awssdk.services.autoscaling.model.AutoScalingException: User: (obscured) is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action (Service: AutoScaling, Status Code: 403, Request ID: (obscured)) (SDK Attempt Count: 1)

      *EC2Fleet Configuration as Code*
      ```yaml
      clouds:
        - eC2Fleet:
            addNodeOnlyIfRunning: false
            alwaysReconnect: true
            awsCredentialsId: (obscured)
            cloudStatusIntervalSec: 10
            computerConnector:
              sSHConnector:
                credentialsId: (obscured)
                launchTimeoutSeconds: 600
                maxNumRetries: 40
                port: 22
                retryWaitTime: 15
                sshHostKeyVerificationStrategy: "nonVerifyingKeyVerificationStrategy"
            disableTaskResubmit: false
            executorScaler:
              nodeHardwareScaler:
                memoryGiBPerExecutor: 2
                vCpuPerExecutor: 1
            fleet: (obscured)
            idleMinutes: 60
            initOnlineCheckIntervalSec: 15
            initOnlineTimeoutSec: 600
            labelString: (obscured)
            maxSize: 10
            maxTotalUses: -1
            minSize: 0
            minSpareSize: 0
            name: (obscured)
            noDelayProvision: true
            numExecutors: 1
            privateIpUsed: true
            region: "us-east-2"
            restrictUsage: true
            scaleExecutorsByWeight: false
      ```

      *Anything else unique about your setup?*
      No

            schmutze Chad Schmutzer
            waltryder Walt
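
As an added example (not part of the issue or the plugin's code): a small Python script that reads controller log text for the 403 shown under Logs and builds the narrowest identity policy for the workaround in step 3. The sample principal, request id, `Sid` and function names are constructed; lines reporting an explicit deny are parsed but left out of the policy, since an Allow does not override them.

```python
import json
import re

# Shape of the AWS SDK v2 access-denied message quoted in the Logs section.
DENIED = re.compile(
    r"User: (?P<principal>.+?) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?P<reason>.*?)\(Service: (?P<service>\w+), Status Code: 403"
)

def parse_denials(log_text):
    """Return one dict per 403 line: principal, action, service, explicit_deny."""
    denials = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        d = m.groupdict()
        # An explicit deny (SCP, boundary, ...) is not fixed by adding an Allow.
        d["explicit_deny"] = "explicit deny" in d.pop("reason")
        denials.append(d)
    return denials

def workaround_policy(denials):
    """Identity policy allowing only the implicitly denied actions, or None."""
    actions = sorted({d["action"] for d in denials if not d["explicit_deny"]})
    if not actions:
        return None
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Ec2FleetInitWorkaround",  # hypothetical name
            "Effect": "Allow",
            "Action": actions,
            # Describe* calls in EC2 Auto Scaling take no resource-level
            # permissions, so the statement cannot be scoped below "*".
            "Resource": "*",
        }],
    }

# Constructed sample: the page's log line with placeholder principal and request id.
SAMPLE_LOG = """\
INFO controller starting (constructed line)
software.amazon.awssdk.services.autoscaling.model.AutoScalingException: User: arn:aws:sts::111122223333:assumed-role/EXAMPLE-controller-task/EXAMPLE is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action (Service: AutoScaling, Status Code: 403, Request ID: EXAMPLE-REQUEST-ID) (SDK Attempt Count: 1)
"""

if __name__ == "__main__":
    print(json.dumps(workaround_policy(parse_denials(SAMPLE_LOG)), indent=2))
```

The `"Resource": "*"` choice is specific to the Describe call in this report; for any other denied action the log turns up, scope the resource before attaching the policy to the controller's task role.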