It'd be very convenient to be able to specify an S3 API key/secret in the EC2 plugin configuration, then an S3 bucket ID and file name for worker configurations. If provided, the EC2 plugin could fetch that file and run it as a setup script instead of / before running the "Init script" from the node config.

If not configured the filename could default to the node description.

Right now I'm using signed URLs but in addition to that being a pain to manage, JENKINS-23788 shows that it's also a bit tricky to get the init scripts to manage them quite right. e.g. this:

#!/bin/bash
curl -L -s "http://2q-jenkins-resources.s3.amazonaws.com/amazonlinux201209_jenkins_instancesetup.sh?AWSAccessKeyId=AKIAJZPC6FQAU4REUX2A&Expires=1670373735&Signature=nnnwC%2Fjmc8F69ZR5GGMnyf%2BVZ64%3D" | sudo bash

looks fine, but fails with a really confusing error if there are any problems fetching the script; a correct one looks more like:

set -o pipefail
if ! curl -L -s --fail 'http://2q-jenkins-resources.s3.amazonaws.com/amazonlinux201209_jenkins_instancesetup.sh?AWSAccessKeyId=AKIAJZPC6FQAU4REUX2A&Expires=1670373735&Signature=nnnwC%2Fjmc8F69ZR5GGMnyf%2BVZ64%3D' | bash; then 
  echo "Setup script failed"
fi

which is starting to get a bit copy-and-paste'y.

Just an idea - it's not something I expect to pursue at this point, but I thought it was worth putting out there.