Details

    • Similar Issues:

      Description

      AWS has recently released a feature to allow PODs in EKS/K8S to assume individual, fine grained roles. This allows certain pods to get IAM credentials to perform work in AWS. The blog post is here:

       

      https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/

       

      This requires an update to SDKs because the new SDKs slightly modify the DefaultCredential chain to also look for certain environment variables which point to files that contain enough data to convert the data to IAM credentials.

       

      Currently, configuration-as-code-secret-ssm-plugin specifies it's aws-java-sdk as 1.11.341: https://github.com/jenkinsci/configuration-as-code-secret-ssm-plugin/blob/master/pom.xml#L43

       

      The aforementioned feature requires 1.11.623, ref: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html

      If we were to update this sdk, we could use this plugin in jenkins that's running in a K8S or EKS pod without further config.

        Attachments

          Issue Links

            Activity

            Hide
            chriskilding Chris Kilding added a comment - - edited

            I recently got a request to downgrade the AWS SDK dependency on the Secrets Manager Credentials Provider plugin, to make it compatible with Cloudbees Core 2.176.4.3. I imagine any other plugin that uses AWS SDK, including the SSM one, would have the same constraint when used with Cloudbees Core.

            The SDK downgrade broke support for fine-grained IAM policies in my plugin, and I’ve already received a bug report from a user affected by this.

            So Cloudbees Core needs its AWS SDK dependency upgraded ASAP, to enable both of our plugins to upgrade in turn.

            Show
            chriskilding Chris Kilding added a comment - - edited I recently got a request to downgrade the AWS SDK dependency on the Secrets Manager Credentials Provider plugin, to make it compatible with Cloudbees Core 2.176.4.3. I imagine any other plugin that uses AWS SDK, including the SSM one, would have the same constraint when used with Cloudbees Core. The SDK downgrade broke support for fine-grained IAM policies in my plugin, and I’ve already received a bug report from a user affected by this. So Cloudbees Core needs its AWS SDK dependency upgraded ASAP, to enable both of our plugins to upgrade in turn.
            Hide
            patbos Patrik Boström added a comment - - edited

            The plugin uses  AWS SDK Plugin https://plugins.jenkins.io/aws-java-sdk so as long as there is a version of that plugin that bundles AWS Java SDK 1.11.623, or higher the plugin should use that.
            As long as that version of AWS SDK plugin is installed on your Jenkins the plugin should use that version.

            The latest version includes 1.11.687 in AWS SDK plugin

            Please test with latest version of AWS SDK plugin and report back.

            Show
            patbos Patrik Boström added a comment - - edited The plugin uses  AWS SDK Plugin https://plugins.jenkins.io/aws-java-sdk  so as long as there is a version of that plugin that bundles AWS Java SDK 1.11.623, or higher the plugin should use that. As long as that version of AWS SDK plugin is installed on your Jenkins the plugin should use that version. The latest version includes 1.11.687 in AWS SDK plugin Please test with latest version of AWS SDK plugin and report back.

              People

              • Assignee:
                patbos Patrik Boström
                Reporter:
                danvan Daniel V
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated: