nexus3-oss

"Blob store groups are not enabled" when configuring S3 blobstores

Open chrobotm opened this issue 4 years ago • 5 comments

Trying to create an S3 blob but am getting this error:

TASK [ansible-thoteam.nexus3-oss : Calling Groovy script create_blobstores_from_list] **************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "connection": "close", "content_length": "284", "content_type": "application/json", "cookies": {}, "cookies_string": "", "date": "Fri, 24 Jan 2020 11:35:35 GMT", "elapsed": 0, "failed_when_result": true, "json": {"name": "create_blobstores_from_list", "result": "{"changed":false,"error":true,"action_details":[{"name":"s3-blobstore","type":"S3","status":"error","error_msg":"org.sonatype.nexus.rest.ValidationErrorsException: Blob store groups are not enabled"}]}"}, "msg": "OK (284 bytes)", "redirected": false, "server": "Nexus/3.20.1-01 (OSS)", "status": 200, "url": "http://localhost:8081/service/rest/v1/script/create_blobstores_from_list/run", "x_content_type_options": "nosniff"}

Looking at the documentation, blob store groups are only supported in the pro version, but I'm not specifying a group in the playbook, just a single blob store. This works fine manually via the console.

Playbook:

---
- name: Nexus
  hosts: localhost
  become: yes

  vars:
    nexus_timezone: 'GMT'
    nexus_admin_password: "..." #"{{ vault_nexus_admin_password }}"
    nexus_privileges:
      - name: all-repos-read
        description: 'Read & Browse access to all repos'
        repository: '*'
        actions:
          - read
          - browse
    nexus_anonymous_access: true
    nexus_delete_default_repos: true
    nexus_backup_configure: true
    nexus_backup_cron: '0 0 21 * * ?'  # See cron expressions definition in nexus create task gui
    nexus_backup_dir: '/var/nexus-backup'
    nexus_backup_dir_create: true
    nexus_restore_log: '{{ nexus_backup_dir }}/nexus-restore.log'
    nexus_backup_rotate: false
    nexus_backup_rotate_first: false
    nexus_backup_keep_rotations: 4  # Keep 4 backup rotation by default (current + last 3)
    nexus_config_pypi: true
    nexus_blobstores:
      - name: s3-blobstore
        type: S3
        config:
          bucket: mybucket
    nexus_repos_pypi_proxy:
    - name: pypi-proxy
      remote_url: 'https://pypi.org/'
      blob_store: s3-blobstore

  roles:
    - { role: geerlingguy.java }
    - { role: ansible-thoteam.nexus3-oss, tags: ['ansible-thoteam.nexus3-oss'] }

chrobotm, Jan 24 '20 11:01
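The failed task above returned HTTP 200 with the real outcome buried in a JSON string inside `result`. The following is an added example, not part of the original post or the role's code, showing how to pull the per-blobstore failures out of such a response; the sample body is constructed from the output above, assuming the inner string was JSON-escaped on the wire, and the function name is hypothetical.

```python
import json

# Constructed sample: the script-run response body from the failed task,
# with the inner "result" string JSON-escaped (assumption: the escaping
# was lost when the output was pasted).
SAMPLE_RESPONSE = json.dumps({
    "name": "create_blobstores_from_list",
    "result": json.dumps({
        "changed": False,
        "error": True,
        "action_details": [{
            "name": "s3-blobstore",
            "type": "S3",
            "status": "error",
            "error_msg": "org.sonatype.nexus.rest.ValidationErrorsException: "
                         "Blob store groups are not enabled",
        }],
    }),
})


def failed_actions(response_body):
    """Return the per-item failures reported inside a script-run response.

    The HTTP status is 200 even though the script reported an error, so the
    outcome has to be read from the JSON document nested in "result".
    """
    outer = json.loads(response_body)
    raw = outer.get("result")
    if not isinstance(raw, str):
        raise ValueError("response has no 'result' string")
    try:
        inner = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("'result' is not JSON: %s" % exc) from exc
    if not isinstance(inner, dict):
        raise ValueError("'result' is not a JSON object")
    failures = [d for d in inner.get("action_details", [])
                if d.get("status") == "error"]
    if inner.get("error") and not failures:
        # Error flagged without per-item detail: surface the raw result.
        failures.append({"name": outer.get("name"), "error_msg": raw})
    return failures


if __name__ == "__main__":
    for item in failed_actions(SAMPLE_RESPONSE):
        print("%s (%s): %s" % (item["name"], item.get("type", "?"), item["error_msg"]))
```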

I don't see your accessKeyId nor secretAccessKey: in your vars for the blobstore definition as shown in the documentation.

Please also note that S3 is provided as a convenience (from PRs I got from users), not tested on CI and I have absolutely no way of testing it myself. Try again with the correct settings and tell me if it changed something.

zeitounator, Jan 24 '20 22:01

AccessKeyId and SecretAccessKey are optional when the server is hosted in AWS, as the credentials come from the role attached to the EC2 instance. If this was an authentication issue I'd expect an AccessDenied error; however, the error is "Blob store groups are not enabled", which is a pro feature, and I'm using the OSS (free) version. For some reason the ansible role is trying to create blob store groups, which isn't necessary and not specified in the playbook.

chrobotm, Jan 25 '20 09:01

We use the blobstore.createS3BlobStore() groovy api function for this. After digging a little, it turns out that the internal implementation has changed and is forcing the "Group" parameter to be set... See function in version 3.19 and now

I'll see what I can try but I don't want to promise anything. For the time being, the only workaround I can propose you to test is:

  1. run the role skipping provisioning
  2. create the blobstore(s) manually with the exact same name as in your playbook config
  3. run the role again normally. Since blobstores are immutable, it will skip creation and still use the correct one for related repositories.

zeitounator, Jan 26 '20 13:01

I cannot test this myself at the moment. Anyone willing to dig into this and submit a PR?

zeitounator, Apr 07 '20 15:04

@zeitounator for testing S3 without having an S3 account, Localstack can help. I've used it in the past to get a more real integration test without needing to deploy to AWS. Coupled along with Testcontainers it works pretty well locally and in a CI pipeline.

https://github.com/localstack/localstack
https://www.testcontainers.org/modules/localstack/

AlexeiZenin, Apr 23 '21 18:04

Closing this as there has been no interaction for over 2 years. Adding this to the current CI is not on my schedule as it will probably not fit in any free CI plan anyway.

zeitounator, Dec 16 '23 13:12