aws-secrets-manager-credentials-provider-plugin
SSH Keys not working with sshagent
Jenkins and plugins versions report
Environment
Jenkins: 2.303.3
OS: Linux - 4.9.0-12-amd64
Java: 11.0.13 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
Parameterized-Remote-Trigger:3.1.5.1
ace-editor:1.1
allure-jenkins-plugin:2.30.3
analysis-model-api:10.8.0
ansicolor:1.0.1
ant:1.12
antisamy-markup-formatter:2.4
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-cloudformation:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-codebuild:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ec2:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ecr:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ecs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-efs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-elasticbeanstalk:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-iam:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-logs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-minimal:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-sns:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-sqs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ssm:1.12.287-357.vf82d85a_6eefd
aws-secrets-manager-credentials-provider:0.5.6
aws-secrets-manager-secret-source:0.0.1
blueocean:1.25.8
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.8
blueocean-commons:1.25.8
blueocean-config:1.25.8
blueocean-core-js:1.25.8
blueocean-dashboard:1.25.8
blueocean-display-url:2.4.1
blueocean-events:1.25.8
blueocean-git-pipeline:1.25.8
blueocean-github-pipeline:1.25.8
blueocean-i18n:1.25.8
blueocean-jwt:1.25.8
blueocean-personalization:1.25.8
blueocean-pipeline-api-impl:1.25.8
blueocean-pipeline-editor:1.25.8
blueocean-pipeline-scm-api:1.25.8
blueocean-rest:1.25.8
blueocean-rest-impl:1.25.8
blueocean-web:1.25.8
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-2
bouncycastle-api:2.25
branch-api:2.7.0
browserstack-integration:1.2.5
build-history-manager:1.4.0
build-keeper-plugin:1.3
build-name-setter:2.2.0
build-timestamp:1.0.3
build-with-parameters:1.6
built-on-column:1.1
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.2
cloudbees-bitbucket-branch-source:784.v7fcdc7c670f6
cloudbees-folder:6.16
command-launcher:1.6
conditional-buildstep:1.4.1
config-file-provider:3.8.1
configuration-as-code:1512.vb_79d418d5fc8
credentials:2.6.1.1
credentials-binding:1.27.1
data-tables-api:1.11.3-4
display-url-api:2.3.5
docker-commons:1.21
docker-java-api:3.2.13-37.vf3411c9828b9
docker-plugin:1.2.10
docker-workflow:1.28
durable-task:501.ve5d4fc08b0be
echarts-api:5.2.2-1
email-ext:2.85
envinject:2.4.0
envinject-api:1.8
extended-choice-parameter:0.82
external-monitor-job:1.7
favorite:2.3.3.1
font-awesome-api:5.15.4-1
forensics-api:1.6.0
gatling:1.3.0
git:4.11.5
git-client:3.11.2
git-parameter:0.9.13
git-server:1.10
github:1.34.3.1
github-api:1.303-400.v35c2d8258028
github-branch-source:2.11.4
gradle:1.37.1
greenballs:1.15.1
h2-api:1.4.199
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.28
http_request:1.12
jackson2-api:2.13.3-285.vc03c0256d517
jacoco:3.3.0
javadoc:1.6
javax-activation-api:1.2.0-3
javax-mail-api:1.6.2-6
jaxb:2.3.6-1
jdk-tool:1.5
jenkins-design-language:1.25.8
jenkins-multijob-plugin:1.36
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.78.1
jobConfigHistory:2.28.1
jobcacher:264.vb_f4770b_79801
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes:1.30.10
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
ldap:2.7
lockable-resources:2.12
mailer:414.vcc4c33714601
mask-passwords:3.0
matrix-auth:2.6.8
matrix-project:772.v494f19991984
maven-plugin:3.15.1
metrics:4.0.2.8
momentjs:1.1.1
multibranch-build-strategy-extension:1.0.10
okhttp-api:4.9.3-108.v0feda04578cf
pam-auth:1.6.1
parameterized-scheduler:1.0
parameterized-trigger:2.44
pipeline-build-step:2.15
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-maven:3.10.0
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.8
plugin-util-api:2.16.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
pubsub-light:1.16
purge-build-queue-plugin:1.0
rebuild:1.32
resource-disposer:0.20
reverse-proxy-auth-plugin:1.7.1
run-condition:1.5
scm-api:608.vfa_f971c5a_a_e9
script-security:1138.v8e727069a_025
simple-theme-plugin:0.7
slack:2.48
snakeyaml-api:1.31-84.ve43da_fb_49d0b
sonar:2.14
sonar-quality-gates:1.3.1
sse-gateway:1.25
ssh-agent:295.v9ca_a_1c7cc3a_a_
ssh-credentials:277.v95c2fec1c047
ssh-slaves:1.806.v2253cedd3295
sshd:3.1.0
structs:324.va_f5d6774f3a_d
timestamper:1.14
token-macro:308.v4f2b_ed62b_b_16
trilead-api:1.0.13
uno-choice:2.6.1
variant:1.4
warnings-ng:9.7.0
webhook-step:80.v6737a5fd857b
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:1153.vb_912c0e47fb_a_
workflow-basic-steps:2.24
workflow-cps:2633.v6baeedc13805
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.40
workflow-job:1145.v7f2433caa07f
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:813.vb_d7c3d2984a_0
ws-cleanup:0.43
What Operating System are you using (both controller, and any agents involved in the problem)?
Jenkins running on Docker
Reproduction steps
- Create an SSH Key credential "locally" on Jenkins by manually creating a credential and copy/pasting the secret key and username: Jenkins > Manage Jenkins > Credential > Add credential
- Using the Secrets Manager plugin, load a previously uploaded SSH Key credential from AWS Secrets Manager
- Make sure both keys are added to GitHub and have the correct permissions on the repo being tested
- Test with the pipeline below for a GitHub repository:
    pipeline {
        agent any
        environment {
            // The key below is manually entered in Jenkins
            CREDENTIALS_ID_LOCAL = "xx-yy-zz"
            // This one below is imported via AWS Secret Manager plugin
            CREDENTIALS_ID_AWS = "global/dashboard/jenkins/dahboard_jenkins_ssh_key_api_eng_user"
        }
        stages {
            stage('this step works') {
                steps {
                    sshagent(credentials: [CREDENTIALS_ID_LOCAL]) {
                        script {
                            sh(returnStdout: true, script: 'git fetch')
                        }
                    }
                }
            }
            stage('this one does not') {
                steps {
                    sshagent(credentials: [CREDENTIALS_ID_AWS]) {
                        script {
                            sh(returnStdout: true, script: 'git fetch')
                        }
                    }
                }
            }
        }
    }
Expected Results
Both steps should successfully execute the git fetch. The first stage works, but the second does not.
Actual Results
During the second step, we get the below message:
[ssh-agent] Using credentials EDITED-BUT -THIS-SHOWS-THE-CORRECT-SECRET-NAME
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-QHrN9yoaNjpv/agent.8848
SSH_AGENT_PID=8851
Running ssh-add (command line suppressed)
Error loading key "/var/jenkins_home/workspace/folder_location_edited@tmp/private_key_2322035249091043671.key": invalid format
Anything else?
No response
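The report above ends at ssh-add rejecting the temporary key file with `invalid format` and does not identify a cause. The script below is an added example, not part of the issue or the plugin: a hypothetical `check_key_file` helper that tests a key file for structural problems (CRLF line endings, line breaks stored as backslash-n text, a missing final newline, collapsed lines). These checks are assumptions about possible causes, and the sample files are constructed with a placeholder body.

```shell
#!/bin/sh
# Added example (not from the issue): structural checks on a private key file
# like the temporary private_key_*.key that sshagent hands to ssh-add.
# check_key_file is a hypothetical helper: it prints one finding per line and
# returns non-zero if any check fails.
check_key_file() {
    f=$1; problems=0
    first=$(head -n 1 "$f" | tr -d '\r')
    last=$(tail -n 1 "$f" | tr -d '\r')
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) printf '%s\n' "first line is not a BEGIN ... PRIVATE KEY marker"; problems=1 ;;
    esac
    case $last in
        "-----END "*"PRIVATE KEY-----") ;;
        *) printf '%s\n' "last line is not an END ... PRIVATE KEY marker"; problems=1 ;;
    esac
    if grep -q '\\n' "$f"; then
        printf '%s\n' "line breaks stored as backslash-n text"; problems=1
    fi
    if grep -q "$(printf '\r')" "$f"; then
        printf '%s\n' "CR characters (CRLF line endings) found"; problems=1
    fi
    if [ "$(grep -c '' "$f")" -lt 3 ]; then
        printf '%s\n' "markers and body are not on separate lines"; problems=1
    fi
    if [ -n "$(tail -c 1 "$f")" ]; then
        printf '%s\n' "no trailing newline after END marker"; problems=1
    fi
    return $problems
}

# Constructed samples: placeholder base64 body, not a real key.
B='-----BEGIN OPENSSH PRIVATE KEY-----'; M='QUJDREVGR0g='; E='-----END OPENSSH PRIVATE KEY-----'
make_samples() {   # writes the sample files into directory $1
    printf '%s\n'         "$B" "$M" "$E" > "$1/ok.key"
    printf '%s\r\n'       "$B" "$M" "$E" > "$1/crlf.key"
    printf '%s\\n%s\\n%s' "$B" "$M" "$E" > "$1/escaped.key"
    printf '%s\n%s\n%s'   "$B" "$M" "$E" > "$1/no_eol.key"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for k in ok crlf escaped no_eol; do
    printf '== %s\n' "$k"
    check_key_file "$tmp/$k.key" || true
done
```

The helper only reports on structure and never prints key material, so its output is safe to leave in a build log. Running `ssh-keygen -y -f` on the same file shows whether OpenSSH itself can parse the key.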