pipeline-aws-plugin
Upgrade aws-sdk version to >=1.11.704 to support IAM roles for Kubernetes Service Account
Description
ecrLogin not logging in to ECR with IAM role assigned to the Kubernetes service account
To use this feature, the aws-sdk has to be >= 1.11.704
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html
Steps to Reproduce
- Install Kubernetes and Pipeline-aws plugins
- Create an IAM role with all the permissions required for the Jenkins slave container
- Create a service account and add annotation
  ```yaml
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::12345678901234:role/jenkins-agents
  ```
- Run the pipeline
```groovy
podTemplate(
    namespace: "namespace",
    serviceAccount: "serviceAccount",
    showRawYaml: false,
    yaml: """
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: "default"
    image: "slaveimage:latest"
    resources:
      limits:
        cpu: 512m
        memory: 800Mi
      requests:
        cpu: 512m
        memory: 800Mi
    tty: true
    env:
    - name: AWS_DEFAULT_REGION
      value: "eu-west-1"
    - name: DOCKER_HOST
      value: 'tcp://localhost:2375'
  - name: "dind"
    image: "dind:latest"
    command:
    - dockerd-entrypoint.sh
    resources:
      limits:
        cpu: 100m
        memory: 500Mi
      requests:
        cpu: 50m
        memory: 500Mi
    securityContext:
      privileged: true
    env:
    - name: DOCKER_TLS_CERTDIR
      value: ''
  securityContext:
    fsGroup: 65534
""",
    envVars: [
        envVar(
            key: 'JENKINS_TUNNEL',
            value: "jenkins:50000"
        )
    ]
) {
    node(POD_LABEL) {
        stage("Not working") {
            container('default') {
                def login = ecrLogin()
                sh "${login}"
            }
        }
        stage("Working") {
            container('default') {
                sh "\$(aws ecr get-login --no-include-email --region eu-west-1)"
            }
        }
    }
}
```
Expected behavior:
Expected the stage "Not working" to use the IAM role arn:aws:iam::12345678901234:role/jenkins-agents for aws ecr-login
Actual behavior:
But it uses the IAM role assigned to the EKS node, whereas the stage "Working" uses the IAM role arn:aws:iam::12345678901234:role/jenkins-agents for aws ecr-login
Environment
Jenkins-Version: 2.204
Java-Version:
Plugin-Version: 1.41
Master/Slave Setup: Yes
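A check for the symptom reported above, as an added example that is not part of the issue or of pipeline-aws-plugin: given the ARN that `sts get-caller-identity` reports for the client under test, it tells whether that client runs as the role from the service-account annotation or as some other identity such as the node role. The function names and the `CALLER_ARN` variable are hypothetical; `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables EKS injects into pods of an annotated service account.

```shell
#!/bin/sh
# Added diagnostic, not part of pipeline-aws-plugin.
# Hypothetical helper names; CALLER_ARN is an assumed input variable.

# Print the account id (5th field of an ARN).
arn_account() { printf '%s\n' "$1" | cut -d: -f5; }

# Print the role name from an IAM role ARN or an STS assumed-role ARN.
arn_role_name() {
  _res=$(printf '%s\n' "$1" | cut -d: -f6-)
  case "$_res" in
    role/*)         printf '%s\n' "${_res##*/}" ;;  # role/[path/]name
    assumed-role/*) _res=${_res#assumed-role/}
                    printf '%s\n' "${_res%%/*}" ;;  # assumed-role/name/session
    *)              return 1 ;;                     # user, root, empty, ...
  esac
}

# Return 0 when the pod carries the web-identity settings and the projected
# token file is readable by the user the container runs as.
irsa_env_ok() {
  [ -n "${AWS_ROLE_ARN:-}" ] &&
  [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] &&
  [ -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]
}

# classify_identity CALLER_ARN EXPECTED_ROLE_ARN
# Prints "service-account-role" when the caller is a session of the expected
# role in the same account, otherwise "other-identity".
classify_identity() {
  _name=$(arn_role_name "$1") || { echo other-identity; return 0; }
  _want=$(arn_role_name "$2") || { echo other-identity; return 0; }
  if [ "$_name" = "$_want" ] &&
     [ "$(arn_account "$1")" = "$(arn_account "$2")" ]; then
    echo service-account-role
  else
    echo other-identity
  fi
}

# In the agent container: CALLER_ARN=<arn seen by the client> sh irsa-check.sh
if [ -n "${CALLER_ARN:-}" ]; then
  irsa_env_ok || echo "warning: web-identity env or token file missing" >&2
  classify_identity "$CALLER_ARN" "${AWS_ROLE_ARN:-}"
fi
```

An `other-identity` result while `irsa_env_ok` succeeds means the pod is configured correctly and the client itself is not picking up the web-identity token.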
Waiting for this too.
Any updates here? We could really use this. 👀
// CC @alexey-pelykh
Any chance of this PR getting merged? Not being able to use the EKS IAM roles for ServiceAccounts is being a major blocker for us being able to use this plugin.
Any chances to get this merged? It blocks us a lot from using service account for Jenkins agents. @hoegertn
Waiting for this too.
The PR did not build. But I can look into it and see if I can upgrade the version.
Please, if it is possible. Thanks!
@hoegertn Sorry for bothering you, did you have a chance to look at this MR?
@hoegertn I would appreciate that PR too :)
@hoegertn any updates? I guess a lot of engineers will appreciate your help with this PR.