
Add ability to access encrypted templates in S3 bucket through cfnUpdate

Open mdforbes500 opened this issue 4 years ago • 3 comments

Description

I'm trying to use cfnUpdate in Jenkins with a template on a KMS-encrypted S3 bucket. Every time that I try to update the stack, I get this output from Jenkins:

Found 1 stacks in result
Found stackName=[redacted] stackId=[redacted] status=CREATE_COMPLETE statusReason=[redacted] in result
Failed to update CloudFormation stack [redacted]
S3 error: Access Denied
For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: [redacted])

In troubleshooting this I found:

  • template URL is correct
  • BucketPolicy does not deny the Jenkins IAM user any permissions
  • IAM permissions allow full S3, KMS, and CFN actions on all resources within the bucket for Jenkins
  • KMS key allows Jenkins to decrypt objects in bucket

This led me to the conclusion that cfnUpdate is trying to GET the template over HTTPS, and thus is not able to decrypt the objects within the bucket, resulting in the ValidationError from CloudFormation and the S3 Access Denied.

How I was doing this before was through an aws cloudformation deploy command, which worked. It would be really neat if I could use this plugin to use templates on an encrypted S3 bucket. Is there currently any functionality for this, and if not, could you add it?

Environment

Jenkins-Version: v. 2.229

Java-Version: v. 1.8.0_242-b08

Plugin-Version: v. 1.41

Master/Slave Setup: No master/slave, just an ECS node.

mdforbes500, May 05 '20 17:05

Can you try allowing the IAM role to encrypt files using this key? It might try to upload a new template.

hoegertn, Jul 30 '20 13:07
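The permission gap hoegertn's reply points at can be checked before touching the pipeline. The script below is an added example, not code from this issue or from pipeline-aws-plugin. It is a deliberately simplified offline IAM evaluator (Allow/Deny statements with Action/Resource wildcards only; no Conditions, NotAction, bucket policies or KMS key policies) run over a constructed identity policy that mirrors the reporter's description: full S3 and CloudFormation, but only kms:Decrypt on the key. The bucket, key and account identifiers are hypothetical. The authoritative check is `aws iam simulate-principal-policy`, which the block prints as a follow-up command.

```python
"""Does the Jenkins principal's identity policy cover an SSE-KMS template?

Added example (not pipeline-aws-plugin code). Simplified IAM evaluation:
explicit Deny wins, otherwise any matching Allow grants; Conditions,
NotAction, resource policies and KMS key policies are ignored.
"""
import fnmatch
import json

# CloudFormation fetches TemplateURL with the caller's credentials, so reading
# an SSE-KMS object needs s3:GetObject plus kms:Decrypt on the bucket key.
READ_ACTIONS = {"s3:GetObject", "kms:Decrypt"}
# If the plugin uploads a template to the encrypted bucket, the writer also
# needs s3:PutObject and kms:GenerateDataKey (S3 wraps each object's data key).
UPLOAD_ACTIONS = {"s3:PutObject", "kms:GenerateDataKey"}

# Constructed sample policy; ARNs are hypothetical.
JENKINS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::example-templates",
                  "arn:aws:s3:::example-templates/*"]},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-1:123456789012:key/*"},
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"}
  ]
}""")
TEMPLATE_ARN = "arn:aws:s3:::example-templates/nested/root.yaml"
KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"
           "11111111-2222-3333-4444-555555555555")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard match: '*' and '?' in patterns, action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def statement_matches(stmt, action, resource):
    """True when the statement names both the action and the resource."""
    return (any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
            and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))


def is_allowed(policy, action, resource):
    """Simplified IAM decision: explicit Deny beats Allow; default is deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_permissions(policy, template_arn, key_arn, upload=False):
    """Sorted list of required actions the policy does not grant."""
    needed = set(READ_ACTIONS) | (set(UPLOAD_ACTIONS) if upload else set())
    targets = {a: (template_arn if a.startswith("s3:") else key_arn) for a in needed}
    return sorted(a for a, r in targets.items() if not is_allowed(policy, a, r))


def simulate_command(principal_arn, template_arn, key_arn):
    """The real check: IAM's policy simulator over the same action set."""
    actions = " ".join(sorted(READ_ACTIONS | UPLOAD_ACTIONS))
    return (f"aws iam simulate-principal-policy --policy-source-arn {principal_arn} "
            f"--action-names {actions} --resource-arns {template_arn} {key_arn}")


if __name__ == "__main__":
    print("missing for read:  ", missing_permissions(JENKINS_POLICY, TEMPLATE_ARN, KEY_ARN))
    print("missing for upload:", missing_permissions(JENKINS_POLICY, TEMPLATE_ARN, KEY_ARN, upload=True))
    print(simulate_command("arn:aws:iam::123456789012:role/jenkins", TEMPLATE_ARN, KEY_ARN))
```

With the constructed policy the read path is fully covered, which is consistent with the reporter's troubleshooting, while the upload path is missing only kms:GenerateDataKey; that is the "allow the role to encrypt with this key" change hoegertn suggests. A Deny statement anywhere in the effective policy set (including the bucket policy and the KMS key policy, which this toy evaluator does not read) would still produce the same Access Denied, so run the simulator command against the actual principal before concluding.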

I'm not sure what you mean. And I think it's because I explained myself poorly before: the files being uploaded to the encrypted S3 bucket are the CloudFormation templates. I'm storing them there because they have nested stacks, and CloudFormation will only execute them from a local source or from an S3 bucket. As I'm working with a team, the bucket is preferable.

So, being able to access the encrypted bucket and execute the CloudFormation templates from the bucket is essential. If I could pass the key used to access the bucket with the cfnUpdate command, then I could access the bucket and update the templates.

mdforbes500, Jul 31 '20 03:07

You do not have to specify keys but you need the permissions to use them. Can you show the pipeline code you use?

hoegertn, Jul 31 '20 06:07