check existing IAM role permissions rather than enforcing the use of an AWS key ID and secret

[luisamador]

I have a Jenkins EC2 instance with an IAM role attached to it that has full SQS access. However the CodeCommit Trigger Plugin is forcing me to specify an AWS Key ID and Secret to authenticate against the AWS SQS that I set up. It would be nice if the plugin could somehow check the existing IAM role permissions rather than forcing me to use an AWS key ID and secret when the actual instance already has permissions to access SQS.

[ronaldtse]

@luisamador thanks for the post! Just to clarify that in your case, the Jenkins EC2 master instance itself has the IAM role attached with full access to SQS.

While for the Jenkins master we could detect if the instance has access to an SQS queue (it also depends on which SQS queues it may eventually use), but as you might be aware of, jobs (and this plugin) can also be performed on Jenkins slaves.

There are two types of slaves, (1) ones launched by Jenkins and therefore configurable by Jenkins (2) ones launched separately from Jenkins. For the first type, we could ensure that they are launched with a proper role. But for the second type, it is difficult to do so.

@phuonghuynh is this correct or is there anything we can do here?

[luisamador]

@ronaldtse In my case there aren't any Jenkins slaves involved. Thank you.

…

On Tue, 3 Apr 2018, 23:57 Ronald Tse, ***@***.***> wrote: @luisamador <https://github.com/luisamador> thanks for the post! Just to clarify that in your case, the Jenkins EC2 master instance itself has the IAM role attached with full access to SQS. While for the Jenkins master we could detect if the instance has access to an SQS queue (it also depends on which SQS queues it may eventually use), but as you might be aware of, jobs (and this plugin) can also be performed on Jenkins slaves. There are two types of slaves, (1) ones launched by Jenkins and therefore configurable by Jenkins (2) ones launched separately from Jenkins. For the first type, we could ensure that they are launched with a proper role. But for the second type, it is difficult to do so. @phuonghuynh <https://github.com/phuonghuynh> is this correct or is there anything we can do here? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#51 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ARXWjGFAnZOMOYoNAsw3cdBZBP3YAIQ_ks5tk_5QgaJpZM4TFx-l> .

[phuonghuynh]

@luisamador thanks for your great suggestion, label "enhancement" added and this issue will be resolved soon.