
[#375] Allow cross-account AWS IAM role assumption into opt-in regions #376

Open

choopka wants to merge 1 commit into jenkinsci:master from choopka:Feature_Adding_authRegion_for_IAM_Authentication

Conversation


@choopka choopka commented Mar 3, 2025

Added authRegion drop-down list-box & variable to allow explicitly stating the region for authenticating with AWS IAM. This will address Issue #375 by permitting authentication with a region that is opted-in in the source AWS account, while accessing ECS clusters in an opt-in region in the target account (which is not opted-in for the source account).

The solution was adding an authRegion list-box to choose the region used for IAM authentication, which is stored in an authRegion variable. This box works in exactly the same manner as the regionName variable box, but by separating them it is now possible to authenticate with AWS IAM in region A while using ECS clusters in region B.

Testing done by:

  1. Adding authRegion to the fields in the automated test
  2. Installing the plugin and running it on a local installation of LTS Jenkins Controller (see attached screenshot)
     (attached screenshot: ecs_cloud_screenshot)
  3. Successfully viewing and running ECS agents on ECS clusters in an opted-in region in the target account (which is not opted-in for the Jenkins Controller account), using IAM assume-role for access to the clusters.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes - none found
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue
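What the description above relies on, shown as an added example in the AWS SDK for Java v1 (the SDK the plugin's `RegionUtils` and `Regions` calls come from); this is not code from the PR or the plugin. The STS client is built against `authRegion`, a region the source (controller) account has enabled, and the ECS client against `regionName`, the target account's opt-in region. The class name, role session name, role ARN, region values and the static credentials are hypothetical placeholders.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.ecs.AmazonECS;
import com.amazonaws.services.ecs.AmazonECSClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

/**
 * Added example, not plugin code: authenticate (STS AssumeRole) in one region,
 * use ECS in another. Keeping the two regions separate is what lets a controller
 * account reach an opt-in region it has not itself enabled.
 */
public class CrossRegionAssumeRoleExample {

    /**
     * Assume the target-account role through the regional STS endpoint of authRegion.
     * Credentials from a regional STS endpoint are valid in every region, including
     * opt-in ones; the legacy global endpoint's tokens are not, by default.
     * authRegion must be enabled in the calling (source) account, otherwise the
     * STS request itself fails, which is what happens when authRegion is forced
     * to equal an opt-in regionName the source account has not enabled.
     */
    public static AWSCredentialsProvider assumeRoleIn(AWSCredentialsProvider source,
                                                      String authRegion,
                                                      String assumedRoleArn) {
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(authRegion)
                .withCredentials(source)
                .build();
        // "jenkins-ecs" is a hypothetical role session name; it shows up in CloudTrail.
        return new STSAssumeRoleSessionCredentialsProvider.Builder(assumedRoleArn, "jenkins-ecs")
                .withStsClient(sts)
                .build();
    }

    /** ECS client for the region where the clusters actually live. */
    public static AmazonECS ecsClientFor(AWSCredentialsProvider assumedRole, String regionName) {
        return AmazonECSClientBuilder.standard()
                .withRegion(regionName)
                .withCredentials(assumedRole)
                .build();
    }

    public static void main(String[] args) {
        // Hypothetical values; a plugin would read these from the Jenkins credential store
        // and the cloud configuration instead of hard-coding them.
        AWSCredentialsProvider source = new AWSStaticCredentialsProvider(
                new BasicAWSCredentials("AKIAEXAMPLE", "secretExample"));
        String authRegion = "eu-west-1";   // enabled in the controller's account
        String regionName = "eu-south-1";  // opt-in region, enabled only in the target account
        String roleArn = "arn:aws:iam::111122223333:role/JenkinsEcsAgentRole"; // hypothetical

        AWSCredentialsProvider assumed = assumeRoleIn(source, authRegion, roleArn);
        AmazonECS ecs = ecsClientFor(assumed, regionName);
        ecs.listClusters().getClusterArns().forEach(System.out::println);
    }
}
```

The role in the target account still needs a trust policy that names the controller's principal; the region split only fixes where the STS call and the resulting tokens are valid, not who is allowed to assume the role.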

… opt-in regions

Added authRegion drop-down list-box & variable to allow explicitly
stating the region for authenticating with AWS IAM.
@choopka choopka requested a review from a team as a code owner March 3, 2025 10:40
return RegionUtils.getRegion(regionName);
} else {
return Region.getRegion(Regions.US_EAST_1);
public ListBoxModel doFillAuthRegionItems() {

Check warning: Code scanning / Jenkins Security Scan
Stapler: Missing permission check
Potential missing permission check in ECSCloud#doFillAuthRegionItems

Check warning: Code scanning / Jenkins Security Scan
Stapler: Missing POST/RequirePOST annotation
Potential CSRF vulnerability: If ECSCloud#doFillAuthRegionItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
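Review bot: the new doFillAuthRegionItems has no permission check and no @POST annotation, which is what both scanner warnings above report; add `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` as the first statement and annotate the method with `@POST` so the list-box endpoint is only reachable by administrators submitting the config form. The description says the box "works in exactly the same manner as the regionName variable box", so whatever guard the region-name method ends up with should be applied identically here. Separately, the getter just above falls back to `Region.getRegion(Regions.US_EAST_1)` when no region is set; if that same fallback is reused for the authentication region, document it, because a silent us-east-1 default is precisely the behaviour this PR exists to let administrators override.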
return options;
}

public ListBoxModel doFillRegionNameItems() {

Check warning: Code scanning / Jenkins Security Scan
Stapler: Missing permission check
Potential missing permission check in ECSCloud#doFillRegionNameItems

Check warning: Code scanning / Jenkins Security Scan
Stapler: Missing POST/RequirePOST annotation
Potential CSRF vulnerability: If ECSCloud#doFillRegionNameItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
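Review bot: doFillRegionNameItems carries the same two findings (missing permission check, missing @POST) as the new method; since this change duplicates its pattern for authRegion, fix both in the same commit with the same `checkPermission` call and `@POST` annotation rather than leaving the scanner red on the method the new one is modelled after.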
return options;
}

public ListBoxModel doFillClusterItems(@QueryParameter String credentialsId, @QueryParameter String assumedRoleArn, @QueryParameter String regionName) {

Check warning: Code scanning / Jenkins Security Scan
Stapler: Missing permission check
Potential missing permission check in DescriptorImpl#doFillAuthRegionItems

Check warning: Code scanning / Jenkins Security Scan
Stapler: Missing POST/RequirePOST annotation
Potential CSRF vulnerability: If DescriptorImpl#doFillAuthRegionItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
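Review bot: doFillClusterItems still takes only `credentialsId`, `assumedRoleArn` and `regionName`; if it assumes the role to list clusters, the cluster drop-down will authenticate in regionName instead of the new authRegion, which is exactly the cross-account opt-in case this PR is meant to fix, so add `@QueryParameter String authRegion` and route the STS call through it. The missing permission check and @POST matter more on this method than on the region list-boxes, because it accepts a credentials ID and a role ARN from the request: without a `checkPermission` guard and `@POST`, a crafted GET could make the controller attempt an assume-role with stored credentials against a caller-supplied ARN. Note also that the scanner attributes these two findings to DescriptorImpl#doFillAuthRegionItems while the snippet shows doFillClusterItems; check whether a second doFillAuthRegionItems in a DescriptorImpl needs the same fix.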
@choopka (Author) commented Mar 4, 2025

@Stericson appreciate your input here.

Many thanks!


2 participants