I need some help in understanding how the CredentialsSnapshotTaker works to pass a credential to an agent. I’m trying to update the hashicorp-vault-plugin to use credential snapshots to prevent access from agents, but SCM checkouts aren't working correctly and I can't tell why. You can look at my PR to see the change being made.
Most of the credentials work successfully, but attempting to use the implementation of the 'SSH username with private key' or 'Username and Password' with the SCM checkout and git checkout steps will fail (see below for examples and the stack trace). However, you can use the SSH key with the sshagent step, and you can use the username+password in withCredentials. Looking at the error message and the log messages, the scm and git steps are trying to access the credential from the agent without using a snapshot. Further, after adding in some log messages, it doesn't look like the CredentialsSnapshotTaker classes are ever being invoked. I have looked at other plugins using credential snapshots, including a similar change to the azure-keyvault plugin, which I assume works as intended, and I don't see what would make my changes different.
Can anyone provide information on how the CredentialsSnapshotTaker system is supposed to be used or what is different about the checkout steps compared to withCredentials?
This is being run with everything at the latest version:
The following pipeline will perform a checkout without issue:
sshagent(['my-ssh-key']) {
    sh 'git clone git@my-repo'
}
However, the following step will cause a stack trace:
git branch: 'master', credentialsId: 'my-ssh-key', url: 'git@my-repo'
java.lang.IllegalStateException: Jenkins.instance is missing. Read the documentation of Jenkins.getInstanceOrNull to see what you are doing wrong.
at jenkins.model.Jenkins.get(Jenkins.java:808)
at com.datapipe.jenkins.vault.credentials.common.VaultHelper.getVaultSecret(VaultHelper.java:36)
at com.datapipe.jenkins.vault.credentials.common.VaultHelper.getVaultSecretKey(VaultHelper.java:97)
Also: hudson.remoting.Channel$CallSiteStackTrace: Remote call to agent
at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1784)
at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:356)
at hudson.remoting.Channel.call(Channel.java:1000)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:143)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:129)
at com.sun.proxy.$Proxy85.execute(Unknown Source)
at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:991)
at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1234)
at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1294)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:129)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:97)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:84)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
Caused: java.lang.IllegalStateException
at com.datapipe.jenkins.vault.credentials.common.VaultHelper.getVaultSecretKey(VaultHelper.java:108)
at com.datapipe.jenkins.vault.credentials.common.AbstractVaultBaseStandardCredentials.getVaultSecretKeyValue(AbstractVaultBaseStandardCredentials.java:77)
at com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl.getPrivateKey(VaultSSHUserPrivateKeyImpl.java:112)
at com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl.getPrivateKeys(VaultSSHUserPrivateKeyImpl.java:121)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.createSshKeyFile(CliGitAPIImpl.java:2279)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2022)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:84)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:618)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:158)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:151)
at hudson.remoting.UserRequest.perform(UserRequest.java:211)
at hudson.remoting.UserRequest.perform(UserRequest.java:54)
at hudson.remoting.Request$2.run(Request.java:376)
at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:78)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:121)
at java.base/java.lang.Thread.run(Thread.java:829)
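
The failure in the stack trace above, reduced to a plain-JDK simulation (an added example, not code from the post, the PR or any Jenkins plugin): a credential that looks its secret up lazily through a controller-only singleton breaks once it has been serialized to the agent, while a snapshot taken before sending carries the resolved value. All class and field names are hypothetical stand-ins, and the secret is a constructed value.

```java
import java.io.*;

// Added illustration; every type here is hypothetical and stands in for the
// Jenkins/Vault classes named in the stack trace. Runs on a plain JDK.
public class SnapshotDemo {
    // Stand-in for Jenkins.get(): only populated on the controller.
    static String controllerVault = null;

    interface SshKey extends Serializable { String getPrivateKey(); }

    // Lazy credential: holds only a Vault path and resolves it on every read.
    static class LazyVaultKey implements SshKey {
        final String path;
        LazyVaultKey(String path) { this.path = path; }
        public String getPrivateKey() {
            if (controllerVault == null)
                throw new IllegalStateException("controller instance is missing");
            return controllerVault + ":" + path;
        }
    }

    // Snapshot: the secret is already resolved, nothing to look up later.
    static class SnapshotKey implements SshKey {
        final String key;
        SnapshotKey(String key) { this.key = key; }
        public String getPrivateKey() { return key; }
    }

    // What a snapshot step does: resolve on the controller, return a plain copy.
    static SshKey snapshot(SshKey c) { return new SnapshotKey(c.getPrivateKey()); }

    // Simulates shipping the object to the agent via Java serialization.
    static SshKey sendToAgent(SshKey c) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(c); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (SshKey) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        controllerVault = "constructed-secret";       // running on the controller
        SshKey lazy = new LazyVaultKey("kv/my-ssh-key");
        SshKey rawCopy = sendToAgent(lazy);           // sent without a snapshot
        SshKey snapCopy = sendToAgent(snapshot(lazy)); // snapshot taken first
        controllerVault = null;                       // from here on: the agent side
        System.out.println("snapshot on agent: " + snapCopy.getPrivateKey());
        try { rawCopy.getPrivateKey(); }
        catch (IllegalStateException e) { System.out.println("lazy on agent: " + e.getMessage()); }
    }
}
```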