4.aws
Jenkins Assume Role

✅ STEP 1 — Create the role common-jenkins-assumable-role

1️⃣ Create trust policy file (who can assume the role)

📄 trust-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACC-ID:user/admin"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2️⃣ Create the role (THIS CREATES THE ROLE)

aws iam create-role \
  --profile 81 \
  --role-name common-jenkins-assumable-role \
  --assume-role-policy-document file://trust-policy.json

✅ At this point the role exists.

Verify:

aws iam get-role \
  --profile 81 \
  --role-name common-jenkins-assumable-role

✅ STEP 2 — Attach permissions to the role (what Jenkins can do)

📄 common-jenkins-assumable-role-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:*",
        "rds:*",
        "firehose:*",
        "logs:*",
        "backup:*",
        "sqs:*",
        "autoscaling:*",
        "cloudfront:*",
        "secretsmanager:*",
        "ses:*",
        "kms:*",
        "grafana:*",
        "sagemaker:*",
        "cur:*",
        "kinesis:*",
        "tag:*",
        "events:*",
        "elasticfilesystem:*",
        "sns:*",
        "s3:*",
        "apigateway:*",
        "route53:ChangeResourceRecordSets",
        "cloudformation:*",
        "elasticloadbalancing:*",
        "iam:*",
        "es:*",
        "sts:AssumeRole",
        "sso:*",
        "cloudwatch:*",
        "memorydb:*",
        "ssm:*",
        "lambda:*",
        "ec2:*",
        "ecr:*",
        "eks:*",
        "elasticache:*",
        "acm:*",
        "codeartifact:*",
        "organizations:*"
      ],
      "Resource": "*"
    }
  ]
}

Note before attaching: this is effectively full account admin. `iam:*`, `organizations:*`, `sso:*` and `sts:AssumeRole` on `"Resource": "*"` let the role attach any policy to itself or assume any role that trusts it, so the rest of the action list does not actually bound what Jenkins can do. It gets the job unblocked; scope it down to the services and resources the pipelines really touch once they are running.

Attach it:

aws iam put-role-policy \
  --profile 81 \
  --role-name common-jenkins-assumable-role \
  --policy-name common-jenkins-assumable-role-policy \
  --policy-document file://common-jenkins-assumable-role-policy.json

✅ STEP 3 — (You already did) Allow admin to assume the role

You already ran this, which is correct ✅

aws iam put-user-policy \
  --profile 81 \
  --user-name admin \
  --policy-name AllowAssumeCommonJenkinsRole \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACC-ID:role/common-jenkins-assumable-role"
    }]
  }'

Verify (`list-user-policies` shows only the policy names; `get-user-policy` with the same `--user-name` and `--policy-name` prints the document itself):

aws iam list-user-policies \
  --profile 81 \
  --user-name admin

✅ STEP 4 — FINAL TEST (before Jenkins)

Run from CLI first:

aws sts assume-role \
  --profile 81 \
  --role-arn arn:aws:iam::ACC-ID:role/common-jenkins-assumable-role \
  --role-session-name admin-test

✅ If this works → Jenkins will work, provided the Jenkins credential `jenkins-base-creds` holds access keys for this same `admin` user. Confirm which principal profile 81 actually is with `aws sts get-caller-identity --profile 81` before drawing that conclusion. The `assume-role` output contains temporary credentials (`AccessKeyId`, `SecretAccessKey`, `SessionToken`); exporting them as `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` and running `aws sts get-caller-identity` again shows the `assumed-role` ARN the session will carry.

❌ If this fails with AccessDenied → one of three things is wrong: the trust policy does not name the calling user, the STEP 3 user policy is missing, or profile 81 is not the `admin` user.
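Before running the STEP 1 to STEP 3 commands it is worth reviewing the three policy documents offline. The script below is an added example, not part of the original page and not an AWS or Jenkins tool: it loads constructed copies of the trust policy, a shortened excerpt of the role permission policy, and the admin user's AssumeRole grant, and flags what a reviewer would ask about (wildcard or account-root trust principals, `<service>:*` actions, escalation actions such as `iam:*` on `Resource "*"`, and an AssumeRole grant that is not pinned to one role ARN). `ACC-ID` is kept as the page's placeholder; no AWS API is called.

```python
"""Offline pre-apply review of the IAM documents used in Steps 1-3.

Added example, not from the original page or any AWS tooling. It needs no
credentials: it only inspects the JSON documents before they are applied with
`aws iam create-role` / `put-role-policy` / `put-user-policy`.
"""
import json

# Constructed copy of trust-policy.json; ACC-ID is left as the placeholder.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::ACC-ID:user/admin"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Shortened, constructed excerpt of common-jenkins-assumable-role-policy.json:
# five of the original actions are enough to reproduce the findings.
ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*", "iam:*", "sts:AssumeRole",
               "route53:ChangeResourceRecordSets", "organizations:*"],
    "Resource": "*"
  }]
}""")

# Constructed copy of the STEP 3 user policy (AllowAssumeCommonJenkinsRole).
ASSUME_GRANT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::ACC-ID:role/common-jenkins-assumable-role"
  }]
}""")

# Actions that, when allowed on Resource "*", let the role grant itself any
# other permission (attach policies, create access keys, chain into other
# roles), so the remaining action list no longer bounds what it can do.
ESCALATION_ACTIONS = {"*", "iam:*", "sts:*", "sts:AssumeRole", "organizations:*", "sso:*"}


def _as_list(value):
    """IAM allows Action/Resource/Principal to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _allow_statements(doc):
    return [s for s in _as_list(doc["Statement"]) if s.get("Effect") == "Allow"]


def review_trust_policy(doc):
    """Who may assume the role. Returns a list of finding strings (empty = ok)."""
    findings = []
    for st in _allow_statements(doc):
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append("trust: wildcard principal, any caller allowed sts:AssumeRole can assume")
            elif arn.endswith(":root"):
                findings.append(f"trust: account root {arn}, so that account's identity policies decide who assumes")
    return findings


def review_permissions(doc):
    """What the role may do: escalation actions on '*' and per-service wildcards."""
    escalation, wildcards = [], []
    for st in _allow_statements(doc):
        on_everything = "*" in _as_list(st.get("Resource", []))
        for action in _as_list(st.get("Action", [])):
            if on_everything and action in ESCALATION_ACTIONS:
                escalation.append(action)
            service, _, verb = action.partition(":")
            if action != "*" and verb == "*":
                wildcards.append(service)
    return {"escalation": escalation, "service_wildcards": wildcards}


def is_effectively_admin(doc):
    """True when an escalation action is allowed on Resource '*'."""
    return bool(review_permissions(doc)["escalation"])


def review_assume_grant(doc):
    """The user's sts:AssumeRole grant should name one role ARN, not '*'."""
    findings = []
    for st in _allow_statements(doc):
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        for res in _as_list(st.get("Resource", [])):
            if not res.startswith("arn:aws:iam::") or ":role/" not in res:
                findings.append(f"assume grant: resource {res!r} is not a specific role ARN")
    return findings


if __name__ == "__main__":
    print("trust policy:", review_trust_policy(TRUST_POLICY) or "ok")
    print("role permissions:", review_permissions(ROLE_POLICY))
    print("effectively admin:", is_effectively_admin(ROLE_POLICY))
    print("assume grant:", review_assume_grant(ASSUME_GRANT) or "ok")
```

Run it against the real files by replacing the embedded constants with `json.load(open("trust-policy.json"))` and friends. On the page's own documents the trust policy and the STEP 3 grant come back clean, while the role policy is reported as effectively admin because of `iam:*`, `sts:AssumeRole` and `organizations:*` on `*`.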


✅ STEP 5 — Jenkins is already correct

withAWS(
  credentials: 'jenkins-base-creds',
  role: 'common-jenkins-assumable-role',
  roleAccount: 'ACC-ID',
  region: 'us-east-1'
) {
    sh 'aws sts get-caller-identity'
}

Expected: the `Arn` field of the output is an assumed-role ARN for this role, of the form

arn:aws:sts::ACC-ID:assumed-role/common-jenkins-assumable-role/jenkins

(the last path segment is the role session name the plugin sets).

🧠 TL;DR (important)

  • ❌ Role did NOT exist → everything failed
  • ✅ Now you create role
  • ✅ Add trust
  • ✅ Add permissions
  • ✅ Allow admin to assume
  • ✅ Jenkins will work