File Credentials stored in AWS cannot be validated #311

Open
daugustus opened this issue Dec 22, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@daugustus

Jenkins and plugins versions report

Environment
Jenkins: 2.401.3
OS: Linux - 3.10.0-1160.90.1.el7.x86_64
Java: 11.0.21 - Red Hat, Inc. (OpenJDK 64-Bit Server VM)
---
ace-editor:1.1
active-directory:2.31
amazon-ecr:1.114.vfd22430621f5
amazon-ecs:1.48
analysis-model-api:11.10.0
anchore-container-scanner:1.0.25
ansicolor:1.0.2
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:159.v25b_c67cd35fb_
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.2.1-1.1
artifactory:3.18.8
authentication-tokens:1.53.v1c90fd9191a_b_
authorize-project:1.7.1
aws-codepipeline:0.46
aws-credentials:218.v1b_e9466ec5da_
aws-java-sdk:1.12.529-406.vdeff15e5817d
aws-java-sdk-cloudformation:1.12.529-406.vdeff15e5817d
aws-java-sdk-codebuild:1.12.529-406.vdeff15e5817d
aws-java-sdk-ec2:1.12.529-406.vdeff15e5817d
aws-java-sdk-ecr:1.12.529-406.vdeff15e5817d
aws-java-sdk-ecs:1.12.529-406.vdeff15e5817d
aws-java-sdk-efs:1.12.529-406.vdeff15e5817d
aws-java-sdk-elasticbeanstalk:1.12.529-406.vdeff15e5817d
aws-java-sdk-iam:1.12.529-406.vdeff15e5817d
aws-java-sdk-kinesis:1.12.529-406.vdeff15e5817d
aws-java-sdk-logs:1.12.529-406.vdeff15e5817d
aws-java-sdk-minimal:1.12.529-406.vdeff15e5817d
aws-java-sdk-secretsmanager:1.12.529-406.vdeff15e5817d
aws-java-sdk-sns:1.12.529-406.vdeff15e5817d
aws-java-sdk-sqs:1.12.529-406.vdeff15e5817d
aws-java-sdk-ssm:1.12.529-406.vdeff15e5817d
aws-secrets-manager-credentials-provider:1.213.vca_3f37306fed
aws-secrets-manager-secret-source:1.72.v61781b_35c542
badge:1.9.1
blueocean:1.27.5
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.27.8
blueocean-commons:1.27.8
blueocean-config:1.27.8
blueocean-core-js:1.27.8
blueocean-dashboard:1.27.8
blueocean-display-url:2.4.2
blueocean-events:1.27.8
blueocean-git-pipeline:1.27.8
blueocean-github-pipeline:1.27.8
blueocean-i18n:1.27.8
blueocean-jira:1.27.8
blueocean-jwt:1.27.8
blueocean-personalization:1.27.8
blueocean-pipeline-api-impl:1.27.8
blueocean-pipeline-editor:1.27.8
blueocean-pipeline-scm-api:1.27.8
blueocean-rest:1.27.8
blueocean-rest-impl:1.27.8
blueocean-web:1.27.8
bootstrap4-api:4.6.0-6
bootstrap5-api:5.3.2-1
bouncycastle-api:2.29
branch-api:2.1128.v717130d4f816
build-name-setter:2.3.0
build-timeout:1.31
build-user-vars-plugin:1.9
build-with-parameters:76.v9382db_f78962
buildtriggerbadge:251.vdf6ef853f3f5
caffeine-api:3.1.8-133.v17b_1ff2e0599
categorized-view:1.12
checks-api:2.0.2
cisco-spark-notifier:1.1.1
cloud-stats:320.v96b_65297a_4b_b_
cloudbees-bitbucket-branch-source:832.v43175a_425ea_6
cloudbees-folder:6.848.ve3b_fd7839a_81
cobertura:1.17
code-coverage-api:4.9.0
command-launcher:106.vb_a_b_8f751309c
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.10.0-78.v3e7b_ea_d5a_fe1
conditional-buildstep:1.4.3
config-file-provider:959.vcff671a_4518b_
configuration-as-code:1700.v6f448841296e
convert-to-pipeline:1.0
copyartifact:714.v28a_34f8c563f
credentials:1293.vff276f713473
credentials-binding:636.v55f1275c7b_27
cucumber-reports:5.7.6
custom-markup-formatter:29.ve5d4614ca_d01
customized-build-message:1.1
dashboard-view:2.495.v07e81500c3f2
data-tables-api:1.13.6-5
display-url-api:2.200.vb_9327d658781
docker-build-publish:1.4.0
docker-commons:439.va_3cb_0a_6a_fb_29
docker-java-api:3.3.1-79.v20b_53427e041
docker-plugin:1.4
docker-workflow:563.vd5d2e5c4007f
durable-task:523.va_a_22cf15d5e0
ec2:2.0.7
echarts-api:5.4.0-6
email-ext:2.102
emailext-template:1.5
embeddable-build-status:412.v09da_db_1dee68
envinject:2.908.v66a_774b_31d93
envinject-api:1.199.v3ce31253ed13
extended-choice-parameter:376.v2e02857547b_a_
extensible-choice-parameter:1.8.1
external-monitor-job:207.v98a_a_37a_85525
extra-columns:1.26
favorite:2.4.3
font-awesome-api:6.4.2-1
forensics-api:2.3.0
gatling:1.3.0
git:5.2.0
git-changelog:3.34
git-client:4.5.0
git-parameter:0.9.19
git-server:99.va_0826a_b_cdfa_d
github:1.37.3
github-api:1.316-451.v15738eef3414
github-branch-source:1741.va_3028eb_9fd21
gitlab-plugin:1.7.16
golang:1.4
google-login:1.7
gradle:2.8.2
groovy-label-assignment:1.2.0
groovy-postbuild:2.5
h2-api:11.1.4.199-12.v9f4244395f7a_
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.32
http_request:1.18
instance-identity:173.va_37c494ec4e5
ionicons-api:56.v1b_1c8c49374e
ivy:2.5
jackson2-api:2.15.3-366.vfe8d1fa_f8c87
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javadoc:243.vb_b_503b_b_45537
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.8-1
jdk-tool:73.vddf737284550
jenkins-design-language:1.27.8
jenkins-jira-issue-updater:1.18
jersey2-api:2.40-1
jira:3.10
jira-steps:2.0.165.v8846cf59f3db
jjwt-api:0.11.5-77.v646c772fddb_0
job-dsl:1.84
jquery:1.12.4-1
jquery3-api:3.7.1-1
jsch:0.2.8-65.v052c39de79b_2
junit:1240.vf9529b_881428
kubernetes:4054.v2da_8e2794884
kubernetes-cli:1.12.0
kubernetes-client-api:6.8.1-224.vd388fca_4db_3b_
kubernetes-credentials:0.11
ldap:694.vc02a_69c9787f
lockable-resources:1185.v0c528656ce04
mailer:463.vedf8358e006b_
markdown-formatter:95.v17a_965e696ee
mask-passwords:173.v6a_077a_291eb_5
matrix-auth:3.2.1
matrix-project:818.v7eb_e657db_924
maven-plugin:3.23
mercurial:1260.vdfb_723cdcc81
metrics:4.2.18-442.v02e107157925
mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_
mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_
node-iterator-api:49.v58a_8b_35f8363
nodejs:1.6.0
nodelabelparameter:1.12.0
notification:1.17
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pagerduty:0.7.1
pam-auth:1.10
parallel-test-executor:418.v24f9a_141d726
parameter-separator:87.va_1816d0b_39d1
parameterized-scheduler:1.2
parameterized-trigger:2.46
performance:928.vdea_0dca_55446
periodicbackup:2.0
pipeline-aws:1.43
pipeline-build-step:505.v5f0844d8d126
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:689.veec561a_dee13
pipeline-input-step:477.v339683a_8d55e
pipeline-maven:1345.va_0ef5530a_5ca_
pipeline-maven-api:1345.va_0ef5530a_5ca_
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2144.v077a_d1928a_40
pipeline-model-definition:2.2144.v077a_d1928a_40
pipeline-model-extensions:2.2144.v077a_d1928a_40
pipeline-rest-api:2.33
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40
pipeline-stage-view:2.33
pipeline-utility-steps:2.16.0
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.6.0
pollscm:1.5
popper-api:1.16.1-3
popper2-api:2.11.6-2
prism-api:1.29.0-8
promoted-builds:892.vd6219fc0a_efb
publish-to-bitbucket:0.4
pubsub-light:1.17
rake:1.8.0
rebuild:320.v5a_0933a_e7d61
resource-disposer:0.23
run-condition:1.6
saml:4.429.v9a_781a_61f1da_
sbt:81.vb_82499046630
scm-api:676.v886669a_199a_a_
script-security:1275.v23895f409fb_d
simple-theme-plugin:160.vb_76454b_67900
slack:664.vc9a_90f8b_c24a_
snakeyaml-api:2.2-111.vc6598e30cc65
sonar:2.15
sse-gateway:1.26
ssh:2.6.1
ssh-agent:333.v878b_53c89511
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.916.vd17b_43357ce4
ssh-steps:2.0.68.va_d21a_12a_6476
sshd:3.312.v1c601b_c83b_0e
stashNotifier:1.28
structs:325.vcb_307d2a_2782
swarm:3.40
throttle-concurrents:2.14
timestamper:1.26
token-macro:384.vf35b_f26814ec
trilead-api:2.84.v72119de229b_7
uno-choice:2.7
variant:59.vf075fe829ccb
warnings-ng:10.4.0
whitesource:21.1.2
workflow-aggregator:596.v8c21c963d92d
workflow-api:1283.v99c10937efcb_
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3802.vd42b_fcf00b_a_c
workflow-durable-task-step:1289.v4d3e7b_01546b_
workflow-job:1326.ve643e00e9220
workflow-multibranch:756.v891d88f2cd46
workflow-remote-loader:1.6
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:865.v43e78cc44e0d
ws-cleanup:0.45
xvfb:1.2

What Operating System are you using (both controller, and any agents involved in the problem)?

Centos 7

Reproduction steps

Here is my simple pipeline to compare 2 secrets - the first is stored in System Credentials, the second in AWS Secrets:

    pipeline {
        agent any

        environment {
            // Both IDs resolve to secret-file credentials bound as temp file paths
            localCred = credentials('localSecret')
            awsCred = credentials('awsSecret')
        }

        stages {
            stage('Compare Secrets') {
                steps {
                    // Secret file stored in System Credentials
                    sh '''
                        echo "This is the directory of the secret file $localCred"
                        echo "This is the content of the file `cat $localCred`"
                    '''

                    // Secret file stored in AWS Secrets Manager
                    sh '''
                        echo "This is the directory of the secret file $awsCred"
                        echo "This is the content of the file `cat $awsCred`"
                    '''
                }
            }
        }
    }

Expected Results

I expected the values to be printed to the screen for comparison.

Actual Results

Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 05ed4db4-fbf3-49d5-930c-a20197c59230
java.lang.NullPointerException
at io.jenkins.plugins.credentials.secretsmanager.factory.file.AwsFileCredentials.getContent(AwsFileCredentials.java:40)
at org.jenkinsci.plugins.credentialsbinding.impl.FileBinding.write(FileBinding.java:54)
at org.jenkinsci.plugins.credentialsbinding.impl.FileBinding.write(FileBinding.java:42)
at org.jenkinsci.plugins.credentialsbinding.impl.AbstractOnDiskBinding.bindSingle(AbstractOnDiskBinding.java:38)
at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:149)
at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:132)
at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Finished: FAILURE

Anything else?

No response

Are you interested in contributing a fix?

No response

@daugustus daugustus added the bug Something isn't working label Dec 22, 2023
@daugustus
Author

This use-case comes into play when migrating to AWS secrets for credential storage.

@chriskilding
Contributor

Could you let me know how you uploaded the file credential to Secrets Manager? Also, did you upload it in binary format? (This is very important for the file credential type to work; if you upload the secret as a string, Jenkins can't parse it.)

@daugustus
Author

Your question about uploading a binary file got me to do some digging. My previous method of configuring Jenkins used custom Groovy scripts like this - https://github.com/odavid/my-bloody-jenkins/blob/master/config-handlers/CredsConfig.groovy#L116 - which required me to supply strings only. By using AWS Secrets instead via this plugin, I should use aws secretsmanager create-secret --name "mysecretname" --description "mydescription" --secret-binary fileb:///Path/FileName instead.

I cannot seem to find a simple way to convert a string to a blob using the Linux CLI with Java or JavaScript. Any suggestions you have on that are appreciated. Unless I can determine that method, I will see about just using string credentials directly which are simpler to troubleshoot and maintain.

Thanks Chris!
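
The string-to-binary upload discussed in this thread, as an added POSIX shell example (not code from the thread or from the plugin): it stores a string as `SecretBinary`, reports whether an existing secret is binary or string, and compares two bound secret files without printing them. The `AWS_CLI` variable and the function names are assumptions introduced here; the `jenkins:credentials:type=file` tag follows the plugin's documented convention for file credentials.

```sh
#!/bin/sh
# Added example, not the plugin's code. AWS_CLI is an assumption so the
# command can be swapped out; it defaults to the real `aws` binary.
AWS_CLI="${AWS_CLI:-aws}"

# Read a value on stdin and store its raw bytes as SecretBinary.
# The temp file (mode 0600 from mktemp) keeps the value off the command line.
put_file_secret() {   # usage: printf '%s' "$VALUE" | put_file_secret NAME
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    rc=0
    "$AWS_CLI" secretsmanager create-secret --name "$1" \
        --secret-binary "fileb://$tmp" \
        --tags 'Key=jenkins:credentials:type,Value=file' || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Print "binary" or "string" for an existing secret. A file credential
# backed by a "string" secret has no SecretBinary for Jenkins to read.
secret_storage_kind() {   # usage: secret_storage_kind SECRET_ID
    bin=$("$AWS_CLI" secretsmanager get-secret-value --secret-id "$1" \
        --query SecretBinary --output text) || return 2
    case "$bin" in
        ''|None) echo string ;;   # the CLI prints None for a missing field
        *)       echo binary ;;
    esac
}

# Compare two bound secret files byte for byte without echoing either one
# into the build log (exit status 0 means identical).
secrets_match() {   # usage: secrets_match "$localCred" "$awsCred"
    cmp -s "$1" "$2"
}
```

Inside the pipeline's `sh` step, the same `cmp -s "$localCred" "$awsCred"` call gives a pass/fail comparison of the two credentials while keeping their contents out of the console output.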
