
fix: add STS dependency for IRSA credential resolution in EKS#98

Merged
shenxianpeng merged 1 commit into jenkinsci:main from lidiams96:fix/bedrock-irsa-sts-dependency on Feb 17, 2026

Conversation

@lidiams96 (Contributor)

Environment

  • Jenkins Version: 2.479.3 (production EKS deployment)
  • Plugin Version: latest main (after the merge of PR #95, "feat: add AWS Bedrock provider")
  • Java Version: 17
  • Infrastructure: AWS EKS with IRSA (IAM Roles for Service Accounts)

Steps to Reproduce

  1. Deploy Jenkins on AWS EKS with IRSA configured for the Jenkins pod's service account
  2. Install the plugin and configure the Bedrock provider
  3. Click "Test Configuration" or trigger explainError() on a failed build
  4. The plugin uses the EKS node role instead of the pod's service account IAM role

Expected Behavior

The plugin should use the pod's IRSA credentials (via AssumeRoleWithWebIdentity) to authenticate with AWS Bedrock, inheriting the IAM role associated with the Kubernetes service account.

Actual Behavior

```
User: arn:aws:sts::ACCOUNT:assumed-role/prod-eks-node/i-XXXXX is not authorized to perform:
bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-1:ACCOUNT:inference-profile/eu.anthropic.claude-3-5-sonnet-20240620-v1:0
because no identity-based policy allows the bedrock:InvokeModel action
(Service: BedrockRuntime, Status Code: 403)
```

The assumed-role/prod-eks-node in the error shows the plugin is using the EC2 instance metadata (node role) instead of the IRSA credentials.

Root Cause

The langchain4j-bedrock module pulls in software.amazon.awssdk:bedrockruntime but not software.amazon.awssdk:sts. The AWS SDK v2 DefaultCredentialsProvider requires the sts module on the classpath to use StsAssumeRoleWithWebIdentityCredentialsProvider. Without it, the IRSA credential provider is silently skipped and the chain falls through to EC2 instance metadata.

Fix

Add software.amazon.awssdk:sts as an explicit dependency, matching the version pulled transitively by langchain4j-bedrock (2.33.5).

Logs

```
Configuration test failed: API request failed: User: arn:aws:sts::ACCOUNT:assumed-role/prod-eks-node/i-XXXXX
is not authorized to perform: bedrock:InvokeModel on resource:
arn:aws:bedrock:eu-west-1:ACCOUNT:inference-profile/eu.anthropic.claude-3-5-sonnet-20240620-v1:0
because no identity-based policy allows the bedrock:InvokeModel action
(Service: BedrockRuntime, Status Code: 403, Request ID: XXXXX) (SDK Attempt Count: 1)
```

The BedrockProvider uses the AWS SDK DefaultCredentialsProvider chain,
which requires the STS module on the classpath to perform
AssumeRoleWithWebIdentity. Without it, the credential chain silently
skips IRSA and falls back to EC2 instance metadata, causing the
plugin to use the EKS node role instead of the pod's service account
IAM role.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
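A startup check that would have made the fall-through described in this PR visible instead of silent. This is an added illustration, not code from the plugin or the PR; the class `IrsaPreflightCheck` and its method names are hypothetical. The first check needs nothing beyond the core SDK; the second needs the `software.amazon.awssdk:sts` dependency this PR adds, since it asks STS which identity the default chain actually produced and compares it with the role IRSA injected via `AWS_ROLE_ARN`.

```java
import software.amazon.awssdk.services.sts.StsClient;

/**
 * Hypothetical preflight check (not part of the plugin) for the IRSA failure mode:
 * the pod is configured for IRSA, but the default chain quietly used another identity.
 */
public final class IrsaPreflightCheck {

    // Injected into the pod by the EKS pod identity webhook when IRSA is configured.
    private static final String TOKEN_FILE_ENV = "AWS_WEB_IDENTITY_TOKEN_FILE";
    private static final String ROLE_ARN_ENV = "AWS_ROLE_ARN";

    /** True when IRSA env vars are present but the STS module the web-identity provider needs is absent. */
    public static boolean irsaConfiguredWithoutSts() {
        if (System.getenv(TOKEN_FILE_ENV) == null || System.getenv(ROLE_ARN_ENV) == null) {
            return false; // not an IRSA pod; nothing to check
        }
        try {
            Class.forName("software.amazon.awssdk.services.sts.StsClient");
            return false;
        } catch (ClassNotFoundException e) {
            return true;  // chain will skip IRSA and fall through to instance metadata
        }
    }

    /** Role name from an IAM role ARN (role/[path/]NAME) or an STS assumed-role ARN (assumed-role/NAME/SESSION). */
    static String roleNameOf(String arn) {
        int i = arn.indexOf(":assumed-role/");
        if (i >= 0) {
            String rest = arn.substring(i + ":assumed-role/".length());
            int slash = rest.indexOf('/');
            return slash < 0 ? rest : rest.substring(0, slash);
        }
        if (arn.indexOf(":role/") >= 0) {
            return arn.substring(arn.lastIndexOf('/') + 1);
        }
        return null;
    }

    /** Asks STS who the process actually is and compares it with the role IRSA was supposed to provide. */
    public static boolean callerMatchesIrsaRole() {
        String roleArn = System.getenv(ROLE_ARN_ENV);
        if (roleArn == null) {
            return false;
        }
        String expected = roleNameOf(roleArn);
        try (StsClient sts = StsClient.create()) {
            String actual = roleNameOf(sts.getCallerIdentity().arn());
            return expected != null && expected.equals(actual);
        }
    }
}
```

With the error above, `callerMatchesIrsaRole()` returns false because the caller ARN names `prod-eks-node` rather than the service account's role, which is the signal to log at startup rather than discover from a 403 on `bedrock:InvokeModel`.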
lidiams96 requested a review from a team as a code owner, February 17, 2026 13:40
shenxianpeng merged commit 407bb4f into jenkinsci:main, Feb 17, 2026
17 checks passed
shenxianpeng added the label "bug" (For changelog: Minor bug. Will be listed after features), Feb 17, 2026