CloudBees Backup plugin to S3 fails if 'sts.amazonaws.com' requires a proxy


Issue

When using Instance Profile / STS to infer authentication from the environment and a proxy is needed to reach out to sts.amazonaws.com, the CloudBees Backup Plugin fails to access the bucket.

When creating a CloudBees backup job using S3, the form validation fails with the error:

ERROR: Unable to list objects of ... Please check that s3:ListBucket permission has been granted. com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ...

Enabling FINE logging for the org.apache.http.conn.ssl and com.amazonaws.http.conn packages shows the following error:

May 11, 2022 8:07:04 AM FINE org.apache.http.conn.ssl.SSLConnectionSocketFactory connectSocket
Connecting socket to sts.amazonaws.com/...:443 with timeout 10000
May 11, 2022 8:07:14 AM FINE com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler invoke
java.net.SocketTimeoutException: connect timed out
    at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
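
To tell this failure apart from a genuinely missing s3:ListBucket grant, the FINE log can be scanned for a connect timeout to the STS endpoint. The Python script below is an added example, not CloudBees or AWS code; its sample log is constructed from the lines above (the 192.0.2.x addresses and proxy.example.internal are placeholders), and matching regional sts.<region>.amazonaws.com hosts is a generalization beyond the single host named in this article.

```python
import re

# Constructed sample modelled on the FINE log lines quoted in the article.
# 192.0.2.x and proxy.example.internal are placeholders, not real values.
SAMPLE_LOG = """\
May 11, 2022 8:07:04 AM FINE org.apache.http.conn.ssl.SSLConnectionSocketFactory connectSocket
Connecting socket to sts.amazonaws.com/192.0.2.10:443 with timeout 10000
May 11, 2022 8:07:14 AM FINE com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler invoke
java.net.SocketTimeoutException: connect timed out
    at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
May 11, 2022 8:07:15 AM FINE org.apache.http.conn.ssl.SSLConnectionSocketFactory connectSocket
Connecting socket to proxy.example.internal/192.0.2.20:3128 with timeout 10000
"""

# "Connecting socket to <host>/<address>:<port> with timeout <ms>"
CONNECT = re.compile(r"Connecting socket to ([^/\s]+)/\S*:(\d+) with timeout (\d+)")
TIMEOUT = "java.net.SocketTimeoutException: connect timed out"
# Global endpoint from the article, plus regional endpoints (assumption).
STS_HOST = re.compile(r"^sts(\.[a-z0-9-]+)?\.amazonaws\.com$")


def timed_out_connections(log_text):
    """Return (host, port, timeout_ms) for every connect attempt that is
    followed by a connect timeout before the next attempt is logged.
    Works on the whole text, so flattened (single-line) logs parse too."""
    attempts = list(CONNECT.finditer(log_text))
    failed = []
    for i, m in enumerate(attempts):
        end = attempts[i + 1].start() if i + 1 < len(attempts) else len(log_text)
        if TIMEOUT in log_text[m.end():end]:
            failed.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return failed


def sts_unreachable(log_text):
    """True when a direct connection to an STS endpoint timed out, which is
    the signature of the proxy issue described here rather than of a
    missing s3:ListBucket permission."""
    return any(STS_HOST.match(h) for h, _, _ in timed_out_connections(log_text))


if __name__ == "__main__":
    for host, port, ms in timed_out_connections(SAMPLE_LOG):
        print(f"connect to {host}:{port} timed out after {ms} ms")
    print("STS unreachable:", sts_unreachable(SAMPLE_LOG))
```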

Resolution

The issue is unresolved, and resolution depends on issues in the AWS SDK for Java:

https://github.com/aws/aws-sdk-java-v2/issues/751
https://github.com/aws/aws-sdk-java/issues/2558

Workaround

Make sts.amazonaws.com accessible even without the proxy (that would be an infrastructure change, not a change in CloudBees CI), then add sts.amazonaws.com to the No proxy host configuration under Manage Jenkins > System > HTTP Proxy Configuration (formerly under Manage Jenkins > Manage Plugins > Advanced).

Tested product/plugin versions

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.