Issue
When using Instance Profile / STS to infer authentication from the environment and a proxy is needed to reach out to sts.amazonaws.com, the CloudBees Backup Plugin fails to access the bucket.
When creating a CloudBees backup job using S3, the form validation fails with the error:
ERROR: Unable to list objects of ... Please check that s3:ListBucket permission has been granted. com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ...
Enabling FINE logging for the org.apache.http.conn.ssl and com.amazonaws.http.conn packages shows the following error:
May 11, 2022 8:07:04 AM FINE org.apache.http.conn.ssl.SSLConnectionSocketFactory connectSocket
Connecting socket to sts.amazonaws.com/...:443 with timeout 10000
May 11, 2022 8:07:14 AM FINE com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler invoke
java.net.SocketTimeoutException: connect timed out
    at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
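The FINE log above shows a connect attempt to sts.amazonaws.com followed ten seconds later by a connect timeout. The following Python script is an added example, not part of the original article and not CloudBees or AWS code; it pairs each "Connecting socket to" record with a later connect timeout to list the hosts that could not be reached. The sample log, the proxy host name and the 192.0.2.x addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the FINE log excerpt above; the proxy
# host name and the 192.0.2.x addresses are placeholders, not article values.
SAMPLE_LOG = """\
May 11, 2022 8:07:03 AM FINE org.apache.http.conn.ssl.SSLConnectionSocketFactory connectSocket
Connecting socket to proxy.example.internal/192.0.2.20:3128 with timeout 10000
May 11, 2022 8:07:04 AM FINE org.apache.http.conn.ssl.SSLConnectionSocketFactory connectSocket
Connecting socket to sts.amazonaws.com/192.0.2.10:443 with timeout 10000
May 11, 2022 8:07:14 AM FINE com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler invoke
java.net.SocketTimeoutException: connect timed out
    at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
"""

STAMP = re.compile(r"[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M")
CONNECT = re.compile(r"Connecting socket to (\S+?)/(\S*?):(\d+) with timeout (\d+)")
TIMEOUT = "java.net.SocketTimeoutException: connect timed out"

def records(text):
    """Yield (timestamp, body) per log record, for multi-line or flattened logs."""
    marks = list(STAMP.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        when = datetime.strptime(m.group(), "%b %d, %Y %I:%M:%S %p")
        yield when, text[m.end():end]

def direct_connect_timeouts(text):
    """Return connect attempts that were followed by a connect timeout."""
    pending, findings = None, []
    for when, body in records(text):
        hit = CONNECT.search(body)
        if hit:
            # Assumption: a timeout belongs to the most recent connect attempt.
            pending = (when, hit.group(1), int(hit.group(3)), int(hit.group(4)))
        elif TIMEOUT in body and pending:
            started, host, port, limit_ms = pending
            waited_ms = int((when - started).total_seconds() * 1000)
            if waited_ms >= limit_ms:  # elapsed time matches the socket timeout
                findings.append({"host": host, "port": port, "waited_ms": waited_ms})
            pending = None
    return findings

if __name__ == "__main__":
    print(direct_connect_timeouts(SAMPLE_LOG))
```

A host reported here is one the controller tried to reach and could not within the socket timeout, which is the condition the workaround addresses.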
Resolution
The issue is unresolved, and resolution depends on issues in the AWS SDK for Java:
https://github.com/aws/aws-sdk-java-v2/issues/751
https://github.com/aws/aws-sdk-java/issues/2558
Workaround
Make sts.amazonaws.com accessible even without the proxy (that would be an infrastructure change, not a change in CloudBees CI), then add sts.amazonaws.com to the No proxy host configuration under Manage Jenkins → System → HTTP Proxy Configuration (formerly under Manage Jenkins → Manage Plugins → Advanced).