Issue
-
When running CloudBees Jenkins Enterprise (CJE) on AWS installations, worker creation or removal fails with an error that includes
you are not authorized to perform this operation. For example:
or image::common-kb::denied1.png[denied1]
Environment
-
CloudBees Jenkins Enterprise (CJE) - AWS
Resolution
Something in the AWS policy is restricting the operation. A quick, though not exhaustive, check is to download the AWS CLI tool so that you can verify AWS permissions completely outside of CJE. Try these simple operations to validate access:
aws ec2 describe-instances
and
aws s3 ls
| Do not modify or remove any objects here. This is just to validate access. |
Additionally if you are using AWS profiles (and have multiple ones defined) you can add the flag for --profile so that you can explicitly test with it. For example
aws ec2 describe-instances --profile my-developer-profile
If these commands return access errors, please refer back to the policy for the minimum set of AWS operations needed for CJE operations.
Finally, when troubleshooting, remember that even if an AWS policy is created appropriately for CJE, you may still face restrictions due to other security group policies that take precedence over it. You may need the help of your organization’s security or AWS engineer to investigate fully.