Could not find credentials after latest release

[marcingryska]

Jenkins and plugins versions report

Environment

Plugin version of 1.136.v914ea_5948634 running on Debian 11, 
Java VM vendor: Debian, 
Java VM name: OpenJDK 64-Bit Server VM,
Java version 11.0.23,
Jenkins version 2.452.2,
OS name: Linux,
OS version:  4.19.0-26-cloud-amd64

List of plugins installed:
Active Choices Plug-in | 2.8.3 | true
Agent Status | 56.v1798df8ff586 | true
Amazon EC2 plugin | 1688.v8c07e01d657f | true
Amazon ECR plugin | 1.114.vfd22430621f5 | true
Amazon Web Services SDK :: All | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: Api Gateway | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: Autoscaling | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: CloudFormation | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: CloudFront | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: CodeBuild | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: CodeDeploy | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: EC2 | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: ECR | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: ECS | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: EFS | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: Elastic Beanstalk | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: Elastic Load Balancing V2 | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: IAM | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: kinesis | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: Lambda | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: Logs | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: Minimal | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: Organizations | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: Secrets Manager | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: SNS | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: SQS | 1.12.753-463.v071a_97315959 | true
Amazon Web Services SDK :: SSM | 1.12.753-463.v071a_97315959 | true
Analysis Model API Plugin | 12.3.3 | true
AnsiColor | 1.0.4 | true
Ant Plugin | 497.v94e7d9fffa_b_9 | true
Apache HttpComponents Client 4.x API Plugin | 4.5.14-208.v438351942757 | true
Apache HttpComponents Client 5.x API Plugin | 5.3.1-110.v77252fb_d4da_5 | true
Artifact Deployer Plugin | 1.3 | true
artifact-promotion | 0.5.2 | true
ASM API Plugin | 9.7-33.v4d23ef79fcc8 | true
Authentication Tokens API Plugin | 1.119.v50285141b_7e1 | true
Autofavorite for Blue Ocean | 1.2.5 | true
AWS Credentials Plugin | 231.v08a_59f17d742 | true
Badge | 1.13 | true
Basic Branch Build Strategies Plugin | 81.v05e333931c7d | true
Bitbucket Branch Source Plugin | 887.va_d359b_3d2d8d | true
Bitbucket Pipeline for Blue Ocean | 1.27.13 | true
Bitbucket Push and Pull Request Plugin | 3.0.2 | true
Bitbucket Server Notifier | 1.492.v1b_33f185ee18 | true
Blue Ocean | 1.27.13 | true
Blue Ocean Core JS | 1.27.13 | true
Blue Ocean Pipeline Editor | 1.27.13 | true
Bootstrap 4 API Plugin | 4.6.0-6 | true
Bootstrap 5 API Plugin | 5.3.3-1 | true
bouncycastle API Plugin | 2.30.1.78.1-248.ve27176eb_46cb_ | true
Branch API Plugin | 2.1169.va_f810c56e895 | true
Build Blocker Plugin | 166.vc82fc20b_a_ed6 | true
Build Monitor View | 1.14-883.vf620a_44eb_ec1 | true
Build Timeout | 1.33 | true
Build With Parameters | 76.v9382db_f78962 | true
BuildResultTrigger Plug-in | 0.18 | true
built-on-column | 1.4 | true
Caffeine API Plugin | 3.1.8-133.v17b_1ff2e0599 | true
Checks API plugin | 2.2.0 | true
CloudBees Credentials Plugin | 3.3 | true
CloudBees Disk Usage Simple Plugin | 203.v3f46a_7462b_1a_ | true
CloudBees Docker Build and Publish plugin | 1.4.0 | true
CloudBees Docker Custom Build Environment Plugin | 1.7.3 | true
CloudBees Docker Traceability | 1.2 | true
Cobertura Plugin | 1.17 | true
Code Coverage Plugin | 4.99.0 | true
Command Agent Launcher Plugin | 107.v773860566e2e | true
Common API for Blue Ocean | 1.27.13 | true
Commons Compress API | 1.26.1-2 | true
Commons HttpClient 3.x API | 3.1-3 | true
commons-lang3 v3.x Jenkins API Plugin | 3.14.0-76.vda_5591261cfe | true
commons-text API Plugin | 1.12.0-119.v73ef73f2345d | true
Conditional BuildStep | 1.4.3 | true
Config API for Blue Ocean | 1.27.13 | true
Config File Provider Plugin | 973.vb_a_80ecb_9a_4d0 | true
Configuration as Code Plugin | 1810.v9b_c30a_249a_4c | true
Configuration as Code Plugin - Groovy Scripting Extension | 1.1 | true
Confluence Publisher | 163.vf906edb_73cce | true
Convert To Pipeline | 1.0 | true
Copy Artifact Plugin | 746.vd2a_674fb_4f6f | true
Coverage Plugin | 1.16.1 | true
Credentials Binding Plugin | 681.vf91669a_32e45 | true
Credentials Plugin | 1361.v56f5ca_35d21c | true
CVS Plug-in | 2.19.1 | true
Dashboard for Blue Ocean | 1.27.13 | true
Dashboard View | 2.508.va_74654f026d1 | true
DataTables.net API Plugin | 2.0.8-1 | true
Deployment Dashboard Plugin for Jenkins | 1.0.10 | true
DEPRECATED Blue Ocean Executor Info | 1.27.13 | true
description setter plugin | 239.vd0a_6b_785f92d | true
Design Language | 1.27.13 | true
Display URL API | 2.204.vf6fddd8a_8b_e9 | true
Display URL for Blue Ocean | 2.4.3 | true
Docker Commons Plugin | 439.va_3cb_0a_6a_fb_29 | true
Docker Pipeline | 580.vc0c340686b_54 | true
DTKit 2 API. | 3.0.2 | true
Durable Task Plugin | 555.v6802fe0f0b_82 | true
ECharts API Plugin | 5.5.0-1 | true
EDDSA API Plugin | 0.3.0-4.v84c6f0f4969e | true
Email Extension Plugin | 1814.v404722f34263 | true
Embeddable Build Status Plugin | 487.va_0ef04c898a_2 | true
EnvInject API Plugin | 1.199.v3ce31253ed13 | true
Environment Dashboard Plugin | 1.1.10 | true
Environment Injector Plugin | 2.908.v66a_774b_31d93 | true
Events API for Blue Ocean | 1.27.13 | true
Extended Choice Parameter Plugin | 382.v5697b_32134e8 | true
Extended Read Permission Plugin | 53.v6499940139e5 | true
External Monitor Job Type Plugin | 215.v2e88e894db_f8 | true
Favorite | 2.218.vd60382506538 | true
Flexible Publish Plugin | 0.16.1 | true
Folders Plugin | 6.928.v7c780211d66e | true
Font Awesome API Plugin | 6.5.2-1 | true
Forensics API Plugin | 2.4.0 | true
Git Changelog | 3.38 | true
Git client plugin | 5.0.0 | true
Git Parameter Plug-In | 0.9.19 | true
Git Pipeline for Blue Ocean | 1.27.13 | true
Git plugin | 5.2.2 | true
Git server Plugin | 126.v0d945d8d2b_39 | true
GitHub API Plugin | 1.318-461.v7a_c09c9fa_d63 | true
GitHub Branch Source Plugin | 1789.v5b_0c0cea_18c3 | true
GitHub Pipeline for Blue Ocean | 1.27.13 | true
GitHub plugin | 1.39.0 | true
Groovy | 457.v99900cb_85593 | true
Groovy Postbuild | 228.vcdb_cf7265066 | true
Gson API Plugin | 2.11.0-41.v019fcf6125dc | true
H2 API Plugin | 11.1.4.199-30.v1c64e772f3a_c | true
Handy Uri Templates 2.x API Plugin | 2.1.8-30.v7e777411b_148 | true
HTML Publisher plugin | 1.35 | true
Hudson SCP publisher plugin | 1.8 | true
i18n for Blue Ocean | 1.27.13 | true
Infrastructure plugin for Publish Over X | 0.22 | true
Instance Identity | 185.v303dc7c645f9 | true
Ionicons API | 74.v93d5eb_813d5f | true
Jackson 2 API Plugin | 2.17.0-379.v02de8ec9f64c | true
Jakarta Activation API | 2.1.3-1 | true
Jakarta Mail API | 2.1.3-1 | true
Java JSON Web Token (JJWT) Plugin | 0.11.5-112.ve82dfb_224b_a_d | true
JavaBeans Activation Framework (JAF) API | 1.2.0-7 | true
Javadoc Plugin | 243.vb_b_503b_b_45537 | true
JavaMail API | 1.6.2-10 | true
JavaScript GUI Lib: ACE Editor bundle plugin | 1.1 | true
JavaScript GUI Lib: Handlebars bundle plugin | 3.0.8 | true
JavaScript GUI Lib: jQuery bundles (jQuery and jQuery UI) plugin | 1.2.1 | true
JavaScript GUI Lib: Moment.js bundle plugin | 1.1.1 | true
JAXB plugin | 2.3.9-1 | true
Jersey 2 API | 2.42-147.va_28a_44603b_d5 | true
JIRA Integration for Blue Ocean | 1.27.13 | true
Jira plugin | 3.13 | true
jnr-posix API Plugin | 3.1.19-2 | true
Job Configuration History Plugin | 1229.v3039470161a_d | true
Job DSL | 1.87 | true
Joda Time API Plugin | 2.12.7-29.v5a_b_e3a_82269a_ | true
jQuery plugin | 1.12.4-1 | true
JQuery3 API Plugin | 3.7.1-2 | true
JSch dependency plugin | 0.2.16-86.v42e010d9484b_ | true
JSON Api Plugin | 20240303-41.v94e11e6de726 | true
JSON Path API Plugin | 2.9.0-58.v62e3e85b_a_655 | true
JUnit Attachments Plugin | 205.vc0677977deb_0 | true
JUnit Plugin | 1265.v65b_14fa_f12f0 | true
JWT for Blue Ocean | 1.27.13 | true
LDAP Plugin | 725.v3cb_b_711b_1a_ef | true
Lockable Resources plugin | 1255.vf48745da_35d0 | true
Log Parser Plugin | 2.3.4 | true
Mailer Plugin | 472.vf7c289a_4b_420 | true
Managed Scripts | 1.5.6 | true
MapDB API Plugin | 1.0.9-40.v58107308b_7a_7 | true
Mashup Portlets | 1.1.2 | true
Mask Passwords Plugin | 173.v6a_077a_291eb_5 | true
Matrix Authorization Strategy Plugin | 3.2.2 | true
Matrix Project Plugin | 832.va_66e270d2946 | true
Maven Integration plugin | 3.23 | true
Maven Release Plug-in Plug-in | 0.16.4 | true
Mercurial plugin | 1260.vdfb_723cdcc81 | true
Metrics Plugin | 4.2.21-451.vd51df8df52ec | true
Mina SSHD API :: Common | 2.13.1-117.v2f1a_b_66ff91d | true
Mina SSHD API :: Core | 2.13.1-117.v2f1a_b_66ff91d | true
Mission Control Plugin | 0.9.16 | true
MSBuild Plugin | 1.33 | true
MSTest plugin | 1.0.5 | true
MSTestRunner plugin | 1.5.0 | true
Multijob plugin | 627.v7c23cef20a_6a | true
Multiple SCMs plugin | 0.8 | true
Next Build Number Plugin | 1.8 | true
Node Iterator API Plugin | 55.v3b_77d4032326 | true
NodeJS Plugin | 1.6.1 | true
Nuget Plugin | 1.1 | true
NUnit plugin | 485.ve8a_85357320d | true
nvm-wrapper | 0.1.7 | true
Office 365 Connector | 4.21.1 | true
Official OWASP ZAP Jenkins Plugin | 1.1.0 | true
OkHttp Plugin | 4.11.0-172.vda_da_1feeb_c6e | true
Oracle Java SE Development Kit Installer Plugin | 73.vddf737284550 | true
OWASP Dependency-Check Plugin | 5.5.1 | true
OWASP Dependency-Track Plugin | 5.0.0 | true
OWASP Markup Formatter Plugin | 162.v0e6ec0fcfcf6 | true
OWASP ZAP Plugin | 1.0.7 | true
PagerDuty Plugin | 0.7.1 | true
PAM Authentication plugin | 1.11 | true
Parameterized Remote Trigger Plugin | 3.2.0 | true
Parameterized Scheduler | 277.v61a_4b_a_49a_c5c | true
Parameterized Trigger plugin | 806.vf6fff3e28c3e | true
Performance Plugin | 962.v95a_4913d332e | true
Personalization for Blue Ocean | 1.27.13 | true
Pipeline | 600.vb_57cdd26fdd7 | true
Pipeline Graph Analysis Plugin | 216.vfd8b_ece330ca_ | true
Pipeline implementation for Blue Ocean | 1.27.13 | true
Pipeline Maven Integration Plugin | 1421.v610fa_b_e2d60e | true
Pipeline Maven Plugin API | 1421.v610fa_b_e2d60e | true
Pipeline SCM API for Blue Ocean | 1.27.13 | true
Pipeline timeline | 1.0.3 | true
Pipeline Utility Steps | 2.17.0 | true
Pipeline: API | 1316.v33eb_726c50b_a_ | true
Pipeline: AWS Steps | 1.45 | true
Pipeline: Basic Steps | 1058.vcb_fc1e3a_21a_9 | true
Pipeline: Build Step | 540.vb_e8849e1a_b_d8 | true
Pipeline: Declarative | 2.2203.v89fa_170c2b_f5 | true
Pipeline: Declarative Agent API | 1.1.1 | false
Pipeline: Declarative Extension Points API | 2.2203.v89fa_170c2b_f5 | true
Pipeline: Deprecated Groovy Libraries | 612.v55f2f80781ef | true
Pipeline: GitHub Groovy Libraries | 61.v629f2cc41d83 | true
Pipeline: Groovy | 3903.v48a_8836749e9 | true
Pipeline: Groovy Libraries | 727.ve832a_9244dfa_ | true
Pipeline: Input Step | 495.ve9c153f6067b_ | true
Pipeline: Job | 1400.v7fd111b_ec82f | true
Pipeline: Milestone Step | 119.vdfdc43fc3b_9a_ | true
Pipeline: Model API | 2.2203.v89fa_170c2b_f5 | true
Pipeline: Multibranch | 783.787.v50539468395f | true
Pipeline: Multibranch with defaults | 2.1 | true
Pipeline: Nodes and Processes | 1360.v82d13453da_a_f | true
Pipeline: REST API Plugin | 2.34 | true
Pipeline: SCM Step | 427.v4ca_6512e7df1 | true
Pipeline: Stage Step | 312.v8cd10304c27a_ | true
Pipeline: Stage Tags Metadata | 2.2203.v89fa_170c2b_f5 | true
Pipeline: Stage View Plugin | 2.34 | true
Pipeline: Step API | 678.v3ee58b_469476 | true
Pipeline: Supporting APIs | 907.v6713a_ed8a_573 | true
Plain Credentials Plugin | 183.va_de8f1dd5a_2b_ | true
Plugin Usage - Plugin | 4.5 | true
Plugin Utilities API Plugin | 4.1.0 | true
Popper.js 2 API Plugin | 2.11.6-5 | true
Popper.js API Plugin | 1.16.1-3 | true
Post build task | 1.9 | true
PowerShell plugin | 2.1 | true
Prism API Plugin | 1.29.0-15 | true
Project statistics Plugin | 23.v47fee1f77b_84 | true
promoted builds plugin | 957.vf5b_cee587563 | true
Pub-Sub "light" Bus | 1.18 | true
Publish Over CIFS | 0.16 | true
Publish Over SSH | 1.25 | true
Purge Build Queue Plugin | 88.v23b_97b_f2c7a_d | true
Pyenv Pipeline Plugin | 2.1.2 | true
Rebuilder | 332.va_1ee476d8f6d | true
Release Plugin | 2.19 | true
Resource Disposer Plugin | 0.23 | true
REST API for Blue Ocean | 1.27.13 | true
REST Implementation for Blue Ocean | 1.27.13 | true
Reverse Proxy Auth Plugin | 1.7.7 | true
Robot Framework plugin | 3.5.2 | true
Run Condition Plugin | 1.7 | true
Run Selector Plugin | 1.1.1 | true
Safe Restart Plugin | 0.7 | true
SAML Plugin | 4.464.vea_cb_75d7f5e0 | true
SCM API Plugin | 690.vfc8b_54395023 | true
Script Security Plugin | 1341.va_2819b_414686 | true
Selenium HTML report | 1.1 | true
Server Sent Events (SSE) Gateway Plugin | 1.27 | true
Shelve Project Plugin | 3.2 | true
ShiningPanda Plugin | 0.24 | true
Slave Monitor for system load average | 1.2 | true
SnakeYAML API Plugin | 2.2-111.vc6598e30cc65 | true
SonarQube Scanner for Jenkins | 2.17.2 | true
SSH Agent Plugin | 367.vf9076cd4ee21 | true
SSH Build Agents plugin | 2.973.v0fa_8c0dea_f9f | true
SSH Credentials Plugin | 337.v395d2403ccd4 | true
SSH server | 3.330.vc866a_8389b_58 | true
Stash Pullrequest Builder Plugin | 1.17 | true
Structs Plugin | 338.v848422169819 | true
Subversion Plug-in | 1269.v53185011cd9f | true
Swarm Plugin | 3.46 | true
Test Results Analyzer Plugin | 0.4.1 | true
TestComplete xUnit Plugin | 1.1 | true
TestNG Results Plugin | 835.v51ed3da_fcc35 | true
Throttle Concurrent Builds Plug-in | 2.14 | true
Timestamper | 1.27 | true
Token Macro Plugin | 400.v35420b_922dcb_ | true
Translation Assistance plugin | 1.16 | true
Trilead API Plugin | 2.147.vb_73cc728a_32e | true
Variant Plugin | 60.v7290fc0eb_b_cd | true
Version Number Plugin | 1.11 | true
Violation Comments to Bitbucket Server Plugin | 1.134 | true
Warnings Plugin | 11.3.0 | true
Web for Blue Ocean | 1.27.13 | true
WMI Windows Agents Plugin | 1.8.1 | true
Workspace Cleanup Plugin | 0.46 | true
xUnit plugin | 3.1.4 | true
ZAP Pipeline Plugin | 1.16 | true

What Operating System are you using (both controller, and any agents involved in the problem)?

Debian

Reproduction steps

A command used to work properly with previous version i.e 1.114.vfd22430621f5:

                    docker.withRegistry(config["ecr_url"], ecr_credentials_preffix + config["credentials"]) {
                        app.push("${env.BUILD_NUMBER}")
                        app.push("latest")
                        if (buildNumber != null) {
                            app.push("ssng_${env.BRANCH_NAME}_${buildNumber}")
                        }
                    }

now (version of 1.136.v914ea_5948634) it produces exception of not found credentials.

Expected Results

push to ECR successful

Actual Results

Exception occurs:
hudson.AbortException: Could not find credentials matching credentials:here

[TobiX]

Can you check if this incremental was still working? (I'm currently far away from any usable AWS credentials, so I cannot test myself)

https://repo.jenkins-ci.org/artifactory/incrementals/com/cloudbees/jenkins/plugins/amazon-ecr/1.132.v88c326c2041e/amazon-ecr-1.132.v88c326c2041e.hpi

If this is the case, the bug was most likely introduced with c45fcef and I missed some acegisecurity to spring security migration...

[marcingryska]

Thanks for a quick reaction I'll try to check it and give you a feedback then.

[marcingryska]

@TobiX I confirm it works properly with the
1.132.v88c326c2041e
so please apply it/revert into latest stable version.

[TobiX]

I'd rather not revert the change, since it is a future-proving migration. I wrote a simple test case (and documentation how to use it) for the functionality of this plugin in #182, which proves the basic functionality still works... Maybe you could provide a minimal reproducer for your usecase, so we can find what is broken?

[TobiX]

A thing which changed with the modernisation it that DomainRequirements are now passed through when looking up credentials. So if your credential domains are defined too restricted, they will not be found...

[marcingryska]

@TobiX Thank you. I see I need to check whether such test is possible in our Jenkins, as we rather do not want to set sensitive data as env variables, could you additionally explain what do you meant by saying

credential domains are defined too restricted

What kind of restriction level?

[TobiX]

credential domains are defined too restricted

What kind of restriction level?

Jenkins credential domains can have specifications regarding their validity. Those were ignored before the latest versions, but are honoured now:

(Not sure if the previous behaviour was a bug or a conscious omission, but I was under the impression that users using this feature would be aware of how it works)

[marcingryska]

Thank you, now clear to me let me check then with changed domain settings

[marcingryska]

@TobiX Indeed that was a brilliant remark, we had obsolete domains set there, now after setting them to up to date ones it works like a charm. Thank you for you help.

[TobiX]

@marcingryska Thanks for the confirmation. Maybe this needs a documentation update... Feel free to close this issue if the issue is fixed for you!