Issue
I have a machine with Jenkins set up in GCP behind an IAP Proxy. I am using the JWT-Auth plugin for Jenkins authentication.
I would now like to call a build job from another machine in GCP. Test script:
CLIENT_ID="xxx"
EMAIL="yyy"
URL="zzz"
IAP_TOKEN=$(gcloud auth print-identity-token --audiences "${CLIENT_ID}" --token-format "full")
curl -H "Authorization: Bearer ${IAP_TOKEN}" $URL
- I successfully retrieve the JWT token for the account
- I can "GET" the home page - response 200.
However, when I want to POST and change my curl to build a job I get this:
curl -X POST -H "Authorization: Bearer ${IAP_TOKEN}" "$URL/job/abcd/build"
403 No valid crumb was included in the request
I try to include crumb in that way:
JENKINS_CRUMB=$(curl -s -H "Authorization: Bearer ${IAP_TOKEN}" "${URL}/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\":\",//crumb)" )
curl -X POST -H "${JENKINS_CRUMB}" -H "Authorization: Bearer ${IAP_TOKEN}" "${URL}/job/abc/build"
I Enable Proxy Compability in CSRF Protection, I'm trying to use token API instead of crumb but with no luck, same error.
Error 403 No valid crumb was included in the request
Jenkins log:
Found invalid crumb $CRUMB_CHAIN.
If you are calling this URL with a script, please use the API Token instead.
More information: https://www.jenkins.io/redirect/crumb-cannot-be-used-for-script
Thanks.
Solution
I couldn't figure out my problem, I couldn't pass proxy-authorization to jenkins. I finally used this doc: https://www.jenkins.io/doc/upgrade-guide/2.176/#SECURITY-626 . After installing the plugin and disabling session ID checking, I can use curl along with the passed crumb.
CRUMB=$(curl -s -H "Authorization: Bearer ${IAP_TOKEN}" "$JENKINS_URL/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)")
curl -X POST -H "Authorization: Bearer ${IAP_TOKEN}" -H "${CRUMB}" "$JENKINS_URL/job/Phone-number-reset/build?delay=0sec"
Answered By - P.Cichocki Answer Checked By - Marilyn (WPSolving Volunteer)
