Issue

One of my builds is getting stuck with the message ‘No valid security token’

Environment

Resolution

This message indicates that the build tried to use a Controlled Agent and wasn’t allowed to because it is not in an
approved folder.

This message can appear even if your build is not specifically asking for a Controlled Agent.
For instance, if you are making a pipeline specifying agent any and that all the agents that Jenkins can find are
Controlled Agents, then the message will be displayed.

Debugging

First thing you need to do is to execute the following script, to list all the folders and their associated grants:

import com.cloudbees.hudson.plugins.folder.Folder
import com.cloudbees.jenkins.plugins.foldersplus.SecurityGrantsFolderProperty

Jenkins.instance.getAllItems(Folder.class).each {
      println "Folder name: ${it.fullName}"
      def sg = ((Folder)it).getProperties().get(SecurityGrantsFolderProperty.class).getSecurityGrants()
      if (sg.isEmpty()) {
        println format('No security Grant')
      } else {
       sg.each {
        println format("Security Grant: ${it}")
      }
    }
}
return

def format(str) {
  def padding = ' ' * 4
  return "${padding}${str}"
}

You should then make sure that at least one security grant exists for one of the folders in the job ancestors.

Next step is to add an additional logger to Jenkins
to have a better understanding of the order in which Jenkins explored the folders to find one having rights for a given controlled agent.

The logger should have the following properties:

logger: com.cloudbees.jenkins.plugins.foldersplus
log level: FINEST

Here is an example of log you will get, showing how Jenkins is starting from the most nested folder and going up the hierarchy to find a folder that would be approved for the controlled agent.

[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Looking for owner
Apr 02, 2019 6:37:59 AM FINEST com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Found owner - Jenkins/Folder1/Folder2/Folder3/job
Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins/Folder1/Folder2/Folder3
Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins/Folder1/Folder2
Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins/Folder1
Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins
Apr 02, 2019 6:37:59 AM FINE com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: No valid token found => REJECT

You can find additional troubleshooting steps in the documentation for the feature.

Opening a support case

In case you open a support case, make sure to attach the output of the previous groovy script, as well as a support bundle generated after the additional logger has been activated.

References

Why is a build getting stuck with 'No valid security token'?