Azure Deploy to AWS via role

0

Hi team,

My org relies on Azure DevOps Pipelines. We want to deploy from Azure to our ECS Fargate cluster, but we have some considerations:

  • we cannot create long-lived credentials in AWS
  • we don't have outbound internet connectivity in AWS from within our VPC

How can we deploy the built artifact from Azure to ECS without using AWS long-lived credentials?

I saw the solution of using build agents.

Can Azure assume a role in AWS without using build agents?

How can Azure assume a role in AWS?

But still, it needs AWS credentials.

2 answers
0
Accepted answer
AWS
EXPERT
kentrad
answered a year ago
  • Thank you for your answer!! I tried to follow the given article and I get this error: AccessDeniedException: Unable to assume role for arn:aws:iam::1234566:role/myRole. Some RDNs failed STS validation for session tags. Issuer: [ ]; Subject: [ CN ]

    even though I added these conditions to the trust policy:

    "Condition": { "StringEquals": { "aws:PrincipalTag/x509Subject/CN": "xxxx", "aws:PrincipalTag/x509Subject/OU": "zzzzz" } }

    I used an ACM PCA of type: Subordinate.

  • I think your certificate is missing some fields. According to the docs, "Certificates with empty subjects are NOT yet supported, since IAM Roles Anywhere uses the certificate subject as the key of the Subject resource to visualize and audit activities for certificates that are authenticated with IAM Roles Anywhere." https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html

  • Can you run this command on your certificate: 'openssl x509 -text -noout -in foo.crt' and report what the Subject and Issuer are?

  • I suspect that the '*' is causing the issue. From the docs: "In general, the allowed characters are letters, numbers, spaces representable in UTF-8, and the following characters: _ . : / = + - @." https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_tagging.html#tag-conventions

  • I issued a new cert without '*' (from ACM) and now I no longer get the previous error message.

    I get this exception without further details:

    AccessDeniedException: Unable to assume role for arn:aws:iam::123456789:role/myrole
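To make the session-tag failure discussed in the comments above concrete, here is an added example (not code from the original post or from AWS tooling) that reproduces the check STS applies before the trust policy is evaluated: IAM Roles Anywhere turns each subject RDN into a session tag (keys x509Subject/CN, x509Subject/OU, ...), so any RDN value containing a character outside the IAM tag character set, such as the '*' of a wildcard CN, is rejected with the "Some RDNs failed STS validation" error. The script parses the line printed by `openssl x509 -noout -subject`, flags offending RDNs, then evaluates the StringEquals condition of a Roles Anywhere style trust policy against the derived tags. The certificate subjects, the expected CN/OU values and the policy's condition values are constructed for the example; the Principal, the three sts: actions and the aws:PrincipalTag/x509Subject/* keys follow the documented trust-policy shape.

```python
import re

# IAM tag-value character rules quoted in the thread (letters, numbers, spaces,
# and _ . : / = + - @), plus the 256-character value limit. IAM Roles Anywhere
# copies each subject RDN into a session tag, so a value outside this set (for
# example a wildcard CN such as "*.deploy.example") fails STS validation before
# the role's trust policy is even evaluated.
TAG_VALUE_RE = re.compile(r"^[\w \.:/=+\-@]*$")
TAG_VALUE_MAX_LEN = 256

# Trust policy for a role that IAM Roles Anywhere may assume. Principal, the
# three sts:* actions and the aws:PrincipalTag/x509Subject/* condition keys are
# the documented shape; the expected CN/OU values are constructed (assumption).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "rolesanywhere.amazonaws.com"},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
        "Condition": {"StringEquals": {
            "aws:PrincipalTag/x509Subject/CN": "azure-deploy.example",
            "aws:PrincipalTag/x509Subject/OU": "Pipelines",
        }},
    }],
}


def parse_subject(subject_line):
    """Parse the 'subject=' line printed by `openssl x509 -noout -subject`
    (either 'CN = a, OU = b' or the RFC 2253 'CN=a,OU=b' form) into an
    ordered list of (attribute, value) pairs."""
    line = subject_line.strip()
    if line.lower().startswith("subject="):
        line = line[len("subject="):]
    rdns = []
    for part in re.split(r"(?<!\\),", line):  # a comma escaped as '\,' stays in the value
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value.strip().replace("\\,", ",")))
    return rdns


def rejected_rdns(rdns):
    """Attributes whose value STS would refuse as a session-tag value."""
    return [attr for attr, value in rdns
            if len(value) > TAG_VALUE_MAX_LEN or not TAG_VALUE_RE.match(value)]


def principal_tags(rdns):
    """Session tags Roles Anywhere derives from the subject: x509Subject/<attr>."""
    return {"x509Subject/" + attr: value for attr, value in rdns}


def string_equals(condition, tags):
    """Evaluate a StringEquals block keyed by aws:PrincipalTag/<tag key>."""
    prefix = "aws:PrincipalTag/"
    for key, expected in condition.items():
        tag_key = key[len(prefix):] if key.startswith(prefix) else key
        if tags.get(tag_key) != expected:
            return False
    return True


def check_certificate_subject(subject_line, trust_policy=TRUST_POLICY):
    """Predict how Roles Anywhere handles this subject: 'tag_validation' if an
    RDN cannot become a session tag, 'trust_policy' if the tags exist but the
    role's condition does not match them, 'ok' otherwise."""
    rdns = parse_subject(subject_line)
    bad = rejected_rdns(rdns)
    if bad:
        return {"result": "tag_validation", "rejected": bad}
    tags = principal_tags(rdns)
    cond = trust_policy["Statement"][0]["Condition"]["StringEquals"]
    if not string_equals(cond, tags):
        return {"result": "trust_policy", "tags": tags}
    return {"result": "ok", "tags": tags}


if __name__ == "__main__":
    # Constructed subjects: a wildcard CN (the '*' case from the thread), a
    # subject that satisfies the policy condition, and one whose OU does not.
    for subject in ("subject=CN = *.deploy.example, OU = Pipelines, O = Example",
                    "subject=CN=azure-deploy.example,OU=Pipelines,O=Example",
                    "subject=CN=azure-deploy.example,OU=Builds,O=Example"):
        print(subject, "->", check_certificate_subject(subject))
```

Run it against the output of `openssl x509 -noout -subject -in foo.crt` to see, before re-issuing a certificate, which RDN would be refused as a session tag; a subject that passes the character check but still cannot assume the role is worth comparing against the role's StringEquals values, since a mismatch there yields a plain AccessDeniedException with no RDN detail.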

0

Other than IAM Roles Anywhere, which is a valid option, if you are using Azure DevOps and Pipelines you can also use the AWS Toolkit for Azure DevOps. After installation you can create a service connection to AWS through your credentials and assume a role; build agents are not required for this.

This video on deploying a .NET application in AWS using Azure DevOps has some good material you can use to replicate the setup.

AWS
Gary_S
answered 10 months ago
  • But this would still require an IAM access key pair to configure the service connection. You can only provide an additional IAM role ARN, which is then assumed by the IAM access key, if I understood the documentation correctly...
