Azure Deploy to AWS via role

0

Hi team,

My org relies on Azure DevOps Pipelines. We want to deploy from Azure to our ECS Fargate cluster, but we have some considerations:

  • we cannot create long-lived credentials in AWS
  • we don't have outbound internet connectivity in AWS from within our VPC

How can we deploy the built artifact from Azure to ECS without using AWS long-lived credentials?

I saw the solution of using build agents.

Can Azure assume a role in AWS without using build agents?

How can Azure assume a role in AWS?

But still, it needs AWS credentials.

2 answers
0
Accepted answer
AWS
Expert
kentrad
answered a year ago
  • Thank you for your answer!! I tried to follow the given article, and I have this error: AccessDeniedException: Unable to assume role for arn:aws:iam::1234566:role/myRole. Some RDNs failed STS validation for session tags. Issuer: [ ]; Subject: [ CN ]

    even though I added these conditions to the trust policy:

    "Condition": { "StringEquals": { "aws:PrincipalTag/x509Subject/CN": "xxxx", "aws:PrincipalTag/x509Subject/OU": "zzzzz" } }

    I used an ACM PCA of type: Subordinate

  • I think your certificate is missing some fields. According to the docs, "Certificates with empty subjects are NOT yet supported, since IAM Roles Anywhere uses the certificate subject as the key of the Subject resource to visualize and audit activities for certificates that are authenticated with IAM Roles Anywhere." https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html

  • Can you do this command on your certificate? 'openssl x509 -text -noout -in foo.crt' and report what the Subject and Issuer are?

  • I suspect that the '*' is causing the issue. From the docs: "In general, the allowed characters are letters, numbers, spaces representable in UTF-8, and the following characters: _ . : / = + - @." https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_tagging.html#tag-conventions

  • I issued a new cert without * (from ACM); now I no longer get the previous error message.

    I have this exception without more details:

    AccessDeniedException: Unable to assume role for arn:aws:iam::123456789:role/myrole
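An added example (not from the thread, and not AWS code) of the check kentrad's comments describe: IAM Roles Anywhere turns each subject RDN into a session tag, so the subject must be non-empty and every RDN value may only contain the characters IAM allows in tags. It parses the Subject line from `openssl x509 -text -noout` output (the sample line below is constructed, with a wildcard CN like the one that failed) and also builds the aws:PrincipalTag/x509Subject condition keys from the RDNs.

```python
import re

# Characters IAM allows in a tag value: letters, numbers, spaces and _ . : / = + - @
# (the convention quoted in the comments above). Each subject RDN becomes a session tag.
TAG_VALUE_RE = re.compile(r"^[\w .:/=+\-@]*$")
TAG_VALUE_MAX_LEN = 256  # IAM tag values are limited to 256 characters

# Constructed sample of the "Subject:" line printed by `openssl x509 -text -noout`.
SAMPLE_SUBJECT_LINE = "        Subject: C = US, O = Example Corp, OU = build-agents, CN = *.pipeline.example.com"


def parse_rdns(subject_line):
    """Parse an openssl 'Subject:' or 'Issuer:' line into {attribute: value}.
    Assumes the default 'ATTR = value, ATTR = value' layout; escaped separators are not handled."""
    _, _, rdn_text = subject_line.partition(":")
    rdns = {}
    for part in rdn_text.split(","):
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        rdns[attr.strip()] = value.strip()
    return rdns


def check_rdns_for_session_tags(rdns):
    """Return the reasons STS would reject these RDNs as session tags (empty list if none)."""
    problems = []
    if not rdns:
        problems.append("empty subject: Roles Anywhere requires a non-empty certificate subject")
    for attr, value in rdns.items():
        if not value:
            problems.append(f"{attr}: empty value")
        elif not TAG_VALUE_RE.match(value):
            bad = sorted({c for c in value if not TAG_VALUE_RE.match(c)})
            problems.append(f"{attr}: disallowed tag characters {bad!r} in {value!r}")
        elif len(value) > TAG_VALUE_MAX_LEN:
            problems.append(f"{attr}: value longer than {TAG_VALUE_MAX_LEN} characters")
    return problems


def principal_tag_condition(rdns, attrs=("CN", "OU")):
    """Build the StringEquals block on aws:PrincipalTag/x509Subject/<attr> used in the trust policy."""
    return {"StringEquals": {f"aws:PrincipalTag/x509Subject/{a}": rdns[a] for a in attrs if a in rdns}}


if __name__ == "__main__":
    rdns = parse_rdns(SAMPLE_SUBJECT_LINE)
    for line in check_rdns_for_session_tags(rdns) or ["subject RDNs are valid session tags"]:
        print(line)
    print(principal_tag_condition(rdns))
```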

0

Other than IAM Roles Anywhere, which is a valid option, if you are using Azure DevOps and Pipelines you can also use the AWS Toolkit for Azure DevOps. After installation you can create a service connection to AWS through your credentials and assume a role; build agents are not required for this.

This video on deploying .NET Application in AWS using Azure DevOps has some good material you can use to replicate the setup.

AWS
Gary_S
answered 10 months ago
  • But this would still require an IAM access key pair to configure the Service connection. You can only provide an additional IAM role ARN which is then assumed by the IAM access key, if I understood the documentation correctly...
