Azure Deploy to AWS via role

0

Hi team,

My org relies on Azure DevOps Pipelines. We want to deploy from Azure to our ECS Fargate cluster, but we have some considerations:

  • we cannot create long-lived credentials in AWS
  • we don't have outbound internet connectivity in AWS from within our VPC

how can we deploy the built artifact from Azure to ECS without using AWS long-lived credentials?

I saw the solution of using build agents.

Can Azure assume a role in AWS without using build agents?

How can Azure assume a role in AWS?

But that still needs AWS credentials.

2 Answers
0
Accepted Answer
AWS
EXPERT
kentrad
answered a year ago
  • Thank you for your answer!! I tried to follow the given article and I get this error: AccessDeniedException: Unable to assume role for arn:aws:iam::1234566:role/myRole. Some RDNs failed STS validation for session tags. Issuer: [ ]; Subject: [ CN ]

    even though I added these conditions to the trust policy:

    "Condition": { "StringEquals": { "aws:PrincipalTag/x509Subject/CN": "xxxx", "aws:PrincipalTag/x509Subject/OU": "zzzzz" } }

    I used an ACM PCA of type: Subordinate.

  • I think your certificate is missing some fields. According to the docs, "Certificates with empty subjects are NOT yet supported, since IAM Roles Anywhere uses the certificate subject as the key of the Subject resource to visualize and audit activities for certificates that are authenticated with IAM Roles Anywhere." https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html

  • Can you run this command on your certificate: 'openssl x509 -text -noout -in foo.crt' and report what the Subject and Issuer are?

  • I suspect that the '*' is causing the issue. From the docs: "In general, the allowed characters are letters, numbers, spaces representable in UTF-8, and the following characters: _ . : / = + - @." https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_tagging.html#tag-conventions

  • I issued a new cert without * (from ACM); now I no longer get the previous error message.

    I get this exception without more details:

    AccessDeniedException: Unable to assume role for arn:aws:iam::123456789:role/myrole
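A pre-flight check for the certificate-subject problem discussed in the comments above, added here as an example (it is not part of the answer, of AWS's tooling, or of IAM Roles Anywhere itself). It takes the `subject=`/`issuer=` lines printed by `openssl x509 -noout -subject -issuer` and flags RDN values that cannot become IAM session tags; the sample output and the `x509Subject`/`x509Issuer` tag-key prefixes are assumptions based on the trust-policy condition keys quoted in the thread.

```python
import re

# IAM tag keys and values may contain letters, digits, spaces and _ . : / = + - @
# (the tagging conventions doc linked above). IAM Roles Anywhere maps each certificate
# RDN to a session tag (x509Subject/CN, x509Issuer/O, ...), so any other character,
# such as the '*' in a wildcard CN, fails STS validation for session tags.
TAG_CHARS = re.compile(r"^[A-Za-z0-9 _.:/=+\-@]+$")

def parse_name(line):
    """Parse one 'subject=' or 'issuer=' line (format 'CN = foo, OU = bar') into [(attr, value)]."""
    _, _, body = line.partition("=")  # drop the 'subject'/'issuer' label
    rdns = []
    for part in body.split(","):  # assumes no RDN value itself contains a comma
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns

def check_rdns(prefix, rdns):
    """Return a list of problems; prefix is the assumed tag-key prefix (x509Subject / x509Issuer)."""
    problems = []
    if not rdns:  # Roles Anywhere does not support certificates with an empty subject
        problems.append(f"{prefix}: empty name")
    for attr, value in rdns:
        bad = sorted({c for c in value if not TAG_CHARS.match(c)})
        if bad:
            problems.append(f"{prefix}/{attr}: {value!r} contains disallowed character(s) {bad}")
    return problems

def audit(openssl_output):
    """Check every subject=/issuer= line of the openssl output; returns all problems found."""
    problems = []
    for line in openssl_output.splitlines():
        if line.startswith("subject="):
            problems += check_rdns("x509Subject", parse_name(line))
        elif line.startswith("issuer="):
            problems += check_rdns("x509Issuer", parse_name(line))
    return problems

# Constructed sample (not taken from a real certificate): the wildcard CN is the kind of
# value that produces "Some RDNs failed STS validation for session tags".
SAMPLE = """subject=CN = *.myservice, OU = zzzzz
issuer=CN = My Private CA, O = Example Org"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the real output of the openssl command suggested above before wiring the certificate into a trust anchor; an empty result means every RDN is representable as a session tag, which is what the `aws:PrincipalTag/x509Subject/...` conditions depend on.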

0

Other than IAM Roles Anywhere, which is a valid option, if you are using Azure DevOps and Pipelines you can also use the AWS Toolkit for Azure DevOps. After installation you can create a Service connection to AWS using your credentials and assume a role; build agents are not required for this.

This video on deploying .NET Application in AWS using Azure DevOps has some good material you can use to replicate the setup.

AWS
Gary_S
answered 9 months ago
  • But this would still require an IAM access key pair to configure the Service connection. You can only provide an additional IAM role ARN, which is then assumed by the IAM access key, if I understood the documentation correctly...
