2 Answers
Other than IAM Roles Anywhere, which is a valid option, if you are using Azure DevOps and Pipelines you can also use the AWS Toolkit for Azure DevOps. After installation you can create a Service connection to AWS through your credentials and assume a role; build agents are not required for this.
This video on deploying a .NET application in AWS using Azure DevOps has some good material you can use to replicate the setup.
answered 9 months ago
But this would still require an IAM access key pair to configure the Service connection. You can only provide an additional IAM role ARN, which is then assumed by the IAM access key, if I understood the documentation correctly...
Thank you for your answer!! I tried to follow the given article and I have this error:
AccessDeniedException: Unable to assume role for arn:aws:iam::1234566:role/myRole. Some RDNs failed STS validation for session tags. Issuer: [ ]; Subject: [ CN ]
even though I added these conditions to the trusted policy:
```json
"Condition": {
  "StringEquals": {
    "aws:PrincipalTag/x509Subject/CN": "xxxx",
    "aws:PrincipalTag/x509Subject/OU": "zzzzz"
  }
}
```
I used an ACM PCA of type: Subordinate.
I think your certificate is missing some fields. According to the docs, "Certificates with empty subjects are NOT yet supported, since IAM Roles Anywhere uses the certificate subject as the key of the Subject resource to visualize and audit activities for certificates that are authenticated with IAM Roles Anywhere." https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html
Can you run this command on your certificate, `openssl x509 -text -noout -in foo.crt`, and report what the Subject and Issuer are?
I suspect that the '*' is causing the issue. From the docs: "In general, the allowed characters are letters, numbers, spaces representable in UTF-8, and the following characters: _ . : / = + - @." https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_tagging.html#tag-conventions
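The two comments above boil down to one check: list the Subject and Issuer RDNs of the certificate and see whether any value uses a character outside the set the IAM tagging docs allow. The script below is an added example, not code from this thread or from AWS; it assumes `openssl` is on PATH, and its "letters" check is limited to ASCII A-Z/a-z, so non-ASCII UTF-8 letters (which the docs permit) would be flagged too and the `tr` set would need widening for such a PKI. Run it with no arguments for a self-contained demo on a throwaway self-signed certificate whose CN carries the wildcard discussed above, or call `check_cert path/to/foo.crt` on a real certificate.

```shell
#!/bin/sh
# Added example (not from the thread): flag Subject/Issuer RDN values that
# fall outside the session-tag character set quoted above
# (letters, numbers, spaces, and _ . : / = + - @).
# Assumptions: openssl on PATH; "letters" approximated as ASCII A-Z/a-z.

# tag_value_ok VALUE -> 0 if VALUE is non-empty and uses only allowed characters
tag_value_ok() {
    [ -n "$1" ] || return 1                       # empty values cannot become tags
    rest=$(printf '%s' "$1" | tr -d 'A-Za-z0-9 _.:/=+@-')
    [ -z "$rest" ]                                # anything left over is disallowed
}

# name_rdns CERT subject|issuer -> one "KEY=VALUE" line per RDN of that name
name_rdns() {
    openssl x509 -noout "-$2" -nameopt sep_multiline -in "$1" \
        | sed -n 's/^[[:space:]][[:space:]]*\([A-Za-z0-9.]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1=\2/p'
}

# check_cert CERT -> 0 if every Subject and Issuer RDN value is tag-safe,
# otherwise prints the offending RDNs and returns 1
check_cert() {
    offenders=$(for field in subject issuer; do
        name_rdns "$1" "$field" | while IFS= read -r rdn; do
            tag_value_ok "${rdn#*=}" || printf '%s: %s\n' "$field" "$rdn"
        done
    done)
    if [ -n "$offenders" ]; then
        printf 'RDNs that would fail STS session-tag validation:\n%s\n' "$offenders"
        return 1
    fi
    printf 'all Subject and Issuer RDNs of %s are tag-safe\n' "$1"
}

# Stand-alone demo: mint a throwaway self-signed certificate (constructed
# input, assumed subject) whose CN carries a wildcard, then check it.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; demo skipped"; return 0; }
    tmp=$(mktemp -d)
    if openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=*.build.example/OU=ci-agents' \
            -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1; then
        check_cert "$tmp/cert.pem" || true       # expected: CN flagged for '*'
    fi
    rm -rf "$tmp"
}

demo
```

Because a self-signed certificate is its own issuer, the demo reports the wildcard CN under both `subject:` and `issuer:`, which mirrors the error text above listing the Issuer and Subject separately; on a CA-issued certificate the Issuer RDNs come from the CA and must pass the same check.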
I issued a new cert without * (from ACM); now I don't get the previous error message anymore.
I have this exception without more details:
AccessDeniedException: Unable to assume role for arn:aws:iam::123456789:role/myrole