Hey Jess, could you describe your pipeline process in a little more detail, i.e., what Git repo you're using, etc.? No need for any specific details, just the overall process, so I can test on my end as well.
Hello,
I hope you're doing well.
Thank you for reaching out to us with your concern.
I understand that you want to use IAM Roles Anywhere to deploy from Azure DevOps to AWS ECS, and that you reached out to us for assistance.
To demonstrate how IAM Roles Anywhere works,
Prerequisites:
Before you set up IAM Roles Anywhere, you need to have the following requirements in place:
- The certificate bundle of your own CA, or an active ACM PCA CA in the same AWS Region as IAM Roles Anywhere
- An end-entity certificate and associated private key available on the on-premises server
- Administrator permissions for IAM roles and IAM Roles Anywhere
Setup:
Here I demonstrate how to perform the setup process by using the IAM Roles Anywhere console. Alternatively, you can use the AWS API or Command Line Interface (CLI) to perform these actions. There are three main activities here:
1. Create a trust anchor
2. Create and configure a role that trusts IAM Roles Anywhere
3. Create a profile
Please follow the steps given in the following document: https://aws.amazon.com/fr/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
Further, in your Azure DevOps project, navigate to the pipeline where you want to configure the deployment to AWS ECS. Add a new task to your pipeline that authenticates with AWS using IAM roles. Configure the task to assume the IAM role you created in the previous step 2. Provide the necessary information, such as the AWS region and the IAM role ARN (Amazon Resource Name). Also, please make sure that the IAM role has the necessary permissions to deploy and manage ECS services, task definitions, and other related resources.
Reference
[1] To create and configure a role that trusts IAM Roles Anywhere: https://aws.amazon.com/fr/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
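Added example, not part of the thread and not AWS's own code: one way to do what the answer above describes on a pipeline agent is to write an AWS CLI profile whose `credential_process` calls `aws_signing_helper`, so that later steps assume the role through IAM Roles Anywhere. The function name, profile name, paths and ARNs are constructed placeholders, and the sketch assumes the certificate, private key and `aws_signing_helper` are already present on the agent.

```shell
#!/bin/sh
# Added example. All ARNs, paths and names are constructed placeholders.

# Usage: write_rolesanywhere_profile CONFIG NAME CERT KEY TA_ARN PROFILE_ARN ROLE_ARN REGION
# The body runs in a subshell, so "exit" only ends the function call.
write_rolesanywhere_profile() (
  [ "$#" -eq 8 ] || { echo "expected 8 arguments" >&2; exit 2; }
  config=$1 name=$2 cert=$3 key=$4 ta=$5 prof=$6 role=$7 region=$8

  for f in "$cert" "$key"; do
    [ -r "$f" ] || { echo "cannot read $f" >&2; exit 1; }
  done
  # credential_process is split on spaces, so reject paths that contain one.
  case "$cert$key" in *" "*) echo "paths must not contain spaces" >&2; exit 1 ;; esac

  # Catch swapped or mistyped ARNs before the first AWS call fails obscurely.
  case $ta in arn:aws*:rolesanywhere:*:trust-anchor/*) ;;
    *) echo "bad trust anchor ARN" >&2; exit 1 ;; esac
  case $prof in arn:aws*:rolesanywhere:*:profile/*) ;;
    *) echo "bad profile ARN" >&2; exit 1 ;; esac
  case $role in arn:aws*:iam::*:role/*) ;;
    *) echo "bad role ARN" >&2; exit 1 ;; esac

  # The private key is the long-lived secret on the agent: owner-only access.
  chmod 600 "$key" || exit 1

  umask 077   # the config file is created readable by the owner only
  mkdir -p "$(dirname "$config")" || exit 1
  cat >> "$config" <<EOF
[profile $name]
region = $region
credential_process = aws_signing_helper credential-process --certificate $cert --private-key $key --trust-anchor-arn $ta --profile-arn $prof --role-arn $role
EOF
)

# Demo with empty stand-in files in place of a real certificate and key.
demo_dir=$(mktemp -d)
: > "$demo_dir/agent-cert.pem"; : > "$demo_dir/agent-key.pem"
write_rolesanywhere_profile "$demo_dir/config" ecs-deploy \
  "$demo_dir/agent-cert.pem" "$demo_dir/agent-key.pem" \
  arn:aws:rolesanywhere:eu-west-1:111122223333:trust-anchor/EXAMPLE-ANCHOR \
  arn:aws:rolesanywhere:eu-west-1:111122223333:profile/EXAMPLE-PROFILE \
  arn:aws:iam::111122223333:role/ExampleEcsDeployRole eu-west-1
cat "$demo_dir/config"
```

Later pipeline steps can then set `AWS_CONFIG_FILE` to the generated file and `AWS_PROFILE` to the profile name; the AWS CLI and SDKs call the helper and receive short-lived credentials for the role.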
Thank you for your answer! As I mentioned in my question, I was referring to that blog to implement the concept of IAM Roles Anywhere to call AWS services from my laptop.
My question is more about how to deploy from Azure DevOps to ECS or ECR.
You mentioned in your answer to install the certificate on your on-premises server... I'm not using an on-prem server. I want to deploy from Azure DevOps cloud to AWS cloud, so how can I do that? Where should this cert be installed, and how can I instruct Azure to assume the AWS role?
Thank you
Hi Jess,
You can install the cert in the Azure DevOps Agent. Is this something you're familiar with?
No, not yet. That's why I'm asking for the procedure how to...?
Hi Jess,
Are you using Azure Pipelines to do this? Are you using hosted or self-hosted agents?
You might be able to use Container Jobs with hosted agents as here: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops, where you need to implement the AWS Credential Helper to be able to push the built container image into ECR. Once the image is in ECR, you can create a trigger in CodePipeline: https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-ecs-ecr-codedeploy.html.
To create your agent pool in Azure: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser
Let us know how it goes!
T
Hi Jess,
Thanks for responding! I found this piece of AWS Documentation that might be able to help you: https://docs.aws.amazon.com/app2container/latest/UserGuide/a2c-integrations-azure-devops.html.
While you may be able to use IAM Roles Anywhere, using the Azure DevOps native approach might work better.
Have you come across this link before?
T
Hey Thiru A, thank you for your help.
So I'm using Azure DevOps Repos (alm-tfs.xxxx) and a simple pipeline script to:
The pipeline is also running in Azure DevOps (alm-tfsxx).
Please let me know if you need any other specific information.