Deploy artifact from AzureDevops to AWS ECS

0

Hi team,

I followed this blog,

to use IAM Roles Anywhere to consume AWS services. I was able to make AWS API calls from my machine via the CLI and credential helper.

But my concrete use case is to deploy from an Azure DevOps instance to an ASEA AWS account: for example, deploy from Azure DevOps to AWS ECS.

I'm unsure how to use this concept of IAM Roles Anywhere to deploy from Azure DevOps to AWS ECS.

Can anyone help me with links or blogs on how I can implement this use case and integrate Azure with AWS IAM Roles Anywhere, or whether there is any other way to do it?

==> Deploy an artifact from an Azure DevOps instance to Amazon ECS Fargate. Or at least push from Azure to AWS ECR.

Appreciate your help.

Thank you!

5 Answers
1

Hey Jess, could you describe your pipeline process in a little more detail, i.e., what git repo you're using etc. No need for any specific details, just the overall process so I can test on my end as well.

AWS
Thiru A
answered 10 months ago
  • Hey Thiru A, thank you for your help.

    So I'm using Azure DevOps Repos (alm-tfs.xxxx) and a simple pipeline script to:

    • build a Docker image
    • push it to some Artifactory
    • deploy this Docker image to AWS (this is what I want to do)

    The pipeline is also running in Azure DevOps (alm-tfsxx).

    Please let me know if you need any other specific information.

0

Hello,

I hope you're doing well.

Thank you for reaching out to us with your concern.

I understand that you want to use this concept of an IAM role anywhere to deploy from Azure DevOps to AWS ECS. Hence you reached out to us for assistance.

To demonstrate how IAM Roles Anywhere works,

Prerequisites:

Before you set up IAM Roles Anywhere, you need to have the following requirements in place:

>> The certificate bundle of your own CA, or an active ACM PCA CA in the same AWS Region as IAM Roles Anywhere
>> An end-entity certificate and associated private key available on the on-premises server
>> Administrator permissions for IAM roles and IAM Roles Anywhere

Setup:

Here I demonstrate how to perform the setup process by using the IAM Roles Anywhere console. Alternatively, you can use the AWS API or Command Line Interface (CLI) to perform these actions. There are three main activities here:

1. Create a trust anchor
2. Create and configure a role that trusts IAM Roles Anywhere
3. Create a profile

Please follow the steps given in the following document: https://aws.amazon.com/fr/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

Further, in your Azure DevOps project, navigate to the pipeline where you want to configure the deployment to AWS ECS. Add a new task to your pipeline that authenticates with AWS using IAM roles. Configure the task to assume the IAM role you created in step 2 above. Provide the necessary information, such as the AWS region and the IAM role ARN (Amazon Resource Name). Also, please make sure that the IAM role has the necessary permissions to deploy and manage ECS services, task definitions, and other related resources.

Reference

[1] To create and configure a role that trusts IAM Roles Anywhere: https://aws.amazon.com/fr/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

AWS
answered 10 months ago
  • Thank you for your answer! As I mentioned in my question, I was referring to that blog to implement the concept of IAM Roles Anywhere to call AWS services from my laptop.

    My question is more about how to deploy from Azure DevOps to ECS or ECR.

    You mentioned in your answer installing the certificate on your on-premises server... I'm not using an on-prem server. I want to deploy from the Azure DevOps cloud to the AWS cloud, so how can I do that? Where should this cert be installed, and how can I instruct Azure to assume the AWS role?

    Thank you

0

Hi Jess,

You can install the cert in the Azure Devops Agent, is this something you're familiar with?

AWS
Thiru A
answered 10 months ago
  • No, not yet. that's why I'm asking for the procedure how to...?

0

Hi Jess,

Are you using Azure Pipelines to do this? Are you using hosted or self-hosted agents?

You might be able to use Container Jobs with hosted agents as here: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops, where you need to implement the AWS Credential Helper to be able to push the built container image into ECR. Once the image is in ECR, you can create a trigger in CodePipeline: https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-ecs-ecr-codedeploy.html.

To create your agent pool in Azure: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser

Let us know how it goes!

T

AWS
Thiru A
answered 10 months ago
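
As an added example (not code from this thread or from AWS), here is one way the suggestions above could fit together in a script step on an Azure Pipelines agent: it writes an AWS CLI profile that gets temporary credentials through the IAM Roles Anywhere credential helper (`aws_signing_helper`), pushes the image to ECR, and forces a new ECS deployment. It assumes `aws_signing_helper`, the AWS CLI and Docker are on the agent's PATH, that the certificate and key have already been delivered to the agent (for instance as pipeline secure files), and that every ARN, path and name is a placeholder passed in through environment variables.

```shell
#!/bin/sh
# Added example for an Azure Pipelines script step. ARNs, paths and names are
# placeholders supplied through environment variables (assumptions).
set -eu

# Write an AWS CLI profile whose credentials come from the IAM Roles Anywhere
# credential helper, so no long-lived access keys are stored in the pipeline.
# $1 = config file to write, $2 = end-entity certificate, $3 = private key
write_rolesanywhere_profile() {
  [ -r "$2" ] && [ -r "$3" ] || { echo "certificate or key not readable" >&2; return 1; }
  : "${AWS_REGION:?}" "${TRUST_ANCHOR_ARN:?}" "${PROFILE_ARN:?}" "${ROLE_ARN:?}"
  chmod 600 "$3"   # private key readable by the agent user only
  cat > "$1" <<EOF
[profile azdo-deploy]
region = ${AWS_REGION}
credential_process = aws_signing_helper credential-process --certificate $2 --private-key $3 --trust-anchor-arn ${TRUST_ANCHOR_ARN} --profile-arn ${PROFILE_ARN} --role-arn ${ROLE_ARN}
EOF
  chmod 600 "$1"
}

# Push a locally built image to ECR, then restart the ECS service's tasks.
# Assumes the task definition already references this repository and tag.
# $1 = config file, $2 = ECR registry host, $3 = image:tag, $4 = cluster, $5 = service
push_and_deploy() {
  export AWS_CONFIG_FILE="$1" AWS_PROFILE=azdo-deploy
  aws ecr get-login-password | docker login --username AWS --password-stdin "$2"
  docker tag "$3" "$2/$3"
  docker push "$2/$3"
  aws ecs update-service --cluster "$4" --service "$5" --force-new-deployment
}

# Runs only when the pipeline sets RUN_DEPLOY=1, so defining the functions has no side effects.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  write_rolesanywhere_profile "$AGENT_TEMPDIRECTORY/aws-config" "$CERT_PATH" "$KEY_PATH"
  push_and_deploy "$AGENT_TEMPDIRECTORY/aws-config" "$ECR_REGISTRY" "$IMAGE" "$ECS_CLUSTER" "$ECS_SERVICE"
fi
```

The role named in `ROLE_ARN` needs only the ECR push and ECS update permissions for this repository and service, and its trust policy can be narrowed further with conditions on the certificate's subject.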
0

Hi Jess,

Thanks for responding! I found this piece of AWS Documentation that might be able to help you: https://docs.aws.amazon.com/app2container/latest/UserGuide/a2c-integrations-azure-devops.html.

While you may be able to use IAM Roles Anywhere, using the Azure Devops native approach might work better.

Have you come across this link before?

T

AWS
Thiru A
answered 10 months ago
