Deploy artifact from AzureDevops to AWS ECS or ECR


Hi team,

Please kindly read carefully the question before answering Thank you :)

I previously asked this question, but the responses I received were not relevant.

I followed this blog,

to use IAM role anywhere to consume AWS services, I was able to do AWS API calls from my machine via CLI and credential helper.

But my concrete use case is to deploy from an Azure DevOps instance to ASEA AWS account: for example, deploy from an Azure DevOps to AWS ECS.

I'm unsure how to use this concept of an IAM role anywhere to deploy from Azure DevOps to AWS ECS.

can anyone help me with links or blogs on how can I implement this use case and integrate Azure With AWS IAM role anywhere or if there is any other way to do it?

==> Deploy an artifact from Azure DevOps instance to Amazon ECS fargate. Or at least push from Azure to AWS ECR

  • is this the only way to do (IAM role anywhere) to deploy an artifact from Azure DevOps to ECS or ECR or I can use classic IAM role?
  • if I use the concept of IAM role anywhere, where can I install the certificate and the private key inside Azure?
  • azure Pipeline => produce artifact => deploy it to ECS or ECR without using long-term credentials
  • what are the steps to do in Azure side so that the Pipeline Azure can push to AWS?

Please I know how the IAM role anywhere works and I already configured it in my AWS account, my question here is not about IAM role anywhere,

it's about how can Azure DevOps Pipeline push an artifact to ECS or ECR and what are the steps to do on Azure side?

once I have the certificate and the private key where i should install them at Azure level ...?

thank you so much!

appreciate your Help

Thank you!

2 Answers

Hello Jess,

I am assuming that you have already looked at the following ways described in this documentation using which you can connect to AWS services from your Azure environment. I am also assuming, none of the above methods suits your objective and hence you are looking at using IAM Roles Anywhere.

Disclaimer: I haven't used Azure DevOps pipelines much, and I haven't yet executed all the steps below in my Azure account. Please treat the below steps for your PoC purposes only.

  1. Setup the IAM Roles anywhere in your AWS environment based on your requirement and have the certificate and private key ready to be used.

  2. Store the certificate and private key from previous step in your Azure Key Vault.

  3. In your pipeline step, have the necessary cli's available like aws and aws_signing_helper.

  4. In your pipeline step, download the certificate and private key from Azure Key Vault, you might have to write one line code to separate the certificate and private key as per this link.

  5. Execute aws_signing_helper cli to get the temporary credentials.

  6. Parse the output from the last command using which you can access AWS services as per your role definition.

  7. Cleanup the certificate and private key.

Please let me know how this works for you. Please also consider any additional security measure so that you are handling the keys in the most secure manner.

profile picture
answered 9 months ago
  • Thank you for the clarification!!

    Please if I want to use the classic IAM role role

    • what should the IAM role trust policy looks like (Principal section) (I don't have the right to create an IAM user in my AWS account)
    • how can I get credentials form this assumed role in my Azure DevOps Pipeline => using the command line PowerShell?

    Thank you


Hello there, thank you for reaching out.

I understand guidance is required to deploy artifacts from Azure DevOps to ECR or all the way to ECS fargate. You had previously explored the use of IAM roles anywhere as a method to have temporary credentials when accessing AWS services from your tasks in Azure.

I just want to specify that I do not have much expertise on Azure DevOps as all of the services I work on are AWS services. I did however take the time to dive deeper into this to see if I can be able to share documents that can help in this endeavor.

What is necessary to be able to connect with some AWS service from Aure DevOps is the AWS Toolkit for Azure DevOps, it is an addon that can be added for use in Azure DevOps :

The following are some resources that can help with what you are trying to achieve:

1.This AWS workshop gives steps guided by short videos on how to achieve this. I hope this is helpful.

Here you can see how to create a CI/CD pipeline to deploy containers to a container cluster.You can see how to integrate AWS Fargate with Azure DevOps here.

2.This is a slightly more concise article that can be considered but covers only up to pushing to ECR.

Both solutions involve the use of a AWS service connection in you AzureDevOps environmment. this mostly relies on having an IAM user with the necessary permissions, in this case for ECR or ECS. The use of role can be explored as an alternative to using an IAM role, whether as a classic IAM role, or IAM role anywhere.

I hope this this information, especially the workshop is helpful and can provide the much needed guidance on how this can be done.

Thanks :)

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions