I am assuming that you have already looked at the ways described in this documentation by which you can connect to AWS services from your Azure environment. I am also assuming that none of the above methods suits your objective, and hence you are looking at using IAM Roles Anywhere.
Disclaimer: I haven't used Azure DevOps pipelines much, and I haven't yet executed all the steps below in my Azure account. Please treat the below steps for your PoC purposes only.
1. Set up IAM Roles Anywhere in your AWS environment based on your requirement, and have the certificate and private key ready to be used.
2. Store the certificate and private key from the previous step in your Azure Key Vault.
3. In your pipeline step, have the necessary CLIs available, such as aws and aws_signing_helper.
4. Execute the aws_signing_helper CLI to get the temporary credentials.
5. Parse the output from the last command, which you can then use to access AWS services as per your role definition.
6. Clean up the certificate and private key.
Please let me know how this works for you. Please also consider any additional security measures so that you are handling the keys in the most secure manner.
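The steps above, written out as the shell glue a pipeline step would run. This is an added example, not code from the answer above or from AWS: it calls `aws_signing_helper credential-process` (a real mode of the helper), parses the credential_process JSON it prints, exports the temporary credentials for the aws CLI, and scrubs the private key afterwards. The ARN variables, the `CERT_FILE`/`KEY_FILE` paths (assumed to have been written from Azure Key Vault by an earlier step), and the sample JSON are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example: glue for the IAM Roles Anywhere steps in an Azure DevOps job.
# Assumptions (not from the original post): CERT_FILE and KEY_FILE were written
# by an earlier Key Vault step; TRUST_ANCHOR_ARN, PROFILE_ARN and ROLE_ARN are
# pipeline variables you supply.
set -eu
umask 077   # any file this script creates is readable by the owner only

# Extract one string field from the flat JSON the helper prints.
# $1 = JSON text, $2 = key name. Values of these keys never contain quotes.
json_field() {
  printf '%s' "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
    head -n 1
}

# Turn credential_process JSON into AWS_* exports for the aws CLI.
# Returns 1 if any required field is missing, so a half-parsed response
# never leaves the CLI half-configured.
creds_to_env() {
  json="$1"
  AWS_ACCESS_KEY_ID=$(json_field "$json" AccessKeyId)
  AWS_SECRET_ACCESS_KEY=$(json_field "$json" SecretAccessKey)
  AWS_SESSION_TOKEN=$(json_field "$json" SessionToken)
  AWS_CREDENTIAL_EXPIRATION=$(json_field "$json" Expiration)
  [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] &&
    [ -n "$AWS_SESSION_TOKEN" ] || return 1
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
         AWS_CREDENTIAL_EXPIRATION
}

# Real call: exchange the X.509 certificate for temporary credentials.
# --session-duration is kept short; the job only needs the creds briefly.
fetch_roles_anywhere_creds() {
  aws_signing_helper credential-process \
    --certificate "${CERT_FILE:?}" \
    --private-key "${KEY_FILE:?}" \
    --trust-anchor-arn "${TRUST_ANCHOR_ARN:?}" \
    --profile-arn "${PROFILE_ARN:?}" \
    --role-arn "${ROLE_ARN:?}" \
    --session-duration 900
}

# Overwrite then delete the key file so it does not linger on the agent.
# Overwriting is best-effort on SSD/CoW storage; the stronger controls are an
# ephemeral agent and a short-lived certificate in Roles Anywhere.
scrub_key() {
  f="$1"
  [ -f "$f" ] || return 0
  size=$(wc -c < "$f" | tr -d ' ')
  dd if=/dev/zero of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null || true
  rm -f "$f"
}

# Constructed sample of the helper's output (standard credential_process shape;
# all values are fake), used to exercise the parser without AWS access.
SAMPLE_JSON='{"Version":1,"AccessKeyId":"ASIAEXAMPLE123456","SecretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY","SessionToken":"FwoGZXIvYXdzEBYaDEXAMPLE==","Expiration":"2024-05-01T12:34:56Z"}'

# Only talk to AWS when the helper is installed and the job supplied a role;
# otherwise run the parser against the constructed sample.
if command -v aws_signing_helper >/dev/null 2>&1 && [ -n "${ROLE_ARN:-}" ]; then
  creds_to_env "$(fetch_roles_anywhere_creds)"
  aws sts get-caller-identity      # proves the role was assumed
  scrub_key "$KEY_FILE"
else
  creds_to_env "$SAMPLE_JSON"
  echo "parsed sample credentials expiring at $AWS_CREDENTIAL_EXPIRATION"
fi
```

In Azure DevOps this would be the body of a Bash task that follows an AzureKeyVault task; because the credentials are exported into the task's environment, every later `aws` call in the same step uses the role's permissions and nothing long-lived ever lands on the agent.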
Hello there, thank you for reaching out.
I understand guidance is required to deploy artifacts from Azure DevOps to ECR or all the way to ECS fargate. You had previously explored the use of IAM roles anywhere as a method to have temporary credentials when accessing AWS services from your tasks in Azure.
I just want to specify that I do not have much expertise on Azure DevOps, as all of the services I work on are AWS services. I did, however, take the time to dive deeper into this to see if I could share documents that can help in this endeavor.
What is necessary to be able to connect with an AWS service from Azure DevOps is the AWS Toolkit for Azure DevOps; it is an add-on that can be installed for use in Azure DevOps: https://marketplace.visualstudio.com/items?itemName=AmazonWebServices.aws-vsts-tools
The following are some resources that can help with what you are trying to achieve:
1. This AWS workshop gives steps guided by short videos on how to achieve this. I hope this is helpful.
Here you can see how to create a CI/CD pipeline to deploy containers to a container cluster. You can see how to integrate AWS Fargate with Azure DevOps here.
2. This is a slightly more concise article that can be considered, but it covers only up to pushing to ECR.
Both solutions involve the use of an AWS service connection in your Azure DevOps environment. This mostly relies on having an IAM user with the necessary permissions, in this case for ECR or ECS. The use of a role can be explored as an alternative to using an IAM role, whether as a classic IAM role or IAM Roles Anywhere.
I hope this information, especially the workshop, is helpful and can provide the much-needed guidance on how this can be done.