Trust policy of IAM Role used by Azure DevOps Pipeline

0

Hi team,

I want to use an IAM role to use AWS services from an Azure DevOps Pipeline.

In my AWS account, I don't have the right to create IAM users, so I should only use an IAM role / IAM Roles Anywhere.

In case I create a role in my AWS account to be used by the Azure DevOps Pipeline, what would the trust policy of this IAM role (Principal section) be?

(I can't use an IAM user as the Principal because I can't create any IAM user in my AWS account.)

In an Azure DevOps Pipeline, how can I use the credentials issued by this IAM role, via PowerShell in the YAML file?

I tried this script in my Azure DevOps Pipeline:

- script: |
    aws sts assume-role --role-arn "arn:aws:iam::AWS_ACCOUNT_ID:role/ROLE_NAME" --role-session-name "AssumedRole" > assumed-role-output.json

and it still needs an access key and secret access key to run this command, which will give me an access key and secret access key.

The entire objective is to avoid creating an IAM user and using its credentials in Azure DevOps, but rather to assume a role and use the temporary credentials generated by the role. But it seems that even to run the assume-role command I still need an access key and secret access key, just to run the sts assume-role command.

Thank you for your valuable help!

2 Answers
0

You will need your AWS access key and secret access key to run "aws sts assume-role".
Since that command is for ASSUME-role, it cannot be used without the information of the IAM user that receives the IAM role.
Attach a policy to the IAM user that allows the user to execute "assume-role".
The trust policy of the IAM role to which assume-role is applied must be configured for use by IAM users.
I think it is essential to create an access key and secret access key to use the service from outside AWS.
https://repost.aws/knowledge-center/iam-assume-role-cli
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_enable-create.html

EXPERT
answered a year ago
0

Here is some documentation on IAM Roles Anywhere.

The docs above have examples of the trust policy that is needed and the helper script for getting role credentials.

AWS
EXPERT
kentrad
answered a year ago
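For the trust policy and helper-script usage the second answer points to, here is an added example (not code from this thread or from AWS's own documentation) that prints the IAM Roles Anywhere trust policy for the pipeline role and an AWS CLI profile that obtains temporary credentials through the aws_signing_helper credential process; the account ID, region, ARNs, certificate paths and profile name are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from AWS: prints the two pieces the
# second answer refers to. Every ARN, ID and file path below is a placeholder.
set -eu

# Trust policy for the pipeline role. The Principal is the Roles Anywhere service
# itself, and the Condition pins it to one trust anchor (the CA that signs the
# pipeline's client certificate), so no IAM user appears anywhere in the policy.
trust_policy_json() {
  account="$1"; region="$2"; trust_anchor_id="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "rolesanywhere.amazonaws.com" },
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    "Condition": {
      "ArnEquals": {
        "aws:SourceArn": "arn:aws:rolesanywhere:${region}:${account}:trust-anchor/${trust_anchor_id}"
      }
    }
  }]
}
EOF
}

# AWS CLI profile for the build agent. credential_process runs the signing helper,
# which signs the request with the certificate's private key and returns short-lived
# credentials, so the job never holds a long-lived access key / secret key.
aws_cli_profile() {
  helper="$1"; cert="$2"; key="$3"; ta_arn="$4"; profile_arn="$5"; role_arn="$6"
  cat <<EOF
[profile ado-pipeline]
credential_process = ${helper} credential-process --certificate ${cert} --private-key ${key} --trust-anchor-arn ${ta_arn} --profile-arn ${profile_arn} --role-arn ${role_arn}
EOF
}

# Placeholder values. On the agent, write the profile to ~/.aws/config and run the
# CLI with "--profile ado-pipeline" (or AWS_PROFILE=ado-pipeline).
trust_policy_json "123456789012" "eu-west-1" "TRUST_ANCHOR_ID"
aws_cli_profile "./aws_signing_helper" "./client.pem" "./client.key" \
  "arn:aws:rolesanywhere:eu-west-1:123456789012:trust-anchor/TRUST_ANCHOR_ID" \
  "arn:aws:rolesanywhere:eu-west-1:123456789012:profile/PROFILE_ID" \
  "arn:aws:iam::123456789012:role/ROLE_NAME"
```

The same credential_process line works unchanged from a PowerShell step, since the AWS CLI reads the profile regardless of which shell invokes it.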
