Comments (10)
I think the comment was deleted for some reason, but opened issue #291 which captures that the AWS CLI task does not assume role.
from aws-toolkit-azure-devops.
The AWS service endpoint is currently written to use just a single access/secret key pair so this isn't possible at the moment. It's on our backlog to add in a future release.
I should also add we'd like to be able to use the instance profile of the agent to assume roles.
Ok.
A first pass at assume role support was released yesterday (v1.0.10); all tasks except for the AWS CLI and Lambda .NET Core Deployment are now able to handle having the role to assume be specified in the AWS endpoint type (the two remaining tasks will be updated soon). Interested in feedback!
For the agent using instance profile, are you envisaging the agent running in the scope of a role (i.e. it's already assumed and the same role is used in all tasks), or are you looking for the ability to take the credentials from the profile and use them in conjunction with a different role ARN specified somewhere in the build or endpoint, so tasks can assume different roles?
Thanks so much for such a quick turnaround on that!
I think ideally we'd like it so if you don't specify any API credentials in the service endpoint, it'll fall back to the instance role of the agent. From there you'd be able to perform any of the existing tasks, including the ability to assume other roles from the instance role.
We'll likely have to introduce a new endpoint type that doesn't have access and secret keys to get this to work, as in the current endpoint these are mandatory. The tasks would then need to detect what kind of endpoint they received and behave accordingly. It could also of course contain role data to allow use of instance profile credentials to assume a different role.
Hi @steveataws
Does the "AWS Lambda .NET Core Deployment" task support assume role? I think not; I tested with the scenarios below. I think it is required for users who are trying to set up the suggestions made in AWS Landing Zone using VSTS and the dotnet lambda global tool.
Scenario 1
Steps:
- Set up a Service Connection with Access Key ID, Secret Access Key and Role To Assume.
- Add an S3 Upload step, to make sure the issue is not related to the IAM user or S3 bucket policies - Worked.
- Add the "AWS Lambda .NET Core Deployment" task - Failed. Error message:
```
The AWS Access Key Id you provided does not exist in our records.
```
Scenario 2
Steps:
- Included the command line arguments below on the "AWS Lambda .NET Core Deployment" task - Worked.
```
--aws-access-key-id $(AWSAccessKeyID) --aws-secret-key $(AWSSecretKey) --aws-session-token $(AwsSessionToken)
```
PS. Retrieved those tokens from the local .aws\cli\cache folder.
Scenario 3
Steps:
- Set up the assume role profile in the AWS CLI on my local machine.
- Ran the command below - It worked.
```
dotnet lambda package-ci -ot serverless.template --region *** --s3-bucket *** --disable-interactive true --profile build
```
What are we trying to achieve?
As suggested in AWS Landing Zone, have Identity (IAM Users) and Build (S3 Buckets for Lambda packages) AWS accounts. The vsts-build user should assume a role in the Build account to PutObject to the S3 bucket which stores the Lambda deployment packages.
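As an added example (not code from this issue thread or from the toolkit), the Scenario 2 workaround written as a small script: it parses the JSON that `aws sts assume-role` returns, refuses credentials that are about to expire, and produces both the extra `dotnet lambda` arguments and the Azure Pipelines `##vso[task.setvariable ...;issecret=true]` logging commands that register those values as secret variables so the agent masks them in logs. The STS response embedded below is constructed; the key, token, account id and role name are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the JSON `aws sts assume-role` prints;
# key, secret, token, account id and role name are all placeholders.
SAMPLE_STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0001",
        "SecretAccessKey": "exampleSecretKeyPlaceholder0000000000000",
        "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
        "Expiration": "2030-01-01T12:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:vsts-build",
        "Arn": "arn:aws:sts::111122223333:assumed-role/build-deploy/vsts-build",
    },
})
# Pipeline variable names as referenced by the Scenario 2 command line.
VARIABLE_NAMES = ("AWSAccessKeyID", "AWSSecretKey", "AwsSessionToken")

def parse_credentials(sts_json, now_iso=None, min_remaining_minutes=15):
    """Return (access key, secret key, session token) from an AssumeRole
    response, refusing credentials that would expire mid-deployment."""
    creds = json.loads(sts_json)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if expires - now < timedelta(minutes=min_remaining_minutes):
        raise ValueError(f"credentials expire at {expires.isoformat()}; assume the role again")
    return creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"]

def dotnet_lambda_args(access_key, secret_key, session_token):
    """Extra arguments the Lambda .NET Core Deployment task accepted in Scenario 2.
    The session token is mandatory: assumed-role keys are rejected without it."""
    return ["--aws-access-key-id", access_key,
            "--aws-secret-key", secret_key,
            "--aws-session-token", session_token]

def vso_secret_commands(access_key, secret_key, session_token):
    """Azure Pipelines logging commands that register the values as secret
    variables, so later steps can use $(AWSAccessKeyID) etc. and logs mask them."""
    return [f"##vso[task.setvariable variable={name};issecret=true]{value}"
            for name, value in zip(VARIABLE_NAMES, (access_key, secret_key, session_token))]

if __name__ == "__main__":
    triple = parse_credentials(SAMPLE_STS_RESPONSE)
    for line in vso_secret_commands(*triple):  # a script step would print these
        print(line)
    # Show the argument shape without echoing the secret values.
    print(" ".join(a if a.startswith("--") else "***" for a in dotnet_lambda_args(*triple)))
```

The `setvariable` lines must be emitted by a script step before the deployment task runs, otherwise the `$(...)` references in Scenario 2 resolve to nothing and the secrets are never masked.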
@hunterwerlla any progress on this?
The letter of this issue is that all tasks support assume role, which they do now. There seems to be discussion about other feature requests on this ticket, so please file them as different tickets if you are still having issues or have a different feature request.
@hunterwerlla, yes, sorry about that. I wasn't sure if my comment was accurate. Glad to see that you opened an issue for it.