README.md: 7 additions & 6 deletions
@@ -30,17 +30,18 @@ The [User Guide](https://docs.aws.amazon.com/vsts/latest/userguide/welcome.html)
30
30
31
31
## Credentials Handling for AWS Services
32
32
33
-
To enable tasks to call AWS services when run as part of your build or release pipelines AWS credentials need to have been configured for the tasks or be available in the host process for the build agent. Note that the credentials are used specifically by the tasks when run in a build agent process, they are not related to end-user logins to your Azure DevOps instance.
33
+
To enable tasks to call AWS services when run as part of your build or release pipelines, AWS credentials need to have been configured for the tasks or be available in the host process for the build agent. Note that the credentials are used specifically by the tasks when run in a build agent process, they are not related to end-user logins to your Azure DevOps instance.
34
34
35
35
The AWS tasks support the following mechanisms for obtaining AWS credentials:
36
36
37
37
One or more service endpoints, of type _AWS_, can be created and populated with either:
38
38
39
39
- Static credentials in the form of AWS access and secret keys, and optionally data for _Assumed Role_ credentials.
40
-
- If only the _Assumed Role_ is defined but neither access key ID nor secret key, the role be assumed regardless. This is useful when using instance profices, and and profile only allows to assume a role.
41
-
- If the useOIDC is checked and you have defined an _Assumed Role_ without access key ID or secret key. This will request an OIDC token from Azure Devops and federate into AWS with than token.
40
+
- If only the _Assumed Role_ is defined but neither access key ID nor secret key, the role will be assumed regardless. This is useful when using instance profiles, and profile which only allows to assume a role.
41
+
- If `Use OIDC`is checked and you have defined an _Assumed Role_ without an access key ID or secret key, an OIDC token will be requested from Azure Devops and used to federate into AWS.
42
42
43
-
- This will require a trust policy on the _Assume Role_ similar to this :
43
+
- Using OIDC requires the creation of an OIDC Provider. Please refer to the documentation here: [Creating and managing an OIDC provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html#manage-oidc-provider-console)
44
+
- This will also require a trust policy on the _Assume Role_ similar to this :
44
45
45
46
```json
46
47
{
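Review bot: the rewritten bullet at new line 40 still reads awkwardly ("This is useful when using instance profiles, and profile which only allows to assume a role"); suggest "This is useful when the build agent runs with an instance profile that is only permitted to assume the role." Two smaller points in the same hunk: new line 41 is missing a space in "`Use OIDC`is", and "Azure Devops" should match the "Azure DevOps" spelling used at line 33. Because the trust policy that follows is what decides which pipelines can obtain the role's credentials, it would also help if the sentence at new line 44 said which conditions in the example limit the role to a specific Azure DevOps organization and project, so the policy is not copied without them.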
@@ -54,7 +55,7 @@ One or more service endpoints, of type _AWS_, can be created and populated with
@@ -63,7 +64,7 @@ One or more service endpoints, of type _AWS_, can be created and populated with
63
64
}
64
65
```
65
66
66
-
You'll also have to setup the OIDC Provider, you can use the documentation of [Creating and managing an OIDC provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html#manage-oidc-provider-console)
67
+
- A sample CloudFormation template [example_cfn.yml](./example_cfn.yaml) is available to assist with the setup and configuration.
67
68
68
69
- Variables defined on the task or build.
69
70
- If tasks are not configured with the name of a service endpoint they will attempt to obtain credentials, and optionally region, from variables defined in the build environment. The
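Review bot: the link text and target disagree at new line 67, `[example_cfn.yml](./example_cfn.yaml)`; check which file name actually exists in the repository and use it in both places. Since the sentence about creating the OIDC provider was moved into the bullet list above, a short note here saying whether the template creates the provider and the role with its trust policy (if that is what it does) would tell readers whether it replaces the manual steps or only supplements them.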