aws / aws-toolkit-azure-devops

AWS Toolkit for Azure DevOps

roleArn on AWSShellScript #340

Open drankard opened 4 years ago

drankard commented 4 years ago

In many cases I use AWSShellScript to execute aws cli commands, but I haven't seen a nice solution for how to run an AWSShellScript with an assumed role other than the service connection role.

Just like CloudFormationCreateOrUpdateStack takes a roleArn parameter and passes it to CloudFormation, it would be nice if AWSShellScript could do the same: take a roleArn parameter, assume the role and execute the cli command.

Right now I need to script my way out of it (or am I missing something?).

```bash
# Assume the target role using the credentials the service connection already provides
temp_role=$(aws sts assume-role --role-arn "arn:aws:iam::my_account:role/myrole" --role-session-name "MySession")
# Export the temporary credentials so the following CLI calls run as the assumed role
export AWS_ACCESS_KEY_ID=$(echo "$temp_role" | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$temp_role" | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$temp_role" | jq -r .Credentials.SessionToken)
# This call now uses the assumed role, not the service connection identity
aws s3 ls my-bucket
```

FaridNeshat-TomTom commented 3 years ago

We have a similar requirement which aws-toolkit-azure-devops doesn't offer out of the box. I have multiple pipelines which each do different things. I have set up IAM roles for each of those pipelines, and I have a single IAM user and a single service connection for it, which only allows it to assume those IAM roles. I have set it up this way so there's only one place to rotate the IAM user credentials, and each pipeline has enough permission to do what it needs and nothing more.

However, I have found it's not possible out of the box to use a service connection, provide an IAM role inside the pipeline YAML file, and have the AWS tasks assume that role automatically.

Best would be if the aws-toolkit-azure-devops tasks used the AWS.AssumeRoleArn, AWS.RoleSessionName and AWS.ExternalId variables when provided with a service connection, or the individual tasks could take those as parameters, similar to CloudFormationCreateOrUpdateStack as mentioned by @drankard.

I looked into the code; this could be an easy change. The getCredentials function in src/lib/awsConnectionParameters.ts only gets the credentials if no service connection was specified. This should be changed so that the variables can override the service connection.

Potentially the awsCredentials task input could be an object that accepts the assume-role parameters along with the service connection name.
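As an added illustration (not the toolkit's code, and not what either commenter posted), this sketch shows the override the comment above describes and the scripted workaround from the first post, in one place: the service connection remains the only long-lived secret, and the AWS.AssumeRoleArn, AWS.RoleSessionName and AWS.ExternalId variables, when set, narrow the task to the assumed role. The credential types, the injected STS call, the default session name and the ARN check are assumptions of the example.

```typescript
// Added example, not aws-toolkit-azure-devops source.
interface AwsCredentials {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken?: string;
}

interface AssumeRoleInput {
  RoleArn: string;
  RoleSessionName: string;
  ExternalId?: string;
}

// Injected so the example runs offline; a real task would call STS AssumeRole
// here, authenticated with the service connection credentials.
type AssumeRoleFn = (source: AwsCredentials, input: AssumeRoleInput) => Promise<AwsCredentials>;
type GetVariableFn = (name: string) => string | undefined;

// Shape of an IAM role ARN across the aws, aws-cn and aws-us-gov partitions.
const ROLE_ARN_PATTERN = /^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/;

// Reads the three pipeline variables named in the issue. Returns undefined when
// no role is requested, so callers keep today's service-connection behaviour.
function readAssumeRoleVariables(getVariable: GetVariableFn): AssumeRoleInput | undefined {
  const roleArn = getVariable('AWS.AssumeRoleArn')?.trim();
  if (!roleArn) {
    return undefined;
  }
  if (!ROLE_ARN_PATTERN.test(roleArn)) {
    // Fail fast on a malformed value instead of letting STS reject it mid-pipeline.
    throw new Error(`AWS.AssumeRoleArn is not an IAM role ARN: ${roleArn}`);
  }
  const externalId = getVariable('AWS.ExternalId')?.trim();
  return {
    RoleArn: roleArn,
    // Assumed default; the toolkit may choose a different session name.
    RoleSessionName: getVariable('AWS.RoleSessionName')?.trim() || 'azure-devops-pipeline',
    // Omitted when blank: STS requires at least two characters if ExternalId is sent.
    ...(externalId ? { ExternalId: externalId } : {}),
  };
}

// Variables override the service connection when present; otherwise the
// service connection credentials are returned unchanged.
async function resolveCredentials(
  serviceConnection: AwsCredentials,
  getVariable: GetVariableFn,
  assumeRole: AssumeRoleFn,
): Promise<AwsCredentials> {
  const request = readAssumeRoleVariables(getVariable);
  return request ? assumeRole(serviceConnection, request) : serviceConnection;
}
```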