solomem / DevOps


AWS Toolkit for Microsoft Azure Devops #3

Open solomem opened 1 year ago

solomem commented 1 year ago

Getting started

Supply task credentials

After you create an AWS account and IAM user, and you've made a copy of the access key and secret access key for that user, you can supply credentials to the tasks in the following ways.

Topics

Supply task credentials using a service connection

Supply credentials through named variables in your build

Supply standard AWS environment variables in the build agent process

Supply credentials with Amazon EC2 build agents

Supply task credentials using a service connection

You can create a link to your AWS subscription by using the Service connections section of the Project settings for your project. Note that a service connection expects long-lived AWS credentials consisting of an access-key and secret-key pair. You can also define Assume Role credentials to scope down the access. Service connections also support the use of a session token variable. You can rotate session tokens from the service connections. For more information, see Use personal access tokens in the Microsoft Azure DevOps online documentation.

To set up a service connection

Open Azure DevOps and access the project that you want to add a service connection to.

Choose the settings icon in the lower-left side of the screen, and then choose Service connections.

From New AWS service connection, choose AWS. This opens the Add AWS service connection form.

Provide a Connection name, Access key ID, and Secret key ID, and complete any other fields you want.

When you've completed the required and any optional fields in the form, choose OK.

You can test your credentials by creating a new AWS Toolkit for Azure DevOps task in an existing build pipeline and using the connection name you defined in the Add AWS service connection form.

Supply credentials through named variables in your build

You can specify credentials by using named variables. You can set these variables using values from previous jobs in the pipeline, or set them globally. Named variables can be used to get credentials from a custom credentials store.

The following are all the supported named variables:

AWS.AccessKeyID – IAM access key ID.

AWS.SecretAccessKey – IAM secret access key.

AWS.SessionToken – IAM session token.

AWS.Region – AWS Region code, for example, us-east-2.

To set up global pipeline variables

Open Azure DevOps, open the build definition, and then choose variables.

Choose Add new Variable.

Choose a variable name from one of the four supported names listed previously, and then choose the appropriate value based on your use case.

Once you save your changes, this variable will be used by all of your AWS tasks.

To set up dynamic pipeline variables

Create a job to get the variables.

Create a second job that uses your AWS credentials.

Give the first job an output variable that contains the credentials.

Make the second job rely on the first job.

For more information about Azure DevOps pipeline variables, see Define variables in the Microsoft Azure DevOps online documentation.

Supply standard AWS environment variables in the build agent process

You can specify credentials with standard named AWS environment variables. These variables can be used to get credentials from a custom credentials store.

The following are all the supported standard named AWS environment variables:

AWS_ACCESS_KEY_ID – IAM access key ID.

AWS_SECRET_ACCESS_KEY – IAM secret access key.

AWS_SESSION_TOKEN – IAM session token.

AWS_ROLE_ARN – Amazon Resource Name (ARN) of the role you want to assume.

AWS_REGION – AWS Region code, for example, us-east-2.

For more information about Azure DevOps pipeline variables, see Define variables in the Microsoft Azure DevOps online documentation.

Supply credentials with Amazon EC2 build agents

For build agents running on Amazon Elastic Compute Cloud (Amazon EC2) instances, the tasks can automatically obtain credential and Region information from instance metadata associated with the Amazon EC2 instance.

To use Amazon EC2 instance metadata credentials, the instance must have started with an instance profile that references a role that grants permissions to the task. This allows the role to make calls to AWS on your behalf. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances.

Set up an Amazon EC2 instance as a self-hosted Azure Pipelines agent. For more information, see Azure Pipelines agent in the Microsoft Azure DevOps online documentation. After that's completed, AWS tasks can be added without setting any credentials explicitly. When running on a build machine, your IAM credentials are picked up automatically.
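The "To set up dynamic pipeline variables" steps in the comment above, sketched as an Azure Pipelines YAML fragment. This is an added example, not part of the original comment or the AWS documentation it quotes; the job names, the step name `fetch`, the output variable names and the `fetch-aws-creds.sh` helper are hypothetical, and the region value is the sample one from the text.

```yaml
# Added example. GetCreds, UseAws, fetch and fetch-aws-creds.sh are hypothetical names.
jobs:
- job: GetCreds
  steps:
  - bash: |
      set -euo pipefail
      set +x   # never trace commands that handle secrets
      # Hypothetical helper for a custom credentials store; assumed to print
      # "<access key id> <secret access key> <session token>" on one line.
      read -r KEY_ID SECRET TOKEN < <(./fetch-aws-creds.sh)
      # isOutput exposes the value to dependent jobs; issecret masks it in logs.
      echo "##vso[task.setvariable variable=accessKeyId;isOutput=true;issecret=true]$KEY_ID"
      echo "##vso[task.setvariable variable=secretAccessKey;isOutput=true;issecret=true]$SECRET"
      echo "##vso[task.setvariable variable=sessionToken;isOutput=true;issecret=true]$TOKEN"
    name: fetch   # the step name is required to reference the outputs below

- job: UseAws
  dependsOn: GetCreds   # the second job relies on the first
  variables:
    # Map the first job's outputs onto the named variables the AWS tasks read.
    AWS.AccessKeyID: $[ dependencies.GetCreds.outputs['fetch.accessKeyId'] ]
    AWS.SecretAccessKey: $[ dependencies.GetCreds.outputs['fetch.secretAccessKey'] ]
    AWS.SessionToken: $[ dependencies.GetCreds.outputs['fetch.sessionToken'] ]
    AWS.Region: us-east-2
  steps:
  - task: AWSCLI@1
    displayName: Confirm which identity the tasks resolved
    inputs:
      awsCommand: sts
      awsSubCommand: get-caller-identity
```

Supplying a session token alongside the key pair keeps the credentials in the second job short-lived, in contrast to the long-lived key pair a service connection expects.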

solomem commented 1 year ago

Service connection name

awsConnectionString