How to Sign In with OIDC to AWS from Azure Pipelines
An AWS service connection using workload identity federation lets Azure Pipelines assume an IAM role with no stored keys.
Configure an AWS IAM OIDC provider that trusts Azure DevOps, create a role for it, then use the AWS service connection so the CLI runs with assumed-role credentials.
Run AWS CLI through the OIDC connection
The AWSShellScript task runs under credentials assumed via the OIDC service connection.
azure-pipelines.yml
- task: AWSShellScript@1
inputs:
awsCredentials: aws-oidc
regionName: us-east-1
scriptType: inline
inlineScript: |
aws sts get-caller-identity
aws s3 sync ./dist s3://my-bucket/web/Notes
- The AWS IAM role trust policy must trust the Azure DevOps OIDC issuer and subject.
- No long-lived AWS access keys are stored in Azure; credentials are short-lived and assumed per run.
- The AWS Toolkit for Azure DevOps extension provides the AWS service connection type.
Related guides
How to Run a Container Build in Azure PipelinesBuild and push a container image in Azure Pipelines with the Docker@2 task and an Azure Container Registry se…
How to Gate with Manual Approval in Azure PipelinesRequire a human approval before an Azure Pipelines deploy by adding an approval check to the target environme…