Skip to content
Latchkey

How to Sign In with OIDC to AWS from Azure Pipelines

An AWS service connection using workload identity federation lets Azure Pipelines assume an IAM role with no stored keys.

Configure an AWS IAM OIDC provider that trusts Azure DevOps, create a role for it, then use the AWS service connection so the CLI runs with assumed-role credentials.

Run AWS CLI through the OIDC connection

The AWSShellScript task runs under credentials assumed via the OIDC service connection.

azure-pipelines.yml
- task: AWSShellScript@1
  inputs:
    awsCredentials: aws-oidc
    regionName: us-east-1
    scriptType: inline
    inlineScript: |
      aws sts get-caller-identity
      aws s3 sync ./dist s3://my-bucket/web/

Notes

  • The AWS IAM role trust policy must trust the Azure DevOps OIDC issuer and subject.
  • No long-lived AWS access keys are stored in Azure; credentials are short-lived and assumed per run.
  • The AWS Toolkit for Azure DevOps extension provides the AWS service connection type.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →