Introduction
Modern DevOps practices demand secure, automated pipelines without storing long-lived credentials. With OpenID Connect (OIDC) federation, Azure DevOps pipelines can dynamically assume roles in AWS, GCP, or other cloud providers, eliminating the need for static access keys.
This guide focuses on:
- Overview of Azure Pipelines with OIDC
- Setting up a self-hosted Linux Azure DevOps agent
- Configuring OIDC federation with cloud identity providers
Prerequisites
Before you begin, ensure you have the following:
- AWS Account: With permissions to create IAM roles and identity providers.
- Azure DevOps Project: With access to configure service connections.
- AWS Toolkit for Azure DevOps: Version 1.15.0 or higher installed in your Azure DevOps project.
Overview of Azure Pipelines with OIDC
Azure Pipelines automates the build, test, and deployment process. Traditionally, pipelines required static credentials to access cloud resources. OIDC changes this by:
- Issuing short-lived credentials at runtime
- Eliminating the need to store secrets in pipelines
- Supporting least-privilege access to cloud services
Workflow Example:
- Developer pushes code to Azure Repos
- Pipeline triggers on a commit
- Self-hosted agent picks up the job
- Pipeline uses OIDC to assume a cloud role securely
- Pipeline performs cloud operations (deploy, configure, test)
Setting up a self-hosted Linux agent
Azure DevOps pipelines run on Microsoft-hosted or self-hosted agents (Windows/Linux).
- Microsoft-hosted agents already include common build tools and have outbound internet access to AWS.
- Self-hosted agents must:
  - Have outbound internet access on port 443
  - Run with sufficient privileges to install the AWS CLI or Toolkit
  - Be secured to prevent unauthorized pipeline executions
Restrict pipeline edit access to authorized team members and configure service connections with least privilege.
Install Dependencies
On your Linux server/VM (Ubuntu example):
```bash
# Update system
sudo apt update && sudo apt upgrade -y

# Install required tools
sudo apt install -y unzip curl wget git

# Install AWS CLI v2
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version
```
Download and Configure Azure Pipelines Agent
- Go to Azure DevOps → Project Settings → Agent Pools → New Agent
- Select Linux and download the agent package
- Extract and configure:
1. Create a directory for the agent and extract the package
```bash
mkdir myagent && cd myagent
tar zxvf ~/Downloads/vsts-agent-linux-x64-4.261.0.tar.gz
```
2. Configure the agent
```bash
# Interactive configuration; prompts for the values listed below
./config.sh
```
You will be asked for:
- Azure DevOps URL (e.g., https://dev.azure.com/myorg/)
- PAT (Personal Access Token) with Agent Pools → Read & Manage
- Agent Pool name
To run the agent interactively, run:
```bash
./run.sh
```
Setting Up OIDC Federation Between Azure DevOps and AWS
Step 1: Create a Service Connection in Azure DevOps
This step establishes a connection between Azure DevOps and AWS using OIDC.
- Navigate to Project Settings in Azure DevOps.
- Under Pipelines, select Service Connections.
- Click on New service connection and choose AWS.
- In the Role to assume field, enter the ARN of the AWS IAM role you will create in AWS (e.g., arn:aws:iam::123456789012:role/az-serviceconnection).
- Check the Use OIDC box.
- Name the service connection (e.g., aws-oidc-federation).
- Save the connection.
Step 2: Obtain the Organization GUID from Azure DevOps
The Organization GUID is required to configure the identity provider in AWS.
- Create a new pipeline in Azure DevOps using the YAML editor.
- Use the following YAML template:
```yaml
trigger:
  - main

pool:
  name: Default

variables:
  aws.rolecredential.maxduration: "3600"

steps:
  - task: AWSCLI@1
    displayName: "Running aws-cli get-caller-identity"
    inputs:
      awsCredentials: 'aws-oidc-federation'
      regionName: 'us-east-1'
      # The AWS CLI task takes the command and sub-command as separate inputs
      awsCommand: 'sts'
      awsSubCommand: 'get-caller-identity'
```
- Run the pipeline.
- In the pipeline logs, look for the sts get-caller-identity output.
- In that output, find the arn value of the form vstoken.dev.azure.com/{OrganizationGUID}; the GUID at the end of it is the Organization GUID.
Step 3: Configure an OpenID Connect Identity Provider in AWS
This step allows AWS to trust Azure DevOps as an identity provider.
- In the AWS Management Console, navigate to IAM.
- Select Identity providers and click on Add provider.
- Choose OpenID Connect as the provider type.
- For the Provider URL, enter https://vstoken.dev.azure.com/{OrganizationGUID} (replace {OrganizationGUID} with the actual GUID obtained earlier).
- Set the Audience to api://AzureADTokenExchange.
- Click Add provider.
Step 4: Create an AWS IAM Role for Azure DevOps
This role defines the permissions Azure DevOps will have when interacting with AWS.
- In the AWS Management Console, navigate to IAM.
- Select Roles and click on Create role.
- Choose Web Identity as the trusted entity type.
- Select the identity provider you just created.
- For the Audience, enter api://AzureADTokenExchange.
- Attach the necessary policies to the role, such as AmazonS3FullAccess, AmazonEC2ReadOnlyAccess, etc., depending on your requirements.
- Name the role (e.g., az-serviceconnection).
- Click Create role.
Step 5: Update the Trust Relationship of the AWS IAM Role
This step allows the Azure DevOps service connection to assume the AWS IAM role.
- In the AWS Management Console, navigate to AWS IAM.
- Select Roles and choose the role you created (az-serviceconnection).
- Under the Trust relationships tab, click on Edit trust relationship.
- Replace the existing policy with the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/vstoken.dev.azure.com/{OrganizationGUID}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "vstoken.dev.azure.com/{OrganizationGUID}:aud": "api://AzureADTokenExchange",
          "vstoken.dev.azure.com/{OrganizationGUID}:sub": "sc://{OrganizationName}/{ProjectName}/{ServiceConnectionName}"
        }
      }
    }
  ]
}
```
Replace {OrganizationGUID} with the GUID from Step 2, and {OrganizationName}, {ProjectName} and {ServiceConnectionName} with your own values. The sub condition is what restricts the role to one specific service connection; without it, any service connection in the organization could assume the role.
- Click Update Trust Policy.
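The following Python script is an added example (it is not part of the original post or of the AWS Toolkit) that ties Step 2 and Step 5 together: it pulls the Organization GUID out of pipeline output, builds the trust policy document from it, and audits a trust policy for the aud and sub conditions that pin the role to a single service connection. The log excerpt, account ID, organization, project and service-connection names are constructed placeholders.

```python
"""Added example: derive the Azure DevOps OIDC issuer from pipeline output,
build the IAM trust policy for the role, and audit a trust policy for the
claim conditions that pin it to one service connection.
All names, IDs and log text below are constructed placeholders."""
import json
import re

ISSUER_HOST = "vstoken.dev.azure.com"
AUDIENCE = "api://AzureADTokenExchange"
# Matches vstoken.dev.azure.com/<GUID> where GUID is 8-4-4-4-12 hex digits
GUID_RE = re.compile(
    rf"{re.escape(ISSUER_HOST)}/([0-9a-f]{{8}}(?:-[0-9a-f]{{4}}){{3}}-[0-9a-f]{{12}})",
    re.IGNORECASE,
)

# Constructed excerpt of pipeline output in which the issuer URL appears
SAMPLE_LOG = """
##[section]Starting: Running aws-cli get-caller-identity
https://vstoken.dev.azure.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
##[section]Finishing: Running aws-cli get-caller-identity
"""


def extract_org_guid(log_text: str) -> str:
    """Return the Organization GUID found in pipeline output (Step 2)."""
    match = GUID_RE.search(log_text)
    if not match:
        raise ValueError(f"no {ISSUER_HOST}/{{GUID}} issuer found in output")
    return match.group(1).lower()


def build_trust_policy(account_id, org_guid, org_name, project, service_connection):
    """Build the Step 5 trust policy: aud and sub are both pinned with StringEquals."""
    issuer = f"{ISSUER_HOST}/{org_guid}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": AUDIENCE,
                f"{issuer}:sub": f"sc://{org_name}/{project}/{service_connection}",
            }},
        }],
    }


def audit_trust_policy(policy: dict) -> list:
    """Return findings for each AssumeRoleWithWebIdentity statement; an empty
    list means aud and sub are pinned to the issuer without wildcards."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        match = re.search(r"oidc-provider/(.+)$", federated)
        if not match:
            findings.append("Principal is not an OIDC provider ARN")
            continue
        issuer = match.group(1)
        if not issuer.startswith(ISSUER_HOST + "/"):
            findings.append(f"issuer {issuer!r} is not an Azure DevOps vstoken issuer")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if equals.get(f"{issuer}:aud") != AUDIENCE:
            findings.append(f"aud condition missing or not {AUDIENCE}")
        sub = equals.get(f"{issuer}:sub")
        if sub is None:
            like = cond.get("StringLike", {}).get(f"{issuer}:sub")
            if like is None:
                findings.append("sub condition missing: any service connection in the org could assume the role")
            elif "*" in like or "?" in like:
                findings.append(f"sub uses wildcard {like!r}; pin it to one service connection")
        elif not re.fullmatch(r"sc://[^/]+/[^/]+/[^/]+", sub):
            findings.append(f"sub {sub!r} is not of the form sc://org/project/serviceconnection")
    return findings


def weakened_policy() -> dict:
    """Constructed counter-example: the sub pin is replaced by an org-wide wildcard."""
    policy = build_trust_policy("123456789012", extract_org_guid(SAMPLE_LOG),
                                "myorg", "myproject", "aws-oidc-federation")
    cond = policy["Statement"][0]["Condition"]
    issuer = f"{ISSUER_HOST}/{extract_org_guid(SAMPLE_LOG)}"
    del cond["StringEquals"][f"{issuer}:sub"]
    cond["StringLike"] = {f"{issuer}:sub": "sc://myorg/*"}
    return policy


if __name__ == "__main__":
    guid = extract_org_guid(SAMPLE_LOG)
    good = build_trust_policy("123456789012", guid, "myorg", "myproject", "aws-oidc-federation")
    print(json.dumps(good, indent=2))
    print("findings (pinned policy):", audit_trust_policy(good))
    print("findings (wildcard policy):", audit_trust_policy(weakened_policy()))
```

Running the script prints the generated trust policy, an empty findings list for it, and one finding for the wildcard variant; the audit function can be pointed at any trust policy JSON retrieved from IAM to answer the FAQ question about permission errors after federation (a missing aud or sub condition shows up as a finding).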
Step 6: Execute the Existing YAML Pipeline in Azure DevOps
With the federation configured, trigger the pipeline you created in Step 2 to validate the integration. Once completed successfully, review the pipeline logs to verify that the sts get-caller-identity command runs without issues. This confirms that the federation is functioning correctly.
Conclusion
By following these steps, you’ve successfully federated Azure DevOps with AWS using OpenID Connect. This setup allows your Azure DevOps pipelines to authenticate with AWS securely, leveraging temporary credentials and eliminating the need for static IAM credentials.
FAQs
1. What is the advantage of using OpenID Connect (OIDC) over long-lived AWS access keys in Azure DevOps?
ANS: OIDC eliminates the need to manage and rotate long-lived AWS credentials. Instead, it enables secure, short-lived, automatically refreshed tokens, reducing security risks.
2. Do I still need an AWS access key and secret key for the pipeline after setting up OIDC federation?
ANS: No. Once federation is set up, the pipeline assumes an AWS IAM role in AWS via OIDC, removing the need for static credentials in Azure DevOps.
3. What if my pipeline fails with a permissions error after federation?
ANS: This usually means the IAM role does not have the correct permissions, or the trust policy is missing required claims. Double-check the IAM trust policy and the role’s permissions policy.
WRITTEN BY Aishwarya M
Aishwarya M works as a Cloud Solutions Architect – DevOps & Kubernetes at CloudThat. She is a proficient DevOps professional with expertise in designing scalable, secure, and automated infrastructure solutions across multi-cloud environments. Aishwarya specializes in leveraging tools like Kubernetes, Terraform, CI/CD pipelines, and monitoring stacks to streamline software delivery and ensure high system availability. She has a deep understanding of cloud-native architectures and focuses on delivering efficient, reliable, and maintainable solutions. Outside of work, Aishwarya enjoys traveling and cooking, exploring new places and cuisines while staying updated with the latest trends in cloud and DevOps technologies.