Sent the YAML as well, and the trust relationship policy which I have set up at the AWS end.
Azure CD Pipeline connectivity with AWS using IAM Role and OIDC is not working
Hi Team,
I am working on a use case where I need to set up the Azure CD pipeline and establish the connectivity while the YAML pipeline is running.
I am using a service connection to make the connectivity with AWS, and the approach I am following is using an IAM Role and OIDC, for which I created an Identity provider and used that identity provider while creating the IAM Role.
But my CD pipeline is not able to fetch the temporary session token, and I noticed that the connection type is AWS and the Authentication type is BASIC authentication.
Can you please tell me how to create a service connection with Workload Identity federation, like what I can currently see for Azure Resource Manager?
As per my understanding the Authentication Type should be 'Workload Identity federation' instead of Basic authentication.
Error message:
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
Azure DevOps
-
Durga Reshma Malthi • 6,205 Reputation points • Microsoft External Staff • Moderator
2025-07-01T11:52:34.39+00:00 Hi Yadav, Anuj
If you're using OIDC with IAM Role for authentication between Azure DevOps (ADO) and AWS, then your Azure DevOps service connection must be configured with Workload Identity Federation, not Basic Authentication.
Could you please follow the below steps:
- In the AWS Console go to IAM -> Identity Providers -> Click "Add Provider" -> Choose OIDC:
  - Provider URL: https://vstoken.dev.azure.com/{your-org-ID}
  - Audience: https://dev.azure.com/<your-org-name>
- In AWS IAM, create a role:
  - Trusted entity type: Web Identity
  - Identity provider: Select the OIDC provider you just created.
  - Audience: https://dev.azure.com/<your-org-name>
- Add a trust policy similar to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:oidc-provider/vstoken.dev.azure.com/<your-org-ID>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "vstoken.dev.azure.com/<your-org-ID>:aud": "https://dev.azure.com/<your-org-name>",
          "vstoken.dev.azure.com/<your-org-ID>:sub": "<sub-claim-of-your-pipeline-token>"
        }
      }
    }
  ]
}
- Currently AWS is not available in DevOps Service Connections UI.
- Use Terraform or a custom script to inject the token during pipeline runtime.
Additional References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
Hope this helps!
Please Let me know if you have any queries.
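As an added example (not code from this thread), the script below decodes the claims of a pipeline token, builds the role trust policy for the provider created in the steps above, and checks the policy against the claims the way STS evaluates the Condition block, so a mismatch between provider, audience or subject shows up before the pipeline runs. The token and its sub value are constructed; the sub format is an assumption and the real value should be taken from a decoded token.

```python
import base64
import fnmatch
import json

# Constructed sample claims shaped like an Azure DevOps pipeline OIDC token (not a real token).
# The sub format is an assumption: copy the real value from a decoded token instead.
PROVIDER = "vstoken.dev.azure.com/<your-org-ID>"  # provider URL as registered in IAM, without https://
SAMPLE_CLAIMS = {
    "iss": "https://" + PROVIDER,
    "aud": "https://dev.azure.com/<your-org-name>",
    "sub": "sc://<your-org-name>/<project>/<service-connection>",
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build a header.payload. token for local testing only (real tokens are signed by ADO)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature (inspection, not trust)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def build_trust_policy(account_id: str, provider: str, aud: str, sub: str) -> dict:
    """Trust policy that pins the role to one provider, one audience and one subject."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{provider}:aud": aud, f"{provider}:sub": sub}},
    }]}

def policy_allows(policy: dict, claims: dict) -> bool:
    """Approximate the STS check: issuer must match the provider and every condition key must match."""
    for stmt in policy["Statement"]:
        provider = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
        if stmt["Effect"] != "Allow" or claims.get("iss", "").removeprefix("https://") != provider:
            continue
        cond = stmt.get("Condition", {})
        equals = all(claims.get(k.rsplit(":", 1)[1]) == v for k, v in cond.get("StringEquals", {}).items())
        like = all(fnmatch.fnmatchcase(str(claims.get(k.rsplit(":", 1)[1], "")), v)
                   for k, v in cond.get("StringLike", {}).items())
        if equals and like:
            return True
    return False
```

Running policy_allows with a policy whose provider host differs from the token's iss (for instance a GitHub-style host) returns False, which is the same outcome STS gives when the provider in the trust policy is not the one that issued the token.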
-
Yadav, Anuj • 0 Reputation points
2025-07-01T14:00:59.1666667+00:00 Hi Durga Reshma Malthi- Thanks for your reply.
I have set up the Identity provider on the AWS side and created the IAM role using that Identity Provider. I have also set up the trust relationship (attached). Below is the trust relationship I have set up:
While I was trying to use the service connection (which was expected to use Identity federation but was using basic authentication), I tried to use AWSCLI@1, and while I was checking the logs it said it was able to assume the role, but somehow it was not fetching the credentials and not propagating them to the next step in the YAML pipeline. Then I tried to manually assume the role, but again it started giving some other error. At least it was able to assume the role using AWSCLI@1 but not using the manual script.
-
Yadav, Anuj • 0 Reputation points
2025-07-01T14:07:09.5966667+00:00 - @Malthi Durga Reshma, in the above reply you mentioned "Currently AWS is not available in DevOps Service Connections UI." Then what would be the workaround for this? I have my Identity provider in place, the IAM role is properly configured, and it has a proper inline policy also. And I am able to create the service connection and am trying to use this SC in the AWSCLI@1 task, but the authentication type it is showing is "basic authentication". I have found somewhere on Google that Microsoft removed OIDC support in June 2025; then what alternative has MS given in place of this?
-
Durga Reshma Malthi • 6,205 Reputation points • Microsoft External Staff • Moderator
2025-07-01T15:58:33.67+00:00 Hi Yadav, Anuj
Since the UI no longer supports OIDC for AWS, you can add a custom script step early in your pipeline:
- task: Bash@3
  displayName: "Assume AWS Role using OIDC"
  inputs:
    targetType: 'inline'
    script: |
      echo "Installing required tools..."
      curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
      unzip awscliv2.zip
      sudo ./aws/install
      sudo apt-get update && sudo apt-get install -y jq
      echo "Fetching Azure DevOps OIDC token..."
      OIDC_TOKEN=$(curl -sSL -H "Authorization: Bearer $(System.AccessToken)" "$(System.IdentityTokenURI)?resource=https://dev.azure.com/")
      echo "Assuming role with web identity..."
      CREDS=$(aws sts assume-role-with-web-identity \
        --role-arn "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>" \
        --role-session-name "ado-oidc-session" \
        --web-identity-token "$OIDC_TOKEN")
      export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
      export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
      export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')
      echo "Exported AWS credentials."
For the AWS CLI and SDKs to work, credentials need to be available in the environment. So use the script above in the same job, and follow with steps like:
- script: |
    aws s3 ls
  displayName: "Run AWS command with assumed role"
  env:
    AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
    AWS_SESSION_TOKEN: $(AWS_SESSION_TOKEN)
Hope this helps!
Please Let me know if you have any queries.
-
Yadav, Anuj • 0 Reputation points
2025-07-02T05:28:23.88+00:00 Hi @Malthi Durga Reshma - Thanks for your reply !
I have tried the above approach, but the variable which is being used in the manual assumption script, System.AccessToken, gives a blank value. I even tried creating a Classic pipeline where I have the option to enable "Allow scripts to access the OAuth token", but it did not work. I am in a deadlock situation.
In YAML, when I get a null System.AccessToken value it suggests that I enable the option "Allow scripts to access the OAuth token", but I don't have the option to enable this. Then somewhere I got to know that this option can be found in the classic pipeline, so I moved to classic and got this option, but it is still not working. I am stuck, please help. If you want I can share the code here.
Yadav, Anuj • 0 Reputation points
2025-07-02T05:31:02.5233333+00:00 This is the YAML code I am using to assume the role manually:
-
Yadav, Anuj • 0 Reputation points
2025-07-02T05:44:02.3666667+00:00 I am using both approaches (classic as well as YAML) in parallel but am not able to make it work.
-
Durga Reshma Malthi • 6,205 Reputation points • Microsoft External Staff • Moderator
2025-07-02T08:32:28.8766667+00:00 Hi Yadav, Anuj
If your pipeline is running in a release pipeline (not a build pipeline), the OAuth token behaves differently. Classic release pipelines don't always honor System.AccessToken the same way YAML or classic build pipelines do. In a YAML file, you must explicitly map the token into the environment:
- script: echo "Token: $SYSTEM_ACCESSTOKEN"
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
Then reference it as $SYSTEM_ACCESSTOKEN in your script, not $(System.AccessToken).
Hope this helps!
Please Let me know if you have any queries.
-
-
Yadav, Anuj • 0 Reputation points
2025-07-02T08:48:53.71+00:00 This is the log after checking System.AccessToken:
The very next step:
-
Durga Reshma Malthi • 6,205 Reputation points • Microsoft External Staff • Moderator
2025-07-02T09:57:26.1133333+00:00 Hi Yadav, Anuj
Thanks for sharing the screenshots.
Ensure your project visibility is private.
The error seems to be that you're referencing System.IdentityTokenURI without proper syntax. In Bash, variables like that must be wrapped like ${System.IdentityTokenURI}, but even then they only work if passed explicitly into the environment block. Could you please try this YAML file:
- task: Bash@3
  displayName: "Assume AWS Role via OIDC"
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
  inputs:
    targetType: 'inline'
    script: |
      echo "Requesting OIDC token from Azure DevOps..."
      OIDC_TOKEN=$(curl -s -H "Authorization: Bearer $SYSTEM_ACCESSTOKEN" \
        "$(System.TeamFoundationCollectionUri)_apis/distributedtask/hubs/build/plans/$(System.PlanId)/oidc/token?api-version=7.1-preview.1" | jq -r .value)
      if [ -z "$OIDC_TOKEN" ]; then
        echo "OIDC token is empty. Double-check token permissions and pipeline type."
        exit 1
      fi
      echo "Calling AWS STS to assume role..."
      CREDS=$(aws sts assume-role-with-web-identity \
        --role-arn "arn:aws:iam::<your-account-id>:role/<your-role-name>" \
        --role-session-name "ado-role-session-$(Build.BuildId)" \
        --web-identity-token "$OIDC_TOKEN")
      if [ -z "$CREDS" ]; then
        echo "Failed to assume role. Check if token is valid and trust relationship is configured correctly."
        exit 1
      fi
      export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
      export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
      export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')
      echo "Setting pipeline variables..."
      echo "##vso[task.setvariable variable=AWS_ACCESS_KEY_ID;issecret=true]$AWS_ACCESS_KEY_ID"
      echo "##vso[task.setvariable variable=AWS_SECRET_ACCESS_KEY;issecret=true]$AWS_SECRET_ACCESS_KEY"
      echo "##vso[task.setvariable variable=AWS_SESSION_TOKEN;issecret=true]$AWS_SESSION_TOKEN"
Alternatively, try this. Replace
OIDC_TOKEN=$(curl -sSL -H "Authorization: Bearer $(System.AccessToken)" "$(System.IdentityTokenURI)?resource=https://dev.azure.com/")
with:
OIDC_TOKEN=$AZURE_DEVOPS_OIDC_TOKEN
and adjust the YAML file as required:
env:
  AZURE_DEVOPS_OIDC_TOKEN: $(AZURE_DEVOPS_OIDC_TOKEN)
Hope this helps!
Please Let me know if you have any queries.
-
Yadav, Anuj • 0 Reputation points
2025-07-02T10:11:41.7233333+00:00 -
Yadav, Anuj • 0 Reputation points
2025-07-02T10:23:01.83+00:00 Error I am getting:
-
Yadav, Anuj • 0 Reputation points
2025-07-02T11:11:07.1366667+00:00 One quick question: why is the feature Service connections -> AWS -> Workload Identity Federation (OIDC) not enabled at my org or project level for AWS? I can see it is there for ARM. Has Microsoft disabled this feature, or what is the reason?
How do I get this enabled?
-
Durga Reshma Malthi • 6,205 Reputation points • Microsoft External Staff • Moderator
2025-07-02T11:21:19.5933333+00:00 Hi Yadav, Anuj
Microsoft removed the AWS OIDC option from the Azure DevOps UI and service connection wizard.
The AWS Toolkit for Azure DevOps (v1.15+) still supports OIDC behind the scenes, but it requires manual configuration via pipeline tasks, not through the service connection UI.
Hope this helps!
Please Let me know if you have any queries.
-
Yadav, Anuj • 0 Reputation points
2025-07-02T11:23:55.4533333+00:00 I am stuck now. The YAML code which you suggested is not working, there is no support from the service connection side, no support on the classic pipeline... where should I go now? :( But thank you so much for your support @Malthi Durga Reshma.
-
Yadav, Anuj • 0 Reputation points
2025-07-03T06:15:35.6033333+00:00 @Malthi Durga Reshma, any further suggestions please?
-
Durga Reshma Malthi • 6,205 Reputation points • Microsoft External Staff • Moderator
2025-07-03T07:55:45.7833333+00:00 Hi Yadav, Anuj
Could you please check the private message and try the script which I mentioned.
Also make sure your AWS IAM Role has a trust policy like this:
{
  "Effect": "Allow",
  "Principal": {
    "Federated": "arn:aws:iam::<your-account-id>:oidc-provider/vsts.azure.com"
  },
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {
      "vsts.azure.com:sub": "org:<your-org-id>:project:<your-project-id>:pipeline:<pipeline-id>"
    }
  }
}
Alternatively, try the below YAML file as well:
- task: Bash@3
  displayName: "Assume AWS Role via OIDC"
  inputs:
    targetType: 'inline'
    script: |
      echo "Reading OIDC token from environment..."
      if [ -z "$AZURE_DEVOPS_OIDC_TOKEN" ]; then
        echo "OIDC token is empty. Make sure this pipeline is in a private project."
        exit 1
      fi
      echo "Calling AWS STS to assume role..."
      CREDS=$(aws sts assume-role-with-web-identity \
        --role-arn "arn:aws:iam::<your-account-id>:role/<your-role-name>" \
        --role-session-name "ado-role-session-$(Build.BuildId)" \
        --web-identity-token "$AZURE_DEVOPS_OIDC_TOKEN")
      export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
      export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
      export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')
      echo "Setting pipeline variables..."
      echo "##vso[task.setvariable variable=AWS_ACCESS_KEY_ID;issecret=true]$AWS_ACCESS_KEY_ID"
      echo "##vso[task.setvariable variable=AWS_SECRET_ACCESS_KEY;issecret=true]$AWS_SECRET_ACCESS_KEY"
      echo "##vso[task.setvariable variable=AWS_SESSION_TOKEN;issecret=true]$AWS_SESSION_TOKEN"
  env:
    AZURE_DEVOPS_OIDC_TOKEN: $(AZURE_DEVOPS_OIDC_TOKEN)
If possible, could you please share the YAML file in a private message.
Hope this helps!
Please Let me know if you have any queries.
-
Yadav, Anuj • 0 Reputation points
2025-07-03T08:34:58.1966667+00:00 -
Durga Reshma Malthi • 6,205 Reputation points • Microsoft External Staff • Moderator
2025-07-07T08:49:13.05+00:00 Hi Yadav, Anuj
If you are still facing the issue, please raise a support ticket in the Azure Portal, or you can report the problem in the developer community: https://developercommunity.visualstudio.com/AzureDevOps