Securing Azure DevOps and AWS Integration with OIDC


Traditional approaches to connecting Azure DevOps with AWS relied on long-lived access keys stored in service connections. This poses significant security risks. OIDC (OpenID Connect) federation provides a modern, secure alternative.

Why OIDC?

OIDC federation offers several advantages over access keys:

  • No long-lived credentials: Temporary tokens are issued on-demand
  • Automatic rotation: Tokens expire automatically
  • Fine-grained permissions: Use IAM roles with specific permissions
  • Audit trail: Better tracking of who accessed what and when

How OIDC Works

  1. Azure DevOps pipeline requests a token
  2. Azure AD issues a web identity token
  3. Pipeline presents token to AWS STS
  4. AWS STS validates and returns temporary credentials
  5. Pipeline uses temporary credentials to interact with AWS

Implementation Steps

1. Configure the OIDC Provider in AWS

First, create an OIDC identity provider in your AWS account:

# Fetches the issuer's TLS certificate chain so the thumbprint does not have to be pasted by hand
data "tls_certificate" "azure_devops" {
  url = "https://vstoken.dev.azure.com/<organization-id>"
}

resource "aws_iam_openid_connect_provider" "azure_devops" {
  url             = "https://vstoken.dev.azure.com/<organization-id>"
  client_id_list  = ["api://AzureADTokenExchange"]  # audience AWS accepts in the token's aud claim
  thumbprint_list = [data.tls_certificate.azure_devops.certificates[0].sha1_fingerprint]
}

2. Create an IAM Role

Create a role that trusts the OIDC provider:

resource "aws_iam_role" "pipeline_role" {
  name = "azure-devops-pipeline-role"

  # Trust policy: only the named Azure DevOps service connection may assume this role
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Federated = aws_iam_openid_connect_provider.azure_devops.arn
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          StringEquals = {
            # Subject claim format: sc://<org>/<project>/<service-connection-name>
            "vstoken.dev.azure.com/<organization-id>:sub" = "sc://<org>/<project>/<service-connection-name>"
          }
        }
      }
    ]
  })
}

3. Configure Azure DevOps Service Connection

Create a service connection in Azure DevOps:

  1. Go to Project Settings > Service Connections
  2. Select AWS
  3. Choose “OpenID Connect”
  4. Enter your role ARN
  5. Test and save

Security Best Practices

  • Restrict subject claims: Use specific conditions in IAM trust policies
  • Minimal permissions: Grant only required permissions to the role
  • Separate roles per environment: Use different roles for dev, staging, and prod
  • Monitor usage: Enable CloudTrail logging for audit purposes
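To verify that a role's trust policy actually restricts the subject claim the way step 2 and the first best practice above require, here is an added Python check that is not part of the original post. It goes one step beyond the post's policy by also requiring the aud claim to be pinned to the audience from client_id_list; the issuer host keeps the post's <organization-id> placeholder, and the account id and service-connection names in the samples are constructed.

```python
"""Lint an IAM trust policy for an Azure DevOps OIDC role (added example)."""
import re

ISSUER = "vstoken.dev.azure.com/<organization-id>"  # issuer host from the post; placeholder org id
EXPECTED_AUD = "api://AzureADTokenExchange"          # audience in client_id_list above
# Exactly one service connection, sc://<org>/<project>/<name>, with no wildcards.
SUB_PATTERN = re.compile(r"^sc://[^/*?]+/[^/*?]+/[^/*?]+$")


def find_trust_issues(policy: dict) -> list[str]:
    """Return findings for every AssumeRoleWithWebIdentity grant; [] means the policy passes."""
    issues = []
    sub_key, aud_key = f"{ISSUER}:sub", f"{ISSUER}:aud"
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if sub_key in like:
            issues.append(f"statement {i}: sub uses StringLike; pin it with StringEquals")
        elif sub_key not in equals:
            issues.append(f"statement {i}: no sub condition; any pipeline under this issuer may assume the role")
        else:
            subs = equals[sub_key]
            for sub in ([subs] if isinstance(subs, str) else subs):
                if not SUB_PATTERN.match(sub):
                    issues.append(f"statement {i}: sub {sub!r} is not a single service connection")
        if equals.get(aud_key) != EXPECTED_AUD:
            issues.append(f"statement {i}: aud is not pinned to {EXPECTED_AUD}")
    return issues


def sample_policy(condition: dict) -> dict:
    """Constructed one-statement trust policy (sample account id) around the given Condition."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# The post's trust policy with the aud claim pinned as well: passes.
GOOD_POLICY = sample_policy({"StringEquals": {
    f"{ISSUER}:sub": "sc://my-org/my-project/aws-prod", f"{ISSUER}:aud": EXPECTED_AUD}})
# Wildcard sub and no aud condition, a common misconfiguration: two findings.
WEAK_POLICY = sample_policy({"StringLike": {f"{ISSUER}:sub": "sc://my-org/*"}})
```

Run find_trust_issues over the JSON of each role you export from IAM; an empty list means the role is pinned to one service connection and one audience.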

Conclusion

OIDC federation significantly improves the security posture of your AWS and Azure DevOps integration. It eliminates the need for long-lived credentials while providing better auditability and control.

The initial setup requires some effort, but the security benefits are well worth it.