Getting Started - AWS Toolkit for Microsoft Azure DevOps

Getting Started

This section provides information about how to install, set up, and use the AWS Toolkit for Microsoft Azure DevOps.

Set up an Azure DevOps Account

To use Azure DevOps, you will first need to sign up for an Azure DevOps Account.

Install the AWS Toolkit for Azure DevOps Extension

Go to the relevant Visual Studio Marketplace and search for AWS Toolkit for Microsoft Azure DevOps. (The following URL is a direct link to the AWS Toolkit for Azure DevOps:

Choose Get it free and sign in to your Azure DevOps account if prompted. Then choose Install to install into your Azure DevOps account, or choose Download to install into an on-premises server.


Establish AWS Credentials for the AWS Toolkit for Azure DevOps

To use the AWS Toolkit for Azure DevOps to access AWS, you need an AWS account and AWS credentials. When build agents run the tasks contained in the tools, the tasks must be configured with, or have access to, those AWS credentials to enable them to call AWS service APIs. To increase the security of your AWS account, we recommend that you do not use your root account credentials, but rather create an IAM user to provide access credentials to the tasks running in the build agent processes.


For an overview of IAM users and why they are important for the security of your account, see Overview of Identity Management: Users in the IAM User Guide.

Sign Up for an AWS Account

  1. Open, and then choose Create an AWS Account.

  2. Follow the onscreen instructions. Part of the signup procedure involves receiving a phone call and entering a PIN using your phone keypad.

Create an IAM User and Download Its Credentials

Next, create an IAM user and download (or copy) its credentials. To use the AWS Toolkit for Azure DevOps, you must have a set of valid AWS credentials, which consist of an access key and a secret key. These keys are used to sign programmatic web service requests and enable AWS to verify that the request comes from an authorized source. You can obtain a set of account credentials when you create your account. However, we recommend that you do not use these credentials with AWS Toolkit for Azure DevOps. Instead, create one or more IAM users, and use those credentials.

  1. Open the IAM console (you may need to sign in to AWS first).

  2. Choose Users in the sidebar to view your IAM users.

  3. If you don't have any IAM users set up, choose Create New Users to create one.

  4. Select the IAM user in the list that you want to use to access AWS.

  5. Open the Security Credentials tab, and then choose Create Access Key.


    You can have a maximum of two active access keys for any given IAM user. If your IAM user has two access keys already, you need to delete one of them before creating a new key.

  6. In the Create access key dialog box that opens, choose Download .csv file to download the credential file to your computer. Or choose the Show link in the Secret access key column to view the IAM user's secret access key, and then copy the access key ID and the secret access key.


    There is no way to obtain the secret access key once you close the dialog box. You can, however, delete its associated access key ID and create a new one.

Supplying Task Credentials (Overview)

Once an AWS account has been created, and preferably an IAM user for that account as detailed above, you can supply credentials to the tasks in a number of ways:

  • By configuring a service endpoint of type AWS and referencing that endpoint when configuring tasks.

  • By creating specific named variables in your build. The variable names for supplying credentials are AWS.AccessKeyID, AWS.SecretAccessKey and, optionally, AWS.SessionToken. To set the region in which the AWS service API calls are made, you can also specify AWS.Region with the region code (for example, us-west-2).

  • By using standard AWS environment variables in the build agent process. These variables are AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and, optionally, AWS_SESSION_TOKEN. To set the region in which the AWS service API calls are made, you can also specify AWS_REGION with the region code (for example, us-west-2).

  • For build agents running on Amazon EC2 instances, the tasks can automatically obtain credential and region information from the instance metadata associated with the EC2 instance. For credentials to be available from EC2 instance metadata, the instance must have been started with an instance profile that references a role granting the tasks permission to make calls to AWS on your behalf. See IAM Roles for Amazon EC2 for more information.
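
As an added example (not part of the AWS Toolkit or of this guide), the following Python check can run as an early step on a build agent to report which form of environment-variable credentials from the list above is present, without printing any secret value. The function name and status labels are assumptions made for this example; the prefix test relies on AWS issuing long-term access key IDs that begin with AKIA and temporary (STS) key IDs that begin with ASIA.

```python
import os


def audit_env_credentials(env):
    """Classify the AWS_* variables a build agent process would see.

    Returns (status, findings). Only variable names and the key-ID prefix are
    reported; secret values are never returned or printed.
    """
    key_id = env.get("AWS_ACCESS_KEY_ID", "")
    secret = env.get("AWS_SECRET_ACCESS_KEY", "")
    token = env.get("AWS_SESSION_TOKEN", "")
    findings = []

    if not env.get("AWS_REGION"):
        findings.append("AWS_REGION not set; the region must come from another source")

    if not (key_id or secret or token):
        return "absent", findings + ["no AWS_* credentials in the environment"]
    if not (key_id and secret):
        missing = [name for name, value in (("AWS_ACCESS_KEY_ID", key_id),
                                            ("AWS_SECRET_ACCESS_KEY", secret)) if not value]
        return "incomplete", findings + ["missing " + ", ".join(missing)]

    prefix = key_id[:4]
    if prefix == "ASIA":  # temporary key issued by AWS STS; needs a session token
        if not token:
            return "inconsistent", findings + ["temporary key without AWS_SESSION_TOKEN"]
        return "temporary", findings
    if prefix == "AKIA":  # long-term access key of an IAM user (or the root account)
        if token:
            return "inconsistent", findings + ["long-term key combined with AWS_SESSION_TOKEN"]
        return "long-lived", findings + [
            "long-lived access key on the agent; rotate it and scope the IAM user narrowly"]
    return "unknown", findings + ["unrecognised access key prefix " + prefix]


if __name__ == "__main__":
    status, notes = audit_env_credentials(os.environ)
    print("environment credentials:", status)
    for note in notes:
        print(" -", note)
```

A status of `absent` only means the environment variables are not the source in use; the tasks may still receive credentials from a service endpoint, build variables, or EC2 instance metadata.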

Supplying Task Credentials using a Service Endpoint

If you choose to use service endpoints of type AWS to convey credentials to the AWS tasks in the tools, you can create a link to your AWS subscription by using the Service connections section of the Project settings for your project. Note that a service endpoint expects long-lived AWS credentials consisting of an access-key and secret-key pair. Alternatively, you can define Assume Role credentials. Service endpoints do not support the use of a session token variable. To use temporary AWS credentials that rely on a session token, use the build or environment variable approaches described earlier, or run your build agents on Amazon EC2 instances.

To create a link to the AWS subscription for use in Build or Release Management definitions:

  1. Find the gear icon for your project, either in the lower left-hand corner of the window or by hovering over the project's name.

  2. Choose the icon to open the Project settings for your project.

  3. Choose Service connections.

  4. Under + New service connection, select the AWS endpoint type. This opens the Add AWS service connection form.

  5. Provide the following parameters, and then click OK:

    • Connection name

    • Access key ID

    • Secret access key

    The connection name is used to refer to these credentials when you are configuring tasks that access this set of AWS credentials in your build and release definitions.

For more information, see About Access Keys in the IAM User Guide.