AWS Tools for Microsoft Visual Studio Team Services
User Guide

Getting Started

This section provides information about how to install, set up, and use the AWS Tools for Microsoft Visual Studio Team Services.

Set up a VSTS Account

To use Visual Studio Team Services (VSTS), you need to sign up for a Visual Studio Team Services Account.

Install the AWS Tools for VSTS Extension

The AWS Tools for VSTS is installed from the Visual Studio Marketplace. Sign in to your VSTS account, then search for AWS Tools for Microsoft Visual Studio Team Services. Choose Install to download to VSTS, or choose Download to install into an on-premises Team Foundation Server.

            Download Team Services Extension

Set up AWS Credentials for the AWS Tools for VSTS

To use the AWS Tools for VSTS to access AWS, you need an AWS account and AWS credentials. To increase the security of your AWS account, we recommend that you use an IAM user to provide access credentials instead of using your root account credentials.


For an overview of IAM users and why they are important for the security of your account, see Overview of Identity Management: Users in the IAM User Guide.

To sign up for an AWS account

  1. Open, and then choose Sign Up.

  2. Follow the onscreen instructions. Part of the signup procedure involves receiving a phone call and entering a PIN using your phone keypad.

Next, create an IAM user and download (or copy) its secret access key. To use the AWS Tools for VSTS, you must have a set of valid AWS credentials, which consist of an access key and a secret key. These keys are used to sign programmatic web service requests and enable AWS to verify that the request comes from an authorized source. You can obtain a set of account credentials when you create your account. However, we recommend that you do not use these credentials with AWS Tools for VSTS. Instead, create one or more IAM users, and use those credentials.

To create an IAM user

  1. Open the IAM console (you may need to sign in to AWS first).

  2. Choose Users in the sidebar to view your IAM users.

  3. If you don't have any IAM users set up, choose Create New Users to create one.

  4. Select the IAM user in the list that you want to use to access AWS.

  5. Open the Security Credentials tab, and then choose Create Access Key.


    You can have a maximum of two active access keys for any given IAM user. If your IAM user has two access keys already, you need to delete one of them before creating a new key.

  6. In the dialog box that opens, choose Download Credentials to download the credential file to your computer. Or choose Show User Security Credentials to view the IAM user's access key ID and secret access key (which you can copy and paste).


    There is no way to obtain the secret access key once you close the dialog box. You can, however, delete its associated access key ID and create a new one.

Create an AWS Connection

To use the tasks contained in the tools, you must link an AWS subscription to VSTS or Team Foundation Server. Each VSTS/TFS project is associated with its own set of credentials. The credentials are used by the VSTS/TFS build agents when running builds and/or releases for a project containing tasks from the AWS tools.

You can link your subscription from the Services tab in the Account Administration section. Add the AWS subscription to use in the Build or Release Management definition by opening the Account Administration page (choose the gear icon on the top right of the page), and then choose Services. Choose + New Service Endpoint. Select the AWS endpoint type. This opens the Add new AWS Connection form.

            Create an AWS endpoint

Provide the following parameters, and then click OK:

  • Connection name

  • Access key ID

  • Secret access key

The connection name is used to refer to these credentials when you are configuring tasks that access AWS in your build and release definitions.

The credentials associated with the project are used by VSTS or TFS build agents that execute the AWS tasks you configure in your build and/or release pipelines. You can associate a single set of credentials to be used in all AWS tasks in a project or you can associate multiple sets of credentials. Project team members reference the associated credentials when configuring tasks for a project's build and/or release definitions.


We strongly suggest you use access and secret keys generated for an Identity and Access Management (IAM) user account. You can configure an IAM user account with permissions granting access to only the services and resources required to support the tasks you intend to use in your build and release definitions. For more information, see Best Practices for Managing AWS Access Keys.

Tasks can also use assumed role credentials by adding the Amazon Resource name (ARN) of the role to be assumed and an optional identifier when configuring the endpoint. The access and secret keys specified will then be used to generate temporary credentials for the tasks when they are executed by the build agents. Temporary credentials are valid for up to 15 minutes by default. To enable a longer validity period you can set the 'aws.rolecredential.maxduration' variable on your build or release definition, specifying a validity period in seconds between 15 minutes (900 seconds) and one hour (3600 seconds).

For more information, see About Access Keys.