aws-toolkit-azure-devops
Pass a role ARN in runtime and use with service connection
Is your feature request related to a problem? Please describe.
Assume that I have an IAM user for Azure DevOps, and the IAM user can switch between two roles, one in a dev account and one in a production account. I want to use one service connection for the IAM user and pass a role ARN at build runtime.
However, the AWSShellScript@1 task (and other tasks) doesn't accept a role ARN as an input parameter. Currently, I manually AssumeRole in an AWSShellScript@1 task and set variables like AWS.AccessKeyID as below.
```yaml
jobs:
- job: job_in_dev
  variables:
    AWS.Region: ap-northeast-1
    roleArn: arn:aws:iam::123456789012:role/azure-devops-DevRole
    sessionName: $(Build.BuildId)
  steps:
  - task: AWSShellScript@1
    displayName: AssumeRole
    inputs:
      awsCredentials: aws-sample-connection
      scriptType: inline
      inlineScript: |
        aws sts assume-role --role-arn $(roleArn) --role-session-name $(sessionName) \
          --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' --out text \
          | while read -r v1 v2 v3; do
              echo "##vso[task.setvariable variable=AWS.AccessKeyID;issecret=true]$v1"
              echo "##vso[task.setvariable variable=AWS.SecretAccessKey;issecret=true]$v2"
              echo "##vso[task.setvariable variable=AWS.SessionToken;issecret=true]$v3"
            done
  - task: AWSShellScript@1
    displayName: Do the job in dev account
    inputs:
      scriptType: inline
      inlineScript: aws ec2 describe-instances
```
This method works, but the first step is too redundant.
Describe the solution you'd like
I suggest adding a task for AssumeRole (e.g. AWSAssumeRole@0). If AWSAssumeRole@0 accepts a service connection (awsCredentials) and a role ARN, the above YAML is simplified.
```yaml
jobs:
- job: job_in_dev
  variables:
    AWS.Region: ap-northeast-1
  steps:
  - task: AWSAssumeRole@0
    inputs:
      awsCredentials: aws-sample-connection
      assumeRoleArn: arn:aws:iam::123456789012:role/azure-devops-DevRole
      roleSessionName: $(Build.BuildId)
      externalId: xxx
  # subsequent steps can use the short-lived credentials generated by AssumeRole
  - task: AWSShellScript@1
    displayName: Do the job in dev account
    inputs:
      scriptType: inline
      inlineScript: aws ec2 describe-instances
```
Describe alternatives you've considered
An alternative solution is a way to pass a role ARN as a build variable. If AWSShellScript@1 (and other tasks) read a role ARN from a build variable like AWS.AssumeRoleArn, the above YAML is simplified.
```yaml
jobs:
- job: job_in_dev
  variables:
    AWS.Region: ap-northeast-1
    AWS.AssumeRoleArn: arn:aws:iam::123456789012:role/azure-devops-DevRole
    AWS.RoleSessionName: $(Build.BuildId)
    AWS.ExternalId: xxx
  steps:
  - task: AWSShellScript@1
    displayName: Do the job in dev account
    inputs:
      awsCredentials: aws-sample-connection
      scriptType: inline
      inlineScript: aws ec2 describe-instances
```
This solution is already suggested by @FaridNeshat-TomTom in https://github.com/aws/aws-toolkit-azure-devops/issues/340#issuecomment-805734538.
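A hardened version of the manual AssumeRole step from the first YAML above, added here as an example and not code from the issue or from the toolkit. The original pipeline (`aws sts assume-role ... | while read`) exits 0 even when assume-role fails, so the AWS.* variables are silently left unset for the following tasks; this version fails the step instead. The function names and the constructed sample input are assumptions.

```shell
#!/usr/bin/env bash
# Added example: hardened AssumeRole step for an AWSShellScript@1 inline script.
set -eu
# pipefail makes a failing 'aws sts assume-role' fail the whole pipeline below
# (guarded so the script still loads on shells that lack the option).
(set -o pipefail) 2>/dev/null && set -o pipefail

# Read one line of "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken" (the
# --output text form of the --query used in the issue) from stdin and emit the
# Azure DevOps logging commands that set the AWS.* variables as secrets.
# Emits nothing and returns 1 if any of the three fields is missing, so a
# silent assume-role failure cannot leave the later tasks without credentials.
emit_assumed_role_vars() {
    local v1 v2 v3
    read -r v1 v2 v3 || true
    if [ -z "${v1:-}" ] || [ -z "${v2:-}" ] || [ -z "${v3:-}" ]; then
        echo "##vso[task.logissue type=error]AssumeRole returned no credentials" >&2
        return 1
    fi
    echo "##vso[task.setvariable variable=AWS.AccessKeyID;issecret=true]$v1"
    echo "##vso[task.setvariable variable=AWS.SecretAccessKey;issecret=true]$v2"
    echo "##vso[task.setvariable variable=AWS.SessionToken;issecret=true]$v3"
}

# Assume the role and feed the result to the emitter. Requires the AWS CLI and
# the service-connection credentials that AWSShellScript@1 places in the
# environment; $1 = role ARN, $2 = role session name (e.g. $(Build.BuildId)).
assume_role_to_vars() {
    aws sts assume-role --role-arn "$1" --role-session-name "$2" \
        --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
        --output text \
        | emit_assumed_role_vars
}
```

Used as the inline script, the step is `assume_role_to_vars "$(roleArn)" "$(sessionName)"`; because the variables are set with `issecret=true`, the log masks them exactly as the original step does.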
How to use a similar mechanism to push to ECR?