Set up credentials

The AWS Deploy Tool for .NET internally uses a variety of different tools and services to host your .NET application on AWS. To run the AWS Deploy Tool, you must configure a credential profile that provides access to the AWS account you wish to deploy to. Your credentials must have permissions for certain services, depending on the tasks that you're trying to perform.

The AWS Deploy Tool for .NET uses AWS Cloud Development Kit (CDK) to create the AWS infrastructure needed to deploy your application. Deploying via AWS CDK will assume roles that were created when bootstrapping CDK for the account and region you are deploying into. Ensure that the profile you are deploying with has permission to assume the CDK deployment roles. This can be done with a policy such as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/cdk-*"
            ]
        }
    ]
}
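The policy above matches any role whose name starts with cdk- in any account. The following added example (not part of the AWS Deploy Tool documentation) flags that wildcard and builds the same grant scoped to one account and region. It assumes the account was bootstrapped with the default CDK template and its default qualifier hnb659fds; the account ID is a constructed placeholder.

```python
import json

# Policy from the page, embedded so the example runs offline.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["sts:AssumeRole"],
                "Resource": ["arn:aws:iam::*:role/cdk-*"]}]}
""")

# Assumption: role suffixes of the default CDK bootstrap template that the
# CDK CLI assumes during a deployment.
CDK_ROLES = ("deploy-role", "file-publishing-role",
             "image-publishing-role", "lookup-role")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def broad_assume_role_resources(policy):
    """Return resources of Allow sts:AssumeRole statements that match roles in any account."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            account = parts[4] if len(parts) == 6 else "*"
            if "*" in account or "?" in account:
                findings.append(arn)
    return findings


def scoped_policy(account_id, region, qualifier="hnb659fds"):
    """Build the same grant limited to one account, region and bootstrap qualifier."""
    arns = [f"arn:aws:iam::{account_id}:role/cdk-{qualifier}-{role}-{account_id}-{region}"
            for role in CDK_ROLES]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": arns}]}


if __name__ == "__main__":
    print("Over-broad:", broad_assume_role_resources(PAGE_POLICY))
    # Constructed sample values: placeholder account ID, region from the page's command.
    tight = scoped_policy("111122223333", "us-west-2")
    print(json.dumps(tight, indent=4))
    print("Over-broad after scoping:", broad_assume_role_resources(tight))
```

If CDK was bootstrapped with a custom qualifier or template, pass that qualifier or adjust CDK_ROLES to the role names in your bootstrap stack.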

In addition to permission to assume the CDK deployment roles, the following are examples of using AWS managed policies to provide additional permissions that are required for different commands.

Note: Additional permissions might be required, depending on the type of application you're deploying and the services it uses.

| Command | Task | Recommended AWS Managed Policies |
|---|---|---|
| deploy | Deploying to Amazon ECS | AWSCloudFormationFullAccess, AmazonECS_FullAccess, AmazonEC2ContainerRegistryFullAccess, AmazonSSMFullAccess, IAMFullAccess |
| deploy | Deploying to AWS App Runner | AWSCloudFormationFullAccess, AWSAppRunnerFullAccess, AmazonEC2ContainerRegistryFullAccess, AmazonSSMFullAccess, IAMFullAccess |
| deploy | Deploying to AWS Elastic Beanstalk | AWSCloudFormationFullAccess, AdministratorAccess-AWSElasticBeanstalk, AmazonSSMFullAccess, AmazonS3FullAccess (required to upload the application bundle), IAMFullAccess |
| deploy | Hosting WebAssembly Blazor App in Amazon S3 & Amazon CloudFront | AmazonS3FullAccess, CloudFrontFullAccess, IAMFullAccess, AmazonSSMFullAccess, AWSLambda_FullAccess (required to copy from CDKBootstrap bucket to S3 bucket) |
| list-deployments | List AWS CloudFormation stacks | AWSCloudFormationReadOnlyAccess |
| delete-deployment | Delete an AWS CloudFormation stack | AWSCloudFormationFullAccess + permissions for resources being deleted |

Note: If you are creating IAM roles, you need IAMFullAccess; otherwise, you need IAMReadOnlyAccess. The first time the CDK bootstrap stack is created, it needs IAMFullAccess.

Note: If you encounter an error saying the user is not authorized to perform an action because no identity-based policies allow it, add the corresponding permission to the IAM policy used by the current IAM role or user. The exact wording of insufficient-permission errors may differ.

Specifying profile and region

In your shared AWS config and credentials files, if the [default] profile exists, the deployment tool uses that profile by default. You can change this behavior by specifying a profile for the tool to use, either system-wide or in a particular context.

... locally

  • The simplest way to specify region and profile is to provide them as parameters to the tool.
dotnet aws deploy --profile customProfile --region us-west-2

For additional information about command parameters, see the Commands section.

Note: If you provide only the --profile argument, the AWS Region isn't read from the profile that you specify. Instead, the tool reads the Region from the [default] profile if one exists, or asks for the desired profile interactively.

... system-wide

To specify a system-wide profile and region, define the AWS_PROFILE and AWS_REGION environment variables globally, as appropriate for your operating system. Be sure to reopen command prompts or terminals as necessary.

Warning: If you set the AWS_PROFILE environment variable globally for your system, other SDKs, CLIs, and tools will also use that profile. If this behavior is unacceptable, specify a profile for a particular context instead.

Additional Resources