Set up credentials
The AWS Deploy Tool for .NET internally uses a variety of different tools and services to host your .NET application on AWS. To run the AWS Deploy Tool, you must configure a credential profile that provides access to the AWS account you wish to deploy to. Your credentials must have permissions for certain services, depending on the tasks that you're trying to perform.
The AWS Deploy Tool for .NET uses AWS Cloud Development Kit (CDK) to create the AWS infrastructure needed to deploy your application. Deploying via AWS CDK will assume roles that were created when bootstrapping CDK for the account and region you are deploying into. Ensure that the profile you are deploying with has permission to assume the CDK deployment roles. This can be done with a policy such as:
In addition to permission to assume the CDK deployment roles, the following are examples of using AWS managed policies to provide additional permissions that are required for different commands.
Note: Additional permissions might be required, depending on the type of application you're deploying and the services it uses.
|Recommended AWS Managed Policies
|Deploying to Amazon ECS
|AWSCloudFormationFullAccess, AmazonECS_FullAccess, AmazonEC2ContainerRegistryFullAccess, AmazonSSMFullAccess, IAMFullAccess
|Deploying to AWS App Runner
|AWSCloudFormationFullAccess, AWSAppRunnerFullAccess, AmazonEC2ContainerRegistryFullAccess, AmazonSSMFullAccess, IAMFullAccess
|Deploying to AWS Elastic Beanstalk
|AWSCloudFormationFullAccess, AdministratorAccess-AWSElasticBeanstalk, AmazonSSMFullAccess, AmazonS3FullAccess (required to upload the application bundle), IAMFullAccess
|Hosting WebAssembly Blazor App in Amazon S3 & Amazon CloudFront
|AmazonS3FullAccess, CloudFrontFullAccess, IAMFullAccess, AmazonSSMFullAccess, AWSLambda_FullAccess (required to copy from CDKBootstrap bucket to S3 bucket)
|List AWS CloudFormation stacks
|Delete an AWS CloudFormation stack
|AWSCloudFormationFullAccess + permissions for resources being deleted
Note: If you are creating IAM roles, you need IAMFullAccess otherwise IAMReadOnlyAccess. Note that the first time the CDK bootstrap stack is created it will need IAMFullAccess.
Note: If you encounter an error saying
user is not authorized to perform action because no identity based policies allow it, that means you need to add the corresponding permission to the IAM policy that is used by the current IAM role/user. The exact wording for an insufficient permissions related errors may differ.
Specifying profile and region
In your shared AWS config and credentials files, if the
[default] profile exists, the deployment tool uses that profile by default. You can change this behavior by specifying a profile for the tool to use, either system-wide or in a particular context.
- The simplest way to specify region and profile is to provide them as parameters to the tool.
dotnet aws deploy --profile customProfile --region us-west-2
For additional information about command parameters, see Commands section.
Note If you provide only the
--profileargument, the AWS Region isn't read from the profile that you specify. Instead, the tool reads the Region from the
[default]profile if one exists, or asks for the desired profile interactively.
To specify a system-wide profile and region, define the
AWS_REGION environment variables globally, as appropriate for your operating system. Be sure to reopen command prompts or terminals as necessary.
Warning If you set the
AWS_PROFILEenvironment variable globally for your system, other SDKs, CLIs, and tools will also use that profile. If this behavior is unacceptable, specify a profile for a particular context instead.
- For information on AWS credentials and access management, see Credentials and Access
- For information on configuration file settings, see Config and Auth Settings Reference
- For information on how to create customer managed IAM policies, see Tutorial on Managed Policies
- For information on how to troubleshoot IAM policies, see AWS IAM User Guide
- For information on AWS Single Sign On (AWS SSO), visit the .NET SDK Reference Guide.
- For information on how to provide AWS credentials in AWS Toolkit for Visual Studio, see AWS Toolkit for Visual Studio User Guide.