  1. On https://dev.azure.com/<Organization name> (for example https://dev.azure.com/SAS-Engineer), select Organization settings.

    oidc_guide_1.png

  2. Download Azure DevOps organizations

    oidc_guide_2.png

  3. In the downloaded CSV file, find your organization ID

    oidc_guide_3.png

    The OIDC provider is therefore vstoken.dev.azure.com/<organization ID>, for example vstoken.dev.azure.com/61c028b9-510c-4f84-bfb2-f48d33b6b542.

    The audience is the hard-coded value api://AzureADTokenExchange.

  4. Now navigate to the AWS IAM console and create a new identity provider using the provider URL and audience from step 3.

    oidc_guide_4.png

    The result should look like the following:

    image.png

  5. Don’t forget to update the trust policy of each role that you need to assume via OIDC (for example, LabCICDApplicationRole and LabCICDInfraRole). Add the statement below:

            {
                "Sid": "AllowTeamAzureDevOps",
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::917566871600:oidc-provider/vstoken.dev.azure.com/61c028b9-510c-4f84-bfb2-f48d33b6b542"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "vstoken.dev.azure.com/61c028b9-510c-4f84-bfb2-f48d33b6b542:aud": "api://AzureADTokenExchange"
                    }
                }
            }
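    The statement above can be generated and checked with a small script. The following is an added example, not part of this guide or of any AWS or Azure DevOps tooling; it builds the step 5 statement from an account ID and organization ID and audits an existing trust policy for federated statements that do not pin the aud condition. The account ID used in the test is a constructed placeholder.

```python
import re

AUDIENCE = "api://AzureADTokenExchange"  # hard-coded audience from step 3
ORG_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def provider_host(org_id):
    """OIDC provider host for an Azure DevOps organization ID (a GUID)."""
    if not ORG_ID_RE.match(org_id.lower()):
        raise ValueError(f"not an Azure DevOps organization ID: {org_id!r}")
    return f"vstoken.dev.azure.com/{org_id}"

def trust_statement(account_id, org_id, sid="AllowTeamAzureDevOps"):
    """Build the step 5 trust-policy statement for one AWS account and organization."""
    host = provider_host(org_id)
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{host}:aud": AUDIENCE}},
    }

def audit_trust_policy(policy):
    """Flag vstoken.dev.azure.com statements that do not pin aud to AUDIENCE."""
    # Without the aud condition a token issued for any audience would match,
    # so each such statement is reported by its Sid.
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is valid policy JSON
        statements = [statements]
    for st in statements:
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # e.g. "Principal": "*" is not a federated principal
        federated = principal.get("Federated", [])
        if isinstance(federated, str):
            federated = [federated]
        for arn in federated:
            if ":oidc-provider/vstoken.dev.azure.com/" not in arn:
                continue
            host = arn.split(":oidc-provider/", 1)[1]
            cond = st.get("Condition", {}).get("StringEquals", {})
            if cond.get(f"{host}:aud") != AUDIENCE:
                findings.append(f"{st.get('Sid', '<no Sid>')}: {host}:aud is not pinned to {AUDIENCE}")
    return findings
```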
    

That’s it.