
Learn2Skills for AWS Community Builders


AWS Identity and Access Management Roles Anywhere

You can use AWS Identity and Access Management Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS.

To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by your certificate authority (CA). You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public-key infrastructure (PKI) and IAM Roles Anywhere. You can also use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a CA and then use that to establish trust with IAM Roles Anywhere.

Your application makes an authentication request to IAM Roles Anywhere, sending along its public key (encoded in a certificate) and a signature signed by the corresponding private key. Your application also specifies the role to assume in the request. When IAM Roles Anywhere receives the request, it first validates the signature with the public key, then it validates that the certificate was issued by a trust anchor previously configured in the account. For more details, see the signature validation documentation.

IAM Roles Anywhere concepts

Trust anchors
You establish trust between IAM Roles Anywhere and your certificate authority (CA) by creating a trust anchor. A trust anchor is either a reference to ACM PCA or another CA certificate. Your workloads outside of AWS authenticate with the trust anchor using certificates issued by the trusted CA in exchange for temporary AWS credentials. For more information, see IAM Roles Anywhere trust model.

Roles
An IAM role is an IAM identity that you can create in your account that has specific permissions. A role is intended to be assumable by anyone who needs it. For IAM Roles Anywhere to be able to assume a role and deliver temporary AWS credentials, the role must trust the IAM Roles Anywhere service principal. For more information, see Role trusts.

Profiles
To specify which roles IAM Roles Anywhere assumes and what your workloads can do with the temporary credentials, you create a profile. In a profile, you can define permissions with IAM managed policies to limit the permissions for a created session.

IAM Roles Anywhere use cases
You can use IAM Roles Anywhere for any workload running in your data center, or in other cloud providers, that requires credentials to access AWS APIs. Here are some of the use cases we think will be interesting to customers based on the conversations and patterns we have seen:

Example scenario To demonstrate how IAM Roles Anywhere

Step 1: Establish trust
The first step of using IAM Roles Anywhere is creating a trust anchor, which requires you to reference a certificate authority (CA) that IAM Roles Anywhere will use to validate your authentication requests. You can use either an ACM PCA resource in your account or upload your own CA certificate.

To set up a certificate authority (CA)

  • Do one of the following:

    • To use an ACM PCA resource, open the ACM PCA console. Follow the instructions in the ACM PCA User Guide.

    • To use another CA, follow the instructions provided by the CA. You provide the certificate body in a later step.

To create a trust anchor

  1. Sign in to the IAM Roles Anywhere console.

  2. Choose Create a trust anchor.

  3. In Trust anchor name, enter a name for the trust anchor.

  4. For Certificate authority (CA) source, do one of the following:

     • To use an ACM PCA resource, choose ACM Private CA. In the ACM Private CA table, choose the ACM PCA resource.

     • To use another CA, choose External certificate bundle. In External certificate bundle, paste your CA certificate body. The certificate must be in Privacy Enhanced Mail (PEM) format.

  5. (Optional) Add metadata to the trust anchor by attaching tags as key-value pairs. For more information, see Tagging AWS resources.

  6. Choose Create a trust anchor.


Step 2: Configure roles
Before you can create an IAM Roles Anywhere profile, you need at least one IAM role that trusts the IAM Roles Anywhere service principal. Then you can create a profile that lists the roles IAM Roles Anywhere assumes. In a profile, you can also limit the permissions for a created session with IAM managed policies.

To configure a role to trust IAM Roles Anywhere

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. On the IAM roles page, choose the role you want to use.

  3. On the Trust relationships tab, choose Edit trust policy.

  4. Update the trust policy to include rolesanywhere.amazonaws.com as shown below.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "rolesanywhere.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole",
            "sts:TagSession",
            "sts:SetSourceIdentity"
          ]
        }
      ]
    }
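The trust policy above lets the IAM Roles Anywhere service principal assume the role on behalf of any trust anchor in the account. The following Python linter is an added example (not code from the post or from AWS) that reads a trust policy, confirms the rolesanywhere.amazonaws.com principal and the three STS actions are present, and reports whether the grant is scoped with an aws:SourceArn or aws:SourceAccount condition, the condition keys used to pin a role to a specific trust anchor or account. The scoped policy and its trust anchor ARN are constructed placeholders.

```python
import fnmatch
import json

ROLES_ANYWHERE_PRINCIPAL = "rolesanywhere.amazonaws.com"
# Actions the service principal needs in order to assume the role and to pass
# session tags and a source identity on the workload's behalf.
REQUIRED_ACTIONS = ("sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity")
# Condition keys that pin the grant to a trust anchor ARN or an account.
SCOPING_KEYS = ("aws:sourcearn", "aws:sourceaccount")

# Copy of the trust policy shown on the page.
TRUST_POLICY_FROM_PAGE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": ["rolesanywhere.amazonaws.com"]},
      "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]
    }
  ]
}
"""

# Constructed variant: same grant, limited to sessions that arrive through one
# trust anchor. The ARN is a placeholder, not a real resource.
TRUST_POLICY_SCOPED = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "rolesanywhere.amazonaws.com"},
      "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:rolesanywhere:REGION:111122223333:trust-anchor/TA-ID-PLACEHOLDER"
        }
      }
    }
  ]
}
"""


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy_json: str) -> dict:
    """Report whether a trust policy grants IAM Roles Anywhere, which required
    STS actions are missing, and whether every granting statement is scoped
    with aws:SourceArn / aws:SourceAccount."""
    policy = json.loads(policy_json)
    granted = set()
    allows = False
    unscoped_grant = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if ROLES_ANYWHERE_PRINCIPAL not in services:
            continue
        allows = True
        granted.update(_as_list(stmt.get("Action")))
        scoped_here = any(
            key.lower() in SCOPING_KEYS
            for keys in stmt.get("Condition", {}).values()
            for key in keys
        )
        if not scoped_here:
            unscoped_grant = True
    # IAM action matching is case-insensitive and supports wildcards such as sts:*.
    missing = [
        action for action in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(action.lower(), g.lower()) for g in granted)
    ]
    return {
        "allows_roles_anywhere": allows,
        "missing_actions": missing,
        "scoped_to_trust_anchor": allows and not unscoped_grant,
    }


if __name__ == "__main__":
    for name, doc in (("page policy", TRUST_POLICY_FROM_PAGE),
                      ("scoped policy", TRUST_POLICY_SCOPED)):
        print(name, lint_trust_policy(doc))
```

Run against the page's policy the linter reports all three actions present but `scoped_to_trust_anchor` false; the constructed variant passes the scoping check. A deny-by-default review of roles used with IAM Roles Anywhere can run this over every role trust policy exported from the account.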

To create a profile

  1. Sign in to the IAM Roles Anywhere console.

  2. Choose Create a profile.

  3. In Profile name, enter a name for the profile.

  4. Under Role, choose the role you updated the trust policy for.

  5. (Optional) Configure session policies by choosing up to 10 managed policies or write an inline policy.

Session policies limit the permissions for a created session, but do not grant permissions. For more information, see Session policies.

  6. (Optional) Add metadata to the profile by attaching tags as key-value pairs. For more information, see Tagging AWS resources.

  7. Choose Create a profile.

Use roles anywhere

  1. Authenticate from your environment. Your non-AWS workloads authenticate with a certificate issued by the CA behind your trust anchor and obtain temporary credentials for a role. See the IAM Roles Anywhere documentation.

To test the functionality first, run the credential helper tool (aws_signing_helper) manually from the on-premises server, as follows.

./aws_signing_helper credential-process \
--certificate /path/to/certificate.pem \
--private-key /path/to/private-key.pem \
--trust-anchor-arn <TA_ARN> \
--profile-arn <PROFILE_ARN> \
--role-arn <ExampleS3WriteRole_ARN>

You should successfully receive session credentials from IAM Roles Anywhere.
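Once the manual run succeeds, the usual next step is to let the SDK invoke the helper itself through the `credential_process` setting of an AWS CLI profile, and to sanity-check what the helper returns. The Python below is an added example (not code from the post or from AWS): it renders the `credential_process` line for `~/.aws/config` from the same arguments used above, and validates the helper's JSON output against the credential_process contract (Version, AccessKeyId, SecretAccessKey, SessionToken, Expiration) without ever exposing the secret values. The sample output, ARNs and paths are constructed placeholders.

```python
import json
import shlex
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of what a credential_process helper prints on stdout. The
# field names follow the AWS credential_process contract; the values are made up.
SAMPLE_HELPER_OUTPUT = """{
  "Version": 1,
  "AccessKeyId": "ASIAEXAMPLEKEY000001",
  "SecretAccessKey": "EXAMPLE-SECRET-DO-NOT-USE",
  "SessionToken": "EXAMPLE-SESSION-TOKEN",
  "Expiration": "2024-01-01T13:00:00Z"
}"""

REQUIRED_FIELDS = ("Version", "AccessKeyId", "SecretAccessKey",
                   "SessionToken", "Expiration")


def credential_process_line(helper_path: str, certificate: str, private_key: str,
                            trust_anchor_arn: str, profile_arn: str, role_arn: str) -> str:
    """Render the credential_process setting for a profile in ~/.aws/config so the
    SDK runs the helper on demand and no long-lived access key is stored on disk."""
    argv = [helper_path, "credential-process",
            "--certificate", certificate,
            "--private-key", private_key,
            "--trust-anchor-arn", trust_anchor_arn,
            "--profile-arn", profile_arn,
            "--role-arn", role_arn]
    return "credential_process = " + " ".join(shlex.quote(a) for a in argv)


def _parse_utc(stamp: str) -> datetime:
    # fromisoformat() only accepts the "Z" suffix on Python 3.11+, so normalise it.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_session_credentials(output: str, now_iso: Optional[str] = None) -> dict:
    """Validate helper output against the credential_process contract and return a
    summary that omits SecretAccessKey and SessionToken, so it is safe to log."""
    data = json.loads(output)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"helper output is missing fields: {missing}")
    if data["Version"] != 1:
        raise ValueError(f"unsupported credential_process Version {data['Version']!r}")
    expires_at = _parse_utc(data["Expiration"])
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    remaining = int((expires_at - now).total_seconds())
    return {
        "access_key_id": data["AccessKeyId"],
        # STS temporary access keys carry the ASIA prefix; AKIA would mean a
        # long-lived key, which this flow should never hand out.
        "temporary": data["AccessKeyId"].startswith("ASIA"),
        "expires_at": expires_at.isoformat(),
        "seconds_remaining": remaining,
        "expired": remaining <= 0,
    }


if __name__ == "__main__":
    print(credential_process_line(
        "./aws_signing_helper", "/path/to/certificate.pem", "/path/to/private-key.pem",
        "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/TA-PLACEHOLDER",
        "arn:aws:rolesanywhere:us-east-1:111122223333:profile/PROFILE-PLACEHOLDER",
        "arn:aws:iam::111122223333:role/ExampleS3WriteRole"))
    print(parse_session_credentials(SAMPLE_HELPER_OUTPUT))
```

Put the rendered line under a `[profile ...]` section in `~/.aws/config` and the CLI or SDK will run the helper whenever it needs credentials and re-run it when they expire; because the private key never leaves the host and the returned keys are short-lived, there is no static secret to rotate or leak from the config file.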
