Authentication mechanism in AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere

AWS Identity and Access Management Roles Anywhere issues credentials through the CreateSession API. CreateSession authenticates a request by verifying a signature made with the private key bound to the X.509 certificate that the request presents for authentication. In this respect CreateSession acts like AssumeRole: it exchanges that signature for a standard SigV4-compatible session credential.

To successfully authenticate, the following constraints must be satisfied:

  • The signature attached to the request MUST be validated against the signing certificate (also attached to the request).

  • The signing certificate MUST have a valid trust chain to a Certificate Authority (CA) certificate configured in the customer account.

  • The target role for which credentials are issued MUST have an AssumeRolePolicyDocument that allows the IAM Roles Anywhere service principal, rolesanywhere.amazonaws.com, to call sts:AssumeRole, sts:TagSession, and sts:SetSourceIdentity. For more information, see Granting permissions to pass a role to a service in the IAM User Guide.

  • The target role for which credentials are issued MAY have additional Condition predicates in the AssumeRolePolicyDocument that restrict authorization based on attributes extracted from the X.509 Certificate (for example, Subject or Issuer).

The signature uses the same canonicalization mechanism as Signature V4 (SigV4), with the following changes and additions:

  • The private key used to sign the request MUST be bound to an X.509 Certificate.

  • The signing certificate MUST be a v3 certificate.

  • The signing certificate MUST be attached to the request via the header X-Amz-X509, as Base64-encoded Distinguished Encoding Rules (DER) data.

  • The relevant headers, X-Amz-X509 and X-Amz-X509-Chain (if applicable), MUST be included in the signed headers field of the Authorization header.

  • The X-Amz-X509-Chain header MUST be encoded as comma-delimited, base64-encoded DER.

  • The X-Amz-X509-Chain header MUST NOT exceed the maximum depth of 5 certificates.

  • The signing certificate's serial number MUST be included in the Credential portion of the Scope field of the Authorization header.

RSA and EC keys are supported. RSA keys are used with the RSA PKCS#1 v1.5 signing algorithm; EC keys are used with ECDSA.
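The canonicalization and header constraints above, worked through in Python as an added example (not AWS code, and not the official signing helper). It assumes the algorithm labels `AWS4-X509-RSA-SHA256` / `AWS4-X509-ECDSA-SHA256`, the `/sessions` request path, and a decimal serial number in the Credential scope; the private-key operation is passed in as a callable, and the demo substitutes an HMAC stand-in plus constructed DER bytes so it runs without a real certificate. Trust-chain validation against the configured CA is the service's job and is not modelled here.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

MAX_CHAIN_DEPTH = 5  # page constraint: X-Amz-X509-Chain MUST NOT exceed 5 certificates


def build_signed_request(method: str, path: str, host: str, body: str, amz_date: str,
                         region: str, cert_der: bytes, chain_der: List[bytes], serial: int,
                         algorithm: str, sign: Callable[[bytes], bytes]) -> Dict[str, str]:
    """SigV4 canonicalization plus the X.509 additions; `sign` is the caller's RSA PKCS#1 v1.5
    or ECDSA private-key primitive and `algorithm` is the assumed SigV4 algorithm label."""
    headers = {"content-type": "application/json", "host": host, "x-amz-date": amz_date,
               "x-amz-x509": base64.b64encode(cert_der).decode()}  # signing cert as base64 DER
    if chain_der:  # comma-delimited base64 DER
        headers["x-amz-x509-chain"] = ",".join(base64.b64encode(c).decode() for c in chain_der)
    signed_headers = ";".join(sorted(headers))  # includes x-amz-x509 and x-amz-x509-chain
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, path, "", canonical_headers, signed_headers,
                                   hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{serial}/{amz_date[:8]}/{region}/rolesanywhere/aws4_request"  # serial in Credential
    string_to_sign = "\n".join([algorithm, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    headers["authorization"] = (f"{algorithm} Credential={scope}, SignedHeaders={signed_headers}, "
                                f"Signature={sign(string_to_sign.encode()).hex()}")
    return headers


def check_constraints(headers: Dict[str, str], cert_serial: int) -> Tuple[bool, str]:
    """Verifier-side checks for the header constraints the page lists (not trust-chain validation)."""
    auth = headers.get("authorization", "")
    if " " not in auth:
        return False, "missing or malformed Authorization header"
    fields = dict(p.strip().split("=", 1) for p in auth.split(" ", 1)[1].split(","))
    signed = fields.get("SignedHeaders", "").split(";")
    if "x-amz-x509" not in signed:
        return False, "X-Amz-X509 is not a signed header"
    if "x-amz-x509-chain" in headers and "x-amz-x509-chain" not in signed:
        return False, "X-Amz-X509-Chain is present but not signed"
    if len(headers.get("x-amz-x509-chain", "").split(",")) > MAX_CHAIN_DEPTH:
        return False, "X-Amz-X509-Chain exceeds the maximum depth"
    if fields.get("Credential", "").split("/")[0] != str(cert_serial):
        return False, "serial in Credential scope does not match the signing certificate"
    return True, "ok"


def demo() -> Tuple[Dict[str, str], Tuple[bool, str]]:
    # Constructed inputs: fake DER bytes and an HMAC stand-in for the real RSA/ECDSA signer.
    signer = lambda data: hmac.new(b"constructed-key", data, hashlib.sha256).digest()
    hdrs = build_signed_request("POST", "/sessions", "rolesanywhere.us-east-1.amazonaws.com",
                                '{"durationSeconds":900}', "20240101T000000Z", "us-east-1", b"\x30\x82leaf",
                                [b"\x30\x82intermediate"], 123456789, "AWS4-X509-RSA-SHA256", signer)
    return hdrs, check_constraints(hdrs, 123456789)
```

Swapping the stand-in signer for a real RSA PKCS#1 v1.5 or ECDSA signature over `string_to_sign` is the only change needed to produce a request in the shape the page describes.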