Obtaining temporary security credentials from AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere

Obtaining temporary security credentials from AWS Identity and Access Management Roles Anywhere

To obtain temporary security credentials from AWS Identity and Access Management Roles Anywhere, use the credential helper tool that IAM Roles Anywhere provides. This tool is compatible with the credential_process feature available across the language SDKs. The helper manages the process of creating a signature with the certificate and calling the endpoint to obtain session credentials; it returns the credentials to the calling process in a standard JSON format. See Temporary security credentials in IAM for more information on session credentials.

To download the credential helper tool, use the following links.

Platform Download URL SHA256 checksum

Linux

https://rolesanywhere.amazonaws.com/releases/1.0.2/X86_64/Linux/aws_signing_helper

b0be71a1f7ac163944297a4ab8e22dcd24ae02b9a58b20f96bc18ad9ba02a9de

Windows

https://rolesanywhere.amazonaws.com/releases/1.0.2/X86_64/Windows/aws_signing_helper.exe

75cbca53abb3fe29fede307ed1824b0dd67ab6e0196aa7ea9741d45e2158dc3a

Darwin

https://rolesanywhere.amazonaws.com/releases/1.0.2/X86_64/Darwin/aws_signing_helper

c9b04036e7ad80f864d22bafddf74455261c7c8b97002bac1e628b5e88d829ba

Before you can obtain temporary credentials, you must have both an end-entity certificate from the certificate authority and a trust anchor in IAM Roles Anywhere. For more information, see Creating a trust anchor and profile.

Synopsis

./aws_signing_helper credential-process \ --certificate [--endpoint] [--region] [--intermediates] --private-key --profile-arn --role-arn [--session-duration] --trust-anchor-arn [--with-proxy] [--no-verify-ssl]

Options

--certificate (string)

Path to certificate file

--endpoint (string)

The IAM Roles Anywhere endpoint for the region. For a list of endpoints, see Service endpoints and quotas.

--region (string)

Signing region.

--intermediates (string)

Path to intermediate certificate bundle.

--private-key (string)

Path to private key file.

--profile-arn (string)

Profile to pull policies from.

--role-arn (string)

Target role to assume.

--session-duration (int)

Duration, in seconds, for the resulting session (default 3600).

--trust-anchor-arn (string)

Trust anchor to to use for authentication.

--with-proxy

To use credential-process with a proxy.

--no-verify-ssl

To disable SSL verification.

Important

Note that this disables TLS host authentication, and can open the connection to man-in-the-middle attacks. This option should only be used under specific, tightly controlled scenarios, such as debugging proxy connections.

Output

The credential helper tool will return a JSON containing the credentials. This format allows the credentials to be consumed by the external credential process supported by the credential_process.

{ "Version":1, "AccessKeyId": String, "SecretAccessKey": String, "SessionToken": String, "Expiration": Timestamp }

Examples

Example Obtain temporary security credentials

To obtain temporary security credentials, use the following command.

$ ./aws_signing_helper credential-process \ --certificate /path/to/certificate \ --private-key /path/to/private-key \ --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID \ --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID \ --role-arn arn:aws:iam::account:role/role-name-with-path

Example Use temporary security credentials with AWS SDKs and the AWS CLI

To use temporary security credentials with AWS SDKs and the AWS CLI, you can configure the credential helper tool as a credential process. For more information, see Sourcing credentials with an external process.

The following example shows a the config file that sets the helper tool as the credential process.

[profile developer] credential_process = ./aws_signing_helper credential-process --certificate /path/to/certificate --private-key /path/to/private-key --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID --role-arn arn:aws:iam::account:role/role-name-with-path

Credential Helper on GitHub

The source code for the credential helper is available on GitHub so that you can adapt the helper to your needs. We encourage you to submit pull requests for changes that you would like to have included. However, AWS doesn't provide support for running modified copies of this software.

Credential Helper Changelog

CredentialHelper version 1.0.2

On September 8, 2022, AWS IAM Roles Anywhere released Credential Helper version 1.0.2. As a part of this release, the tool now sets the minimum TLS version to 1.2.

CredentialHelper version 1.0.1

On July 14, 2022, AWS IAM Roles Anywhere released Credential Helper version 1.0.1. As a part of this release, the tool now has better error handling.