Creating a trust anchor and profile in AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere

To use AWS Identity and Access Management Roles Anywhere for authentication to AWS from workloads that run outside of AWS, such as servers, containers, and applications, you first create a trust anchor and a profile through the IAM Roles Anywhere console.

You establish trust between IAM Roles Anywhere and your certificate authority (CA) by creating a trust anchor. A trust anchor is either a reference to AWS Certificate Manager Private Certificate Authority (ACM PCA) or another CA certificate. You can create trust anchors for each certificate authority you want to trust.

To specify which roles IAM Roles Anywhere assumes and what your workloads can do with the temporary credentials, you create a profile. In a profile, you can define permissions with IAM managed policies.

Step 1: Establish trust

The first step of using IAM Roles Anywhere is creating a trust anchor, which requires you to reference a certificate authority (CA) that IAM Roles Anywhere will use to validate your authentication requests. You can use either an ACM PCA resource in your account or upload your own CA certificate.

To set up a certificate authority (CA)

  • Do one of the following:

    • To use an ACM PCA resource, open the ACM PCA console. Follow the instructions in the ACM PCA User Guide.

    • To use another CA, follow the instructions provided by the CA. You provide the certificate body in a later step.

To create a trust anchor

  1. Sign in to the IAM Roles Anywhere console.

  2. Choose Create a trust anchor.

  3. In Trust anchor name, enter a name for the trust anchor.

  4. For Certificate authority (CA) source, do one of the following:

    • To use an ACM PCA resource, choose ACM Private CA. In the ACM Private CA table, choose the ACM PCA resource.

    • To use another CA, choose External certificate bundle. In External certificate bundle, paste your CA certificate body. The certificate must be in Privacy Enhanced Mail (PEM) format.

  5. (Optional) Add metadata to the trust anchor by attaching tags as key-value pairs. For more information, see Tagging AWS resources.

  6. Choose Create a trust anchor.

Step 2: Configure roles

Before you can create an IAM Roles Anywhere profile, you need at least one IAM role that trusts the IAM Roles Anywhere service principal. Then you can create a profile that lists the roles IAM Roles Anywhere assumes. In a profile, you can also limit the permissions for a created session with IAM managed policies.

To configure a role to trust IAM Roles Anywhere

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. On the IAM roles page, choose the role you want to use.

  3. On the Trust relationships tab, choose Edit trust policy.

  4. Update the trust policy to include rolesanywhere.amazonaws.com as shown below.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "rolesanywhere.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole",
            "sts:TagSession",
            "sts:SetSourceIdentity"
          ]
        }
      ]
    }

    Important

    It is strongly recommended that policies include Condition statements to further refine access to the role.

    For information about editing role trust policies, see Modifying a role (console) in the IAM User Guide.
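The following script is an added example, not code from the AWS documentation. It builds the trust policy from step 4, then narrows it with the Condition statements the Important note recommends, and lints an existing trust policy for the two weaknesses a reviewer looks for first: the three STS actions missing, or no condition pinning which trust anchor may assume the role. The condition keys it uses, aws:SourceArn (set by Roles Anywhere to the trust anchor ARN) and aws:PrincipalTag/x509Subject/CN (the certificate subject CN, carried as a session tag), are not on this page and are stated here as assumptions; the account ID, trust anchor ID and CN values are constructed placeholders.

```python
"""Build and lint an IAM role trust policy for IAM Roles Anywhere.

Added example; not code from AWS. Assumes (not stated on the page) that
Roles Anywhere presents the trust anchor ARN as aws:SourceArn and the
certificate subject CN as the principal tag x509Subject/CN.
"""
import json

ROLES_ANYWHERE_PRINCIPAL = "rolesanywhere.amazonaws.com"
# The three actions the procedure's trust policy grants; all are needed.
REQUIRED_ACTIONS = frozenset({"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"})


def policy_as_on_page() -> dict:
    """The trust policy exactly as step 4 shows it: valid, but with no Condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": [ROLES_ANYWHERE_PRINCIPAL]},
            "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
        }],
    }


def build_trust_policy(trust_anchor_arn: str, allowed_subject_cn: str) -> dict:
    """Step 4's policy plus Condition statements limiting who can assume the role."""
    policy = policy_as_on_page()
    policy["Statement"][0]["Condition"] = {
        # Assumption: Roles Anywhere sets aws:SourceArn to the trust anchor ARN.
        "ArnEquals": {"aws:SourceArn": [trust_anchor_arn]},
        # Assumption: the certificate subject CN arrives as tag x509Subject/CN.
        "StringEquals": {"aws:PrincipalTag/x509Subject/CN": allowed_subject_cn},
    }
    return policy


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: dict) -> list:
    """Return findings for Allow statements granted to the Roles Anywhere principal.

    An empty list means every such statement grants the required actions and
    pins aws:SourceArn to a concrete trust anchor. Wildcard actions such as
    "sts:*" are not expanded, so they are reported as missing.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if ROLES_ANYWHERE_PRINCIPAL not in services:
            continue
        missing = REQUIRED_ACTIONS - set(_as_list(stmt.get("Action")))
        if missing:
            findings.append(f"statement {i}: missing actions {sorted(missing)}")
        condition = stmt.get("Condition") or {}
        if not condition:
            findings.append(f"statement {i}: no Condition restricting which trust anchor "
                            "or certificate may assume the role")
            continue
        # Flatten {operator: {key: value}} into {key.lower(): value}; the operator
        # does not matter for a presence check.
        keys = {k.lower(): v for op in condition.values() for k, v in op.items()}
        if "aws:sourcearn" not in keys:
            findings.append(f"statement {i}: Condition does not pin aws:SourceArn to a trust anchor ARN")
        elif all(v == "*" for v in _as_list(keys["aws:sourcearn"])):
            findings.append(f"statement {i}: aws:SourceArn is a bare wildcard, which pins nothing")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own trust anchor ARN and CN.
    trust_anchor = "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/TRUST-ANCHOR-ID-PLACEHOLDER"
    narrowed = build_trust_policy(trust_anchor, "build-server-01")
    print(json.dumps(narrowed, indent=2))
    print("page policy:", lint_trust_policy(policy_as_on_page()))
    print("narrowed policy:", lint_trust_policy(narrowed))
```

To apply the narrowed policy without the console, write `json.dumps(narrowed)` to a file and pass it with `aws iam update-assume-role-policy --role-name ROLE --policy-document file://trust.json` in place of step 4; the linter can likewise be run over the `AssumeRolePolicyDocument` returned by `aws iam get-role` to find roles already trusting Roles Anywhere without a Condition.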

To create a profile

  1. Sign in to the IAM Roles Anywhere console.

  2. Choose Create a profile.

  3. In Profile name, enter a name for the profile.

  4. Under Role, choose the role you updated the trust policy for.

  5. (Optional) Configure session policies by choosing up to 10 managed policies or writing an inline policy.

    Session policies limit the permissions for a created session, but do not grant permissions. For more information, see Session policies.

  6. (Optional) Add metadata to the profile by attaching tags as key-value pairs. For more information, see Tagging AWS resources.

  7. Choose Create a profile.

Next steps

You can now authenticate with IAM Roles Anywhere. Follow the instructions in Obtaining temporary security credentials. Also consider Monitoring with IAM Roles Anywhere subjects.