Creating a trust anchor and profile in AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere
Step 1: Establish trustStep 2: Configure rolesNext steps

Creating a trust anchor and profile in AWS Identity and Access Management Roles Anywhere

To use AWS Identity and Access Management Roles Anywhere for authentication to AWS from your workloads that run outside of AWS such as servers, containers, and applications, you first create a trust anchor and profile through the IAM Roles Anywhere console.

You establish trust between IAM Roles Anywhere and your certificate authority (CA) by creating a trust anchor. A trust anchor is a reference to either AWS Private Certificate Authority (AWS Private CA) or an external CA certificate. You can create trust anchors for each certificate authority you want to trust.

To specify which roles IAM Roles Anywhere assumes and what your workloads can do with the temporary credentials, you create a profile. In a profile, you can define permissions with IAM managed policies.

Step 1: Establish trust

The first step of using IAM Roles Anywhere is creating a trust anchor, which requires you to reference a certificate authority (CA) that IAM Roles Anywhere will use to validate your authentication requests. Both root and intermediate CAs can be used as trust anchors. You will have to use either a AWS Private CA resource in your account or upload your external CA certificate. Note that CA certificates that are used as trust anchors have to satisfy certain constraints. For more information, see Signature verification.

To set up a certificate authority (CA)

  • Do one of the following:

    • To use a AWS Private CA resource, open the AWS Private CA console. Follow the instructions in the AWS Private CA User Guide.

    • To use an external CA, follow the instructions provided by the CA. You provide the certificate body in a later step.

    Important

    Certificates issued from public CAs cannot be used as trust anchors.

To create a trust anchor

  1. Sign in to the IAM Roles Anywhere console.

  2. Choose Create a trust anchor.

  3. In Trust anchor name, enter a name for the trust anchor.

  4. For Certificate authority (CA) source, do one of the following:

    • To use an AWS Private CA resource, choose AWS Private CA. In the AWS Private CA table, choose the AWS Private CA resource.

    • To use another CA, choose External certificate bundle. In External certificate bundle, paste your CA certificate body. The certificate must be in Privacy Enhanced Mail (PEM) format.

  5. (Optional) Customize notification settings based on your public key infrastructure. For more information, see customize notification settings

  6. (Optional) Add metadata to the trust anchor by attaching tags as key-value pairs. For more information, see Tagging AWS resources.

  7. Choose Create a trust anchor.

Step 2: Configure roles

Before you can create an IAM Roles Anywhere profile, you need at least one IAM role that trusts the IAM Roles Anywhere service principal. Then you can create a profile that lists the roles IAM Roles Anywhere assumes. In a profile, you can also limit the permissions for a created session with IAM managed policies.

To configure a role to trust IAM Roles Anywhere

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. On the IAM roles page, choose the role you want to use.

  3. On the Trust relationships tab, choose Edit trust policy.

  4. Update the trust policy to include rolesanywhere.amazonaws.com as shown below. 

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "rolesanywhere.amazonaws.com"
                ]
            },
            "Action": [
              "sts:AssumeRole",
              "sts:TagSession",
              "sts:SetSourceIdentity"
            ],
            "Condition": {
              "ArnEquals": {
                "aws:SourceArn": [
                  "arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID"
                ]
              }
            }
        }
    ]
}
    Important

    Without a Condition statement present in a role trust policy, any valid certificate from the CA used as the trust anchor, or CAs subordinate to that trust anchor may be used to assume a role via IAM roles anywhere. We recommend you use Condition statements on both the subject and issuer attributes to ensure that only certificates that you intend to be able to assume a role can do so.

    For information about editing role trust policies, see Modifying a role (console) in the IAM User Guide.

To create a profile

  1. Sign in to the IAM Roles Anywhere console.

  2. Choose Create a profile.

  3. In Profile name, enter a name for the profile.

  4. Under Role, choose the role you updated the trust policy for.

  5. (Optional) Configure session policies by choosing up to 10 managed policies or write an inline policy.

    Session policies limit the permissions for a created session, but do not grant permissions. For more information, see Session policies.

  6. (Optional) Add metadata to the profile by attaching tags as key–value pairs. For more information, see Tagging AWS resources.

  7. Choose Create a profile.

Next steps

You can now authenticate with IAM Roles Anywhere. Follow the instructions in Obtaining temporary security credentials. Also consider Monitoring with IAM Roles Anywhere subjects.