A couple of years back I wrote a post on how to create an AWS instance profile for on-premise servers. That approach used the SSM agent and a Lambda function to manage the IAM credentials for the on-premise servers. Starting early this month, an AWS native solution for this use case is available: AWS IAM Roles Anywhere.
Simply speaking, IAM Roles Anywhere lets anyone or any server assume an IAM role using an X.509 certificate (and its private key) issued by a trusted private CA in ACM.
The basic steps are:
First step, set up a trust relationship between IAM Roles Anywhere and a private CA in AWS Certificate Manager (ACM). This is called a trust anchor.
Second step, create IAM roles with the required permissions and a trust policy that allows rolesanywhere.amazonaws.com to assume them. For granular control (which servers can assume which roles), conditions can be specified in the trust policy, e.g. on the certificate subject:
"Condition": {
    "StringEquals": {
        "aws:PrincipalTag/x509Subject/CN": "bamboo-01",
        "aws:PrincipalTag/x509Subject/OU": "devops"
    }
}
Third step, create a profile in IAM Roles Anywhere and add the roles created above to it.
That's all you need to do on the AWS end. To assume the roles from anywhere, you need to install aws_signing_helper, a binary that is available for Windows, Linux and macOS.
To assume the role, you just need to run:
./aws_signing_helper credential-process \
--certificate /path/to/certificate.pem \
--private-key /path/to/private-key.pem \
--trust-anchor-arn <CREATED_IN_STEP_ONE> \
--role-arn <CREATED_IN_STEP_TWO> \
--profile-arn <CREATED_IN_STEP_THREE>
It can also be used in the AWS config file as the credential_process. Keep the whole command on one line, since the config file does not support the backslash line continuations shown above:
[default]
credential_process = ./aws_signing_helper credential-process --certificate /path/to/certificate.pem --private-key /path/to/private-key.pem --trust-anchor-arn <CREATED_IN_STEP_ONE> --role-arn <CREATED_IN_STEP_TWO> --profile-arn <CREATED_IN_STEP_THREE>
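The trust-policy condition from step two, evaluated locally as an added example (not code from the original post or from AWS): the script models the aws:PrincipalTag/x509Subject/<attr> tags that Roles Anywhere derives from the certificate subject and checks StringEquals and StringLike blocks against them, so you can confirm which certificates a role will accept before issuing them. It goes a little beyond the post by also handling StringLike wildcards and value lists; the subject strings are constructed test data.

```python
from fnmatch import fnmatchcase
TAG_PREFIX = "aws:PrincipalTag/x509Subject/"

def subject_to_tags(subject: str) -> dict:
    """Map 'CN=bamboo-01,OU=devops,O=Example' to the principal tags Roles
    Anywhere derives from the subject (escaped commas in values not handled)."""
    tags = {}
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr:
            tags[TAG_PREFIX + attr.strip()] = value.strip()
    return tags

def condition_matches(condition: dict, tags: dict) -> bool:
    """Every operator block and every key in it must match (AND); a list of
    values for one key is an OR; an attribute missing from the cert never
    satisfies StringEquals/StringLike."""
    for operator, checks in condition.items():
        for key, expected in checks.items():
            actual = tags.get(key)
            if actual is None:
                return False
            wanted = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":  # IAM wildcards are * and ?
                ok = any(fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True

# The Condition block from the post's trust policy.
POST_CONDITION = {"StringEquals": {TAG_PREFIX + "CN": "bamboo-01",
                                   TAG_PREFIX + "OU": "devops"}}

def can_assume(subject: str, condition: dict = POST_CONDITION) -> bool:
    """True if a certificate with this subject would pass the condition."""
    return condition_matches(condition, subject_to_tags(subject))

if __name__ == "__main__":
    # Constructed subjects: only the first should be allowed.
    for subj in ("CN=bamboo-01,OU=devops,O=Example Corp",
                 "CN=bamboo-01,OU=finance,O=Example Corp",  # same CN, wrong OU
                 "CN=bamboo-02,OU=devops,O=Example Corp",   # wrong host
                 "CN=bamboo-01,O=Example Corp"):            # OU missing
        print(f"{subj:45} allowed={can_assume(subj)}")
```

A certificate from the same private CA with the right CN but a different OU, or with no OU at all, is rejected, which is why the post pairs the CN condition with the OU condition.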