I found the easiest thing to do was to create a separate script for the credential_process to target; this isn't necessary, I just found it easier.

So create a script along the lines of:

#!/bin/bash
# raw_helper.sh
/path/to/aws_signing_helper credential-process \
  --certificate /path/to/cert.crt \
  --private-key /path/to/key.key \
  --trust-anchor-arn <TA_ARN> \
  --profile-arn <Roles_Anywhere_Profile_ARN> \
  --role-arn <IAM_Role_ARN>

The key thing I found is that most places (including AWS documentation) tell you to use the ~/.aws/config file and declare the profile there. This didn't seem to work, but when I added the profile to my ~/.aws/credentials file it did work. Assuming you've created a helper script, this would look like this:

# ~/.aws/credentials
[raw_profile]
credential_process = /path/to/raw_helper.sh
Answer from Baza86 on Stack Overflow
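
A checked variant of the wrapper script from the answer above, as an added example that is not part of the original answer or of AWS's code: it refuses to run when the private key is readable by group or others, and it keeps every diagnostic on stderr because the SDK parses the script's stdout as the credential JSON. The script name, the two positional arguments and the function names are assumptions; the helper path and ARN placeholders are the answer's own.

```bash
#!/bin/bash
# raw_helper_checked.sh: added example, not from the original answer.
# Profile entry (paths are placeholders):
#   credential_process = /path/to/raw_helper_checked.sh /path/to/cert.crt /path/to/key.key
# The SDK parses this script's stdout as JSON, so diagnostics go to stderr only.

HELPER=/path/to/aws_signing_helper   # placeholder path, as in the answer

# Print a file's octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the key is a regular file with no group/other permission bits.
key_is_private() {
  local key="$1" mode
  [ -f "$key" ] || { echo "raw_helper: key not found: $key" >&2; return 1; }
  mode=$(file_mode "$key") || return 1
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "raw_helper: $key has mode $mode, expected 600 or stricter" >&2
    return 1
  fi
}

# Check the inputs, then hand over to the signing helper.
main() {
  local cert="$1" key="$2"
  [ -r "$cert" ] || { echo "raw_helper: cannot read certificate: $cert" >&2; return 1; }
  key_is_private "$key" || return 1
  [ -x "$HELPER" ] || { echo "raw_helper: helper not executable: $HELPER" >&2; return 1; }
  # exec replaces the shell, so the helper's JSON is the only thing on stdout.
  exec "$HELPER" credential-process \
    --certificate "$cert" \
    --private-key "$key" \
    --trust-anchor-arn "<TA_ARN>" \
    --profile-arn "<Roles_Anywhere_Profile_ARN>" \
    --role-arn "<IAM_Role_ARN>"
}

# Run only when called with the certificate and key paths.
if [ "$#" -eq 2 ]; then main "$@"; fi
```
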
🌐
AWS
docs.aws.amazon.com › iam roles anywhere › user guide › get temporary security credentials from iam roles anywhere
Get temporary security credentials from IAM Roles Anywhere - IAM Roles Anywhere
For additional commands and options, see the credential helper README on GitHub ... The credential-process command obtains temporary security credentials from IAM Roles Anywhere using your certificate and private key. ./aws_signing_helper credential-process \ --certificate [--cert-selector] ...
🌐
GitHub
github.com › aws › rolesanywhere-credential-helper
GitHub - aws/rolesanywhere-credential-helper · GitHub
The rolesanywhere-credential-helper implements the signing process for the AWS IAM Roles Anywhere CreateSession API. It returns temporary credentials in a standard JSON format compatible with the credential_process feature available across AWS SDKs.
Starred by 186 users
Forked by 69 users
Languages   Go 86.4% | Shell 6.5% | Makefile 6.0%
2 of 3
1

Based on AWS recommendations and my previous experience in a similar application, you should:

  1. Create the AWS config file on the server environment or containers with the parameters - certificate, private-key, trust-anchor-arn, profile-arn, role-arn and the signing helper file location. (Secure options such as using K8S secrets or other options should be considered here.)
  2. Use the AWS SDK to retrieve the credentials from the application.

If you are not using containers, it will be a straightforward process to create the AWS config file with a profile, and then you can use the SDK to retrieve the credentials. (The AWS signing helper file should also be uploaded to a path in the server.)

Java SDK: https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/ProfileCredentialsProvider.html

Python SDK: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html

🌐
Go Packages
pkg.go.dev › github.com › aws › rolesanywhere-credential-helper › aws_signing_helper
aws_signing_helper package - github.com/aws/rolesanywhere-credential-helper/aws_signing_helper - Go Packages
March 5, 2026 - Container that adheres to the format of credential_process output as specified by AWS. func GenerateCredentials(opts *CredentialsOpts, signer Signer, signatureAlgorithm string) (CredentialProcessOutput, error)
🌐
AWS
docs.aws.amazon.com › none › reference guide › authentication and access using aws sdks and tools › using iam roles anywhere to authenticate aws sdks and tools
Using IAM Roles Anywhere to authenticate AWS SDKs and tools - AWS SDKs and Tools
private-key – The path to the private key that signed the request. ... Your Cloud Administrator should provide the certificate and private key. All three ARN values can be copied from the AWS Management Console. The following example shows a shared config file that configures retrieving temporary credentials from the helper tool. [profile dev] credential_process = ./aws_signing_helper credential-process --certificate /path/to/certificate --private-key /path/to/private-key --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID --role-arn arn:aws:iam::account:role/ROLE_ID
🌐
Smallstep
smallstep.com › blog › smallstep-and-aws-iam-roles-anywhere
How to use ACME to authenticate to AWS
May 20, 2024 - [[ -f $CERT_LOCATION || -f $KEY_LOCATION ]]; then issue_cert=true else set +e step certificate needs-renewal $CERT_LOCATION --expires-in 0m 2> /dev/null retVal=$? if [[ "$retVal" = 0 || "$retVal" = 255 ]]; then issue_cert=true fi set -e fi if [ "$issue_cert" = true ]; then step ca certificate $ACME_HOSTNAME $CERT_LOCATION $KEY_LOCATION \ --provisioner $PROVISIONER_NAME \ --force fi /path/to/aws_signing_helper credential-process \ --intermediates $INTERMEDIATE_CA_PEM_LOCATION \ --certificate $CERT_LOCATION \ --private-key $KEY_LOCATION \ --trust-anchor-arn $TRUST_ANCHOR_ARN \ --profile-arn $PROFILE_ARN \ --role-arn $ROLE_ARN Just run this script as your credential process, instead of running aws_signing_helper directly.
🌐
Jimmydqv
jimmydqv.com › iam-anywhere
AWS IAM Anywhere | Jimmy Dahlqvist
July 22, 2022 - [profile cert-test] credential_process = aws_signing_helper credential-process --certificate <cert path> / --private-key <private key> --trust-anchor-arn <trust anchor arn> / --profile-arn <profile arn> --role-arn <role arn>
🌐
Medium
cmani.medium.com › aws-solutions-for-hybrid-and-multicloud-extend-aws-credentials-anywhere-with-iam-roles-anywhere-df7b1ff99203
AWS Solutions for Hybrid and Multicloud — Extend AWS credentials anywhere with IAM Roles Anywhere for workloads running outside AWS like GCP and other cloud providers | by Mani | Medium
July 31, 2024 - ./aws_signing_helper credential-process \ --certificate /path/to/certificate.pem \ --private-key /path/to/private-key.pem \ --trust-anchor-arn <TA_ARN> \ --profile-arn <PROFILE_ARN> \ --role-arn <ExampleS3WriteRole_ARN>
🌐
Medium
apkash8.medium.com › securing-access-provisioning-via-aws-iamrolesanywhere-goodbye-to-iam-credentials-2956ec66ff6a
Secure Access Provisioning via IAM Roles Anywhere | by just_a_noob | Medium
July 3, 2024 - The AWS Signing helper obtains temporary security credentials from IAM Roles Anywhere, leveraging its credential helper tool, compatible with the credential_process feature across language SDKs.
🌐
DEV Community
dev.to › polarsquad › how-to-use-aws-roles-anywhere-484p
How to use AWS Roles Anywhere - DEV Community
February 21, 2024 - The helper tool can then be used in the file $HOME/.aws/config to login to the AWS when SDK or CLI is used. Here we need the ARNs that the Terraform code above returns. Save this to a file called aws-config. The Dockerfile expects this name: [default] credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /app/app-cert.pem --private-key /app/app-private-nopass.key --trust-anchor-arn arn:aws:rolesanywhere:eu-west-1:xxxxxx:trust-anchor/yyyyyyyy --profile-arn arn:aws:rolesanywhere:eu-west-1:xxxxxx:profile/ccccccc --role-arn arn:aws:iam::xxxxxx:role/RolesAnywhere
🌐
AWS
docs.aws.amazon.com › aws sdk for java › developer guide for version 2.x › configuring service clients in the aws sdk for java 2.x › using credentials providers in the aws sdk for java 2.x › load credentials from an external process using the aws sdk for java 2.x
Load credentials from an external process using the AWS SDK for Java 2.x - AWS SDK for Java 2.x
The SDK for Java doesn't have a dedicated credentials provider to retrieve temporary credentials from IAM Roles Anywhere, but you can use the credential helper tool along with one of the options to retrieve credentials from an external process. The following snippet in the shared AWS config file shows a profile named roles_anywhere that uses the credential_process setting: [profile roles_anywhere] credential_process = ./aws_signing_helper credential-process \ --certificate /path/to/certificate \ --private-key /path/to/private-key \ --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID \ --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID \ --role-arn arn:aws:iam::account:role/role-name-with-path
🌐
Medium
medium.com › @ismailkovvuru › securely-connect-on-prem-workloads-to-aws-using-iam-roles-anywhere-e2826c901a2c
Securely Connect On-Prem Workloads to AWS Using IAM Roles Anywhere | by Ismail Kovvuru | Medium
August 7, 2025 - brew install aws/tap/aws-signing-helper # macOS sudo yum install -y aws-signing-helper # Amazon Linux ... # ~/.aws/config [profile onprem] credential_process = /usr/local/bin/aws_signing_helper credential-process \ --certificate /etc/certs/client.crt \ --private-key /etc/certs/client.key \ --trust-anchor-arn arn:aws:rolesanywhere:... \ --profile-arn arn:aws:rolesanywhere:... \ --role-arn arn:aws:iam::...:role/OnPremS3Access
🌐
Readthedocs
my-redirection.readthedocs.io › en › latest › credentials › aws_credentials.html
Managing AWS Cloud Credentials
First download the aws_signing_helper binary, make it executable, and install it somewhere on the PATH. Modify the file ~/.aws/config file with the following: [profile default] credential_process = aws_signing_helper credential-process \ --certificate /path/to/cert.pem \ --private-key /path/to/privkey.pem \ --intermediates /path/to/chain.pem --trust-anchor-arn arn:aws:rolesanywhere:<region>:<account>:trust-anchor/<id> \ --profile-arn arn:aws:rolesanywhere:<region>:<account>:profile/<id> \ --role-arn arn:aws:iam::<account>:role/CovalentAWSPluginsRole \ --endpoint rolesanywhere.<region>.amazonaws.com \ --region <region>
🌐
AWS
aws.amazon.com › blogs › security › use-iam-roles-anywhere-to-help-you-improve-security-in-on-premises-container-workloads
Use IAM Roles Anywhere to help you improve security in on-premises container workloads | AWS Security Blog
November 29, 2023 - Create a file named docker-entrypoint.sh that configures the AWS CLI to use the IAM Roles Anywhere signing helper. #!/bin/sh set -e openssl rsa -in $ROLESANYWHERE_KEY_LOCATION -passin env:ROLESANYWHERE_KEY_PASSPHRASE -out /tmp/key.pem > /dev/null 2>&1 echo "[default]" > ~/.aws/config echo " credential_process = aws_signing_helper credential-process \ --certificate $ROLESANYWHERE_CERT_LOCATION \ --private-key /tmp/key.pem \ --trust-anchor-arn $ROLESANYWHERE_TRUST_ANCHOR_ARN \ --profile-arn $ROLESANYWHERE_PROFILE_ARN \ --role-arn $ROLESANYWHERE_ROLE_ARN" >> ~/.aws/config exec "$@"
🌐
GitHub
github.com › aws › rolesanywhere-credential-helper › blob › v1.2.1 › aws_signing_helper › signer.go
rolesanywhere-credential-helper/aws_signing_helper/signer.go at v1.2.1 · aws/rolesanywhere-credential-helper
// Supported signing algorithms based on the KeyType · Algorithms []string `json:"supportedAlgorithms"` } · // Container that adheres to the format of credential_process output as specified by AWS. type CredentialProcessOutput struct { // This field should be hard-coded to 1 for now.
Author   aws
🌐
Go Packages
pkg.go.dev › github.com › zubeensyed › rolesanywhere-credential-helper › aws_signing_helper
aws_signing_helper package - github.com/zubeensyed/rolesanywhere-credential-helper/aws_signing_helper - Go Packages
April 12, 2023 - Version int `json:"Version"` // AWS Access Key ID AccessKeyId string `json:"AccessKeyId"` // AWS Secret Access Key SecretAccessKey string `json:"SecretAccessKey"` // AWS Session Token for temporary credentials SessionToken string `json:"SessionToken"` // ISO8601 timestamp for when the credentials expire Expiration string `json:"Expiration"` } Container that adheres to the format of credential_process output as specified by AWS.
🌐
Amazon Web Services
docs.amazonaws.cn › 亚马逊云科技 › amazon sdks and tools › reference guide › authentication and access using amazon sdks and tools › using iam roles anywhere to authenticate amazon sdks and tools
Using IAM Roles Anywhere to authenticate Amazon SDKs and tools - Amazon SDKs and Tools
private-key – The path to the private key that signed the request. ... Your Cloud Administrator should provide the certificate and private key. All three ARN values can be copied from the Amazon Web Services Management Console. The following example shows a shared config file that configures retrieving temporary credentials from the helper tool. [profile dev] credential_process = ./aws_signing_helper credential-process --certificate /path/to/certificate --private-key /path/to/private-key --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID --role-arn arn:aws:iam::account:role/ROLE_ID
🌐
AWS
aws.amazon.com › about-aws › whats-new › 2023 › 07 › iam-roles-anywhere-credential-helper-os-certificate-stores
IAM Roles Anywhere credential helper adds support for OS certificate stores - AWS
July 26, 2023 - Today, AWS Identity and Access ... certificate stores. IAM Roles Anywhere credential helper is a tool that manages the process of signing the CreateSession API with the private key associated with an X.509 end-entity certificate and calls the endpoint to obtain temporary ...
🌐
GitHub
github.com › coredns › coredns › issues › 6846
Route53 Plugin with aws_signing_helper credential-process. · Issue #6846 · coredns/coredns
August 21, 2024 - The helper manages creating a signature with the certificate and calling the endpoint to obtain session credentials; it returns the credentials to the calling process in a standard JSON format for the SDK.
Author   gowgopal83