I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything.
check it out:
https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be Answer from royb on repost.aws
AWS
docs.aws.amazon.com › iam roles anywhere › user guide › get temporary security credentials from iam roles anywhere
Get temporary security credentials from IAM Roles Anywhere - IAM Roles Anywhere
To obtain temporary security credentials from AWS Identity and Access Management Roles Anywhere, use the credential helper tool that IAM Roles Anywhere provides. This tool is compatible with the credential_process feature available across the language SDKs. When used with an AWS SDK, these ...
GitHub
github.com › aws › rolesanywhere-credential-helper
GitHub - aws/rolesanywhere-credential-helper · GitHub
The rolesanywhere-credential-helper implements the signing process for the AWS IAM Roles Anywhere CreateSession API. It returns temporary credentials in a standard JSON format compatible with the credential_process feature available across AWS SDKs.
Starred by 185 users
Forked by 69 users
Languages Go 86.4% | Shell 6.5% | Makefile 6.0%
Videos
IAM Roles Anywhere: Secure AWS Access - AWS
06:36
AWS IAM Roles Anywhere credential helper TPM 2.0 support | Amazon ...
19:44
IAM Roles Anywhere – now for everyone with Let's Encrypt - YouTube
09:16
AWS IAM Roles Anywhere - Introduction & Demo | Amazon Web Services ...
37:42
AWS Security | AWS IAM Roles Anywhere | AppSecEngineer Free Course ...
12:02
AWS IAM Roles Anywhere Full Tutorial - YouTube
AWS
docs.aws.amazon.com › none › reference guide › authentication and access using aws sdks and tools › using iam roles anywhere to authenticate aws sdks and tools
Using IAM Roles Anywhere to authenticate AWS SDKs and tools - AWS SDKs and Tools
To use temporary security credentials from IAM Roles Anywhere with AWS SDKs and the AWS CLI, you can configure credential_process setting in the shared AWS config file. The SDKs and AWS CLI support a process credential provider that uses credential_process to authenticate.
AWS
aws.amazon.com › about-aws › whats-new › 2024 › 12 › iam-roles-anywhere-credential-helper-tpm-2-0
IAM Roles Anywhere credential helper now supports TPM 2.0 - AWS
IAM Roles Anywhere is compatible with certificates issued by any X.509-compliant PKI provider. IAM Roles Anywhere credential helper is a tool that automates the process of signing CreateSession API with the private key associated with an X.509 end-entity certificate and calls the endpoint to ...
AWS
aws.amazon.com › about-aws › whats-new › 2023 › 09 › iam-roles-anywhere-credential-helper-pkcs-11-modules
IAM Roles Anywhere credential helper now supports PKCS #11 modules - AWS
September 20, 2023 - IAM Roles Anywhere credential helper is a tool that manages the process of signing CreateSession API with the private key associated with an X.509 end-entity certificate and calls the endpoint to obtain temporary AWS credentials.
Amazon Web Services
aws.amazon.com › security, identity, and compliance › aws identity and access management (iam) › aws iam roles anywhere
Extend IAM roles to workloads in multicloud with AWS IAM Roles Anywhere
1 week ago - You can use AWS Identity and Access Management (IAM) Roles Anywhere to obtain temporary security credentials for your on-premises, hybrid, and multicloud workloads.
AWS
docs.aws.amazon.com › iam roles anywhere › user guide › the iam roles anywhere authentication process
The IAM Roles Anywhere authentication process - IAM Roles Anywhere
It acts like AssumeRole – exchanging the signature for a standard SigV4-compatible session credential. To successfully authenticate, the following constraints must be satisfied: The signature attached to the request MUST be validated against the signing certificate (also attached to the request). The signing certificate MUST have a valid trust chain to a Certificate Authority (CA) certificate configured in the customer account. The target role for which credentials are issued MUST have an AssumeRolePolicyDocument that allows IAM Roles Anywhere service principal, rolesanywhere.amazonaws.com, to call sts:AssumeRole, sts:TagSession, and sts:SetSourceIdentity.
AWS
aws.amazon.com › about-aws › whats-new › 2023 › 07 › iam-roles-anywhere-credential-helper-os-certificate-stores
IAM Roles Anywhere credential helper adds support for OS certificate stores - AWS
July 26, 2023 - With this release, you can now use IAM Roles Anywhere credential helper to delegate signing operations to keys stored within those OS-specific certificate stores, without those keys ever leaving those stores; which can improve your security posture. In Windows, both CryptoAPI and Cryptography ...
Medium
cmani.medium.com › aws-solutions-for-hybrid-and-multicloud-extend-aws-credentials-anywhere-with-iam-roles-anywhere-df7b1ff99203
AWS Solutions for Hybrid and Multicloud — Extend AWS credentials anywhere with IAM Roles Anywhere for workloads running outside AWS like GCP and other cloud providers | by Mani | Medium
July 31, 2024 - IAM Roles Anywhere provides a credential helper tool that can be used with the process credentials functionality that all current AWS SDKs support. This simplifies the signing process for the ...
Top answer 1 of 2
3
I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything.
check it out:
https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be
2 of 2
0
Simply put, you need a certificate indicated by `--certificate` to present to AWS in exchange for access keys. This certificate can be the same as a certificate that you see on this page. But the owner of the certificate will have the private key key. This is the parameter `--private-key` that you must point to. Any certificate has a certificate chain with the root CA at the top of the chain. This chain is the certificate bundle that you need to configure when setting up the trust anchor.
AWS
aws.amazon.com › awstv › watch › dfebdc9a2d3
IAM Roles Anywhere: Secure AWS Access - AWS
This service allows servers, containers, and applications to obtain temporary AWS credentials for IAM roles and policies, improving security and reducing operational complexity. The video demonstrates how to set up IAM Roles Anywhere, including ...
GitHub
github.com › aws › rolesanywhere-credential-helper › blob › main › README.md
rolesanywhere-credential-helper/README.md at main · aws/rolesanywhere-credential-helper
When testing IAM Roles Anywhere, you will have to upload the CA certificate as a trust anchor and create a profile within Roles Anywhere before using the binary along with the leaf certificate/private key to call credential-process.
Author aws
Medium
medium.com › @vanchi811 › aws-iam-roles-anywhere-63656682c7aa
AWS IAM Roles Anywhere using your own Private Certificate Authority | by chinmay mandal | Medium
September 11, 2024 - Now we have created the trust anchor, IAM role to be assumed and profile. To obtain temporary security credentials from AWS Identity and Access Management Roles Anywhere, use the credential helper tool that IAM Roles Anywhere provides.
AWS
aws.amazon.com › blogs › security › extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere
Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere | Amazon Web Services
January 14, 2026 - IAM Roles Anywhere provides a credential helper tool that can be used with the process credentials functionality that all current AWS SDKs support. This simplifies the signing process for the applications.
Amazon Web Services
aws.amazon.com › security, identity, and compliance › aws iam roles anywhere › resources
Resources to help you extend IAM roles with AWS IAM Roles Anywhere
February 12, 2026 - ... This guide describes the IAM Roles Anywhere operations that you can call programmatically. ... The credential helper implements the signing process for IAM Roles Anywhere's CreateSession API and returns temporary credentials in a standard JSON format that is compatible with the ...
AWS
aws.amazon.com › blogs › security › use-iam-roles-anywhere-to-help-you-improve-security-in-on-premises-container-workloads
Use IAM Roles Anywhere to help you improve security in on-premises container workloads | AWS Security Blog
November 29, 2023 - IAM Roles Anywhere lets you exchange static AWS Identity and Access Management (IAM) user credentials with temporary security credentials in this scenario, reducing security risks while improving developer convenience.
DEV Community
dev.to › polarsquad › how-to-use-aws-roles-anywhere-484p
How to use AWS Roles Anywhere - DEV Community
February 21, 2024 - [default] credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /app/app-cert.pem --private-key /app/app-private-nopass.key --trust-anchor-arn arn:aws:rolesanywhere:eu-west-1:xxxxxx:trust-anchor/yyyyyyyy --profile-arn arn:aws:rolesanywhere:eu-west-1:xxxxxx:profile/ccccccc --role-arn arn:aws:iam::xxxxxx:role/RolesAnywhere
Top answer 1 of 3
1
I found the easiest thing to do was to create a separate script for the credential_process to target, this isn't necessary I just found it easier.
So create a script along the lines of:
#! /bin/bash
# raw_helper.sh
/path/to/aws_signing_helper credential-process \
--certificate /path/to/cert.crt \
--private-key /path/to/key.key \
--trust-anchor-arn <TA_ARN> \
--profile-arn <Roles_Anywhere_Profile_ARN> \
--role-arn <IAM_Role_ARN>
The key thing I found is that most places (including AWS documentation) tell you to use the ~/.aws/config file and declare the profile there. This didn't seem to work, but when I added the profile to my ~/.aws/credentials file it did work. Assuming you've created a helper script, this would look like this:
# ~/.aws/credentials
[raw_profile]
credential_process = /path/to/raw_helper.sh
2 of 3
1
Based on AWS recommendations and my previous experience in a similiar application, you should
- Create the AWS config file on the server envirnoment or containers with the parameters - certificate, private-key, trust-anchor-arn, profile-arn, role-arn and the signing helper file location (Secure options such as using K8S secrets or other options should be considered here)
- Use AWS SDK to retrieve the credentials from the application.
If you are not using containers it will be a straight forward process to create the aws config file with a profile and then you can use the sdk to retireve the credentials. (aws signing helper file should also be uploaded to a path in the server)
Java SDK: https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/ProfileCredentialsProvider.html
Python SDK: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html
AWS
aws.amazon.com › blogs › security › iam-roles-anywhere-with-an-external-certificate-authority
IAM Roles Anywhere with an external certificate authority | AWS Security Blog
January 16, 2024 - You can write the command you just ran into your AWS Config file instead of manually parsing the JSON response into environment variables, or run the serve command to set up a local credential-serving endpoint that’s compatible with the AWS SDK and AWS Command Line Interface (AWS CLI). ./aws_signing_helper serve \ --certificate client.crt \ --private-key client.key \ --role-arn arn:aws:iam::111222333444:role/RolesanywhereS3Role \ --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:111222333444:trust-anchor/d5302884-5212-4f8d-9b17-24be63a5ae85 \ --profile-arn arn:aws:rolesanywhere:us-east-1:111222333444:profile/e341077c-4ee6-48e8-8d05-d900eb26b367 \ & # Start the process in the background
AWS
aws.amazon.com › blogs › security › planning-for-your-iam-roles-anywhere-deployment
Planning for your IAM Roles Anywhere deployment | AWS Security Blog
May 15, 2025 - Your applications integrate with IAM Roles Anywhere by using the aws signing helper (also known as the credential helper) with the AWS SDK.