Great find! This must be something they’ll cover at the Re:Inforce conference. Reminds me of ECS Anywhere where AWS is creating capabilities to help facilitate hybrid workloads with components not running in AWS. In this case, it seems to be setting up a system for an on-prem system/workload to use IAM roles without a complex system/architecture in place. This was a pain point previously. This could be promising! Answer from jsonpile on reddit.com
Amazon Web Services
Extend IAM roles to workloads in multicloud with AWS IAM Roles Anywhere
2 weeks ago - You can use AWS Identity and Access Management (IAM) Roles Anywhere to obtain temporary security credentials for your on-premises, hybrid, and multicloud workloads.
AWS
What is AWS Identity and Access Management Roles Anywhere? - IAM Roles Anywhere
You can use AWS Identity and Access Management Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same IAM policies and IAM roles that you use with AWS applications to ...
How does AWS Roles Anywhere prevent rotation overhead in practice?
We're evaluating AWS IAM Roles Anywhere for connecting to our AWS resources from a third-party. I'm trying to understand why this means "no more distribution, storing, and rotation overheads" (as ... More on repost.aws
Can STS and IAM Role be used outside of AWS workload , from on-premise
SSM Hybrid Agent might be a good fit for you over IAM Users. It does fingerprinting of the host and handles rotating the temporary STS tokens, so less risk than managing that yourself with IAM User creds. You can give it whatever IAM Role you want. You can install it via whatever IaC is appropriate for the host; I've previously used Ansible. More on reddit.com
AWS
Getting started with IAM Roles Anywhere - AWS Documentation
To use IAM Roles Anywhere for authentication, you must first create a trust anchor, then configure roles, and finally create a profile through the console.
Reddit
r/aws on Reddit: What is IAM Roles Anywhere?
July 6, 2022 -
Saw these API changes and wondering if anyone knows more about these new APIs?
https://awsapichanges.info/archive/changes/8d00b9-rolesanywhere.html
EDIT: the blog post now: https://aws.amazon.com/about-aws/whats-new/2022/07/aws-identity-access-management-iam-roles-anywhere-workloads-outside-aws/
Top answer 1 of 4
15
Great find! This must be something they’ll cover at the Re:Inforce conference. Reminds me of ECS Anywhere where AWS is creating capabilities to help facilitate hybrid workloads with components not running in AWS. In this case, it seems to be setting up a system for an on-prem system/workload to use IAM roles without a complex system/architecture in place. This was a pain point previously. This could be promising!
2 of 4
5
From CreateTrustAnchor in the link you posted: Creates a trust anchor. You establish trust between IAM Roles Anywhere and your certificate authority (CA) by configuring a trust anchor. A Trust Anchor is defined either as a reference to an AWS Certificate Manager Private Certificate Authority (ACM PCA), or by uploading a Certificate Authority (CA) certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the trusted Certificate Authority (CA) in exchange for temporary AWS credentials. Sounds like you'll be able to use X.509 certs instead of API keys or STS tokens to assume a role from outside of AWS. Very cool if you already have the necessary cert processes and infrastructure set up.
Amazon Web Services
rolesanywhere — AWS CLI 2.34.42 Command Reference
Using IAM Roles Anywhere eliminates the need to manage long-term credentials for workloads running outside of Amazon Web Services.
AWS
Welcome - IAM Roles Anywhere
AWS Identity and Access Management Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications that run outside of AWS to obtain temporary AWS credentials. Your workloads can use the same IAM policies and roles you have for native AWS applications to ...
AWS
Using IAM Roles Anywhere to authenticate AWS SDKs and tools - AWS SDKs and Tools
IAM Roles Anywhere provides a way to get temporary credentials for a workload or process that runs outside of AWS. A trust anchor is established with the certificate authority to get temporary credentials for the associated IAM role.
Noise
IAM Roles Anywhere | Noise
By using IAM Roles Anywhere, your workloads, applications, containers, or devices that run external to AWS can access AWS resources and perform tasks like backing up data to Amazon Simple Storage Service (Amazon S3), or use AWS Key Management Service (AWS KMS) and the AWS encryption SDK to encrypt your data.
AWS
IAM Roles Anywhere | AWS Security Blog
AWS Identity and Access Management (IAM) Roles Anywhere enables workloads that run outside of Amazon Web Services (AWS), such as servers, containers, and applications, to use X.509 digital certificates to obtain temporary AWS credentials and access AWS resources, the same way that you use IAM ...
Google Cloud
Certifications | Google Cloud
Manage the full life cycle of APIs anywhere with visibility and control.
Remote Rocketship
Data Engineer at Route
3 weeks ago - • 4+ years of formal, professional data engineering experience • 3+ years of SQL, fluency in complex transformations, window functions, query optimization • 2+ years of python, data pipeline development, scripting, testing, and package management (Poetry) • 2+ years of experience with AWS (e.g. - S3, RDS, DMS, DynamoDB) across data-related services • 1+ years of experience using Databricks, our primary development platform for this role • Experience using Terraform and GoLang • PagerDuty / Grafana / Tableau, preferred experience • Understanding of third normal form (3NF) data modeling and when to apply it • Knowledge and application of data theory • Working knowledge of data security practices and least-privilege access standards • Experience with data access controls in cloud environments (IAM roles, catalog permissions, etc.)
Top answer 1 of 2
2
Most organisations already have a PKI mechanism defined. The idea here is to use the PKI mechanism with AWS IAM Roles Anywhere. Since they already have PKI, it reduces the overhead to maintain, store or rotate long-term AWS access keys and secrets. You can also use IAM Roles Anywhere to provide a consistent experience for managing credentials across hybrid workloads.
For more information, please refer to https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
2 of 2
1
The certificate can be issued for a longer time (e.g. 1 year) but the keys are rotated more often (every hour). So there are two parts here: setting up the trust anchor with certificates, and then having the ability for that host to rotate keys as required, essentially forcing your access keys to expire and be rotated. So the certificates work at the host (Linux, Windows, etc.) level and the keys at the AWS services level.
There's a good example in this blog:
https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
AWS
Actions - IAM Roles Anywhere
The following actions are supported: CreateProfile, CreateTrustAnchor, DeleteAttributeMapping, DeleteCrl, DeleteProfile, DeleteTrustAnchor, DisableCrl, DisableProfile, DisableTrustAnchor, EnableCrl, EnableProfile, ...
AWS
IAM Roles Anywhere is now available in the AWS GovCloud (US) Regions - AWS
September 22, 2023 - AWS Identity and Access Management (IAM) Roles Anywhere is now available in the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions. IAM Roles Anywhere enables workloads that run outside of AWS to access AWS resources using IAM roles and policies in the same way you do from your AWS workloads.
Dunlop
Using IAM Role Anywhere Credentials for Seamless Access Beyond AWS – DUNLOP.GEEK.NZ
Whilst IAM Roles are a powerful tool for managing access to AWS resources, did you know that they can also be used directly outside of the AWS ecosystem without the need for any IAM user accounts defined for programmatic access only? This is achieved by using the IAM Roles Anywhere approach.