Amazon Web Services
aws.amazon.com › security, identity, and compliance › aws identity and access management (iam) › aws iam roles anywhere
Extend IAM roles to workloads in multicloud with AWS IAM Roles Anywhere
2 weeks ago - Use IAM Roles Anywhere to enable your workloads that run on your premises (such as servers, containers, and applications) to access AWS resources with AWS temporary credentials.
AWS
docs.aws.amazon.com › iam roles anywhere › user guide › what is aws identity and access management roles anywhere?
What is AWS Identity and Access Management Roles Anywhere? - IAM Roles Anywhere
You can use AWS Identity and Access Management Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same IAM policies and IAM roles that you use with AWS applications to ...
AWS
docs.aws.amazon.com › iam roles anywhere › user guide › getting started with iam roles anywhere
Getting started with IAM Roles Anywhere - AWS Documentation
To use IAM Roles Anywhere for authentication you must first create a trust anchor, and then configure roles, and create a profile through the console.
Reddit
reddit.com › r/aws › what is iam roles anywhere?
r/aws on Reddit: What is IAM Roles Anywhere?
July 6, 2022 -
Saw these API changes and wondering if anyone knows more about these new APIs?
https://awsapichanges.info/archive/changes/8d00b9-rolesanywhere.html
EDIT: the blog post now: https://aws.amazon.com/about-aws/whats-new/2022/07/aws-identity-access-management-iam-roles-anywhere-workloads-outside-aws/
Top answer 1 of 4
15
Great find! This must be something they’ll cover at the Re:Inforce conference. Reminds me of ECS Anywhere where AWS is creating capabilities to help facilitate hybrid workloads with components not running in AWS. In this case, it seems to be setting up a system for an on-prem system/workload to use IAM roles without a complex system/architecture in place. This was a pain point previously. This could be promising!
2 of 4
5
From CreateTrustAnchor in the link you posted: Creates a trust anchor. You establish trust between IAM Roles Anywhere and your certificate authority (CA) by configuring a trust anchor. A Trust Anchor is defined either as a reference to an AWS Certificate Manager Private Certificate Authority (ACM PCA), or by uploading a Certificate Authority (CA) certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the trusted Certificate Authority (CA) in exchange for temporary AWS credentials. Sounds like you'll be able to use X.509 certs instead of API keys or STS tokens to assume a role from outside of AWS. Very cool if you already have the necessary cert processes and infrastructure set up.
AWS
docs.aws.amazon.com › iam roles anywhere › api reference › actions
Actions - IAM Roles Anywhere
The following actions are supported: CreateProfile · CreateTrustAnchor · DeleteAttributeMapping · DeleteCrl · DeleteProfile · DeleteTrustAnchor · DisableCrl · DisableProfile · DisableTrustAnchor · EnableCrl · EnableProfile ·
AWS
aws.amazon.com › blogs › security › tag › iam-roles-anywhere
IAM Roles Anywhere | AWS Security Blog
AWS Identity and Access Management (IAM) Roles Anywhere enables workloads that run outside of Amazon Web Services (AWS), such as servers, containers, and applications, to use X.509 digital certificates to obtain temporary AWS credentials and access AWS resources, the same way that you use IAM ...
Amazon Web Services
docs.aws.amazon.com › cli › latest › reference › rolesanywhere
rolesanywhere — AWS CLI 2.34.42 Command Reference
See the User Guide for help getting started. ... Identity and Access Management Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications that run outside of Amazon Web Services to obtain temporary Amazon Web Services credentials.
AWS
docs.aws.amazon.com › iam roles anywhere › api reference › welcome
Welcome - IAM Roles Anywhere
AWS Identity and Access Management Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications that run outside of AWS to obtain temporary AWS credentials. Your workloads can use the same IAM policies and roles you have for native AWS applications to ...
AWS
docs.aws.amazon.com › iam roles anywhere › user guide › iam roles anywhere cloud security and shared responsibility › identity and access management for iam roles anywhere
Identity and access management for IAM Roles Anywhere - IAM Roles Anywhere
How to authenticate requests and manage access to your IAM Roles Anywhere resources.
Top answer 1 of 2
3
I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything.
check it out:
https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be
2 of 2
0
Simply put, you need a certificate indicated by `--certificate` to present to AWS in exchange for access keys. This certificate can be the same as a certificate that you see on this page. But the owner of the certificate will have the private key. This is the parameter `--private-key` that you must point to. Any certificate has a certificate chain with the root CA at the top of the chain. This chain is the certificate bundle that you need to configure when setting up the trust anchor.
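The pieces described across the results and replies above (the getting-started snippet's trust anchor, role and profile; the CA-backed trust anchor in the CreateTrustAnchor reply; the `--certificate`, `--private-key` and chain bundle in the last reply) fit together as follows. This is an added example, not code from the page, from AWS or from any of the posters. It is POSIX sh driving the openssl CLI; the account ID, trust anchor, profile and role ARNs, and the hostname are placeholders, and the end-entity certificate constraints it checks (X.509v3, not CA:TRUE, keyUsage with digitalSignature, SHA-256 or stronger) are my reading of the Roles Anywhere trust-model documentation, so confirm them against the current docs before relying on them.

```shell
#!/bin/sh
# Added example, not code from the page or from AWS. Certificate side of an IAM Roles
# Anywhere setup with openssl: a private CA (the bundle a CERTIFICATE_BUNDLE trust anchor
# is created from), a workload cert and key (what --certificate/--private-key point at),
# a preflight check against the constraints the Roles Anywhere docs place on end-entity
# certificates, plus the trust-anchor source, role trust policy and CLI profile that
# complete the trust anchor -> role -> profile chain. ARNs and names are placeholders.
set -eu

# 1. Private CA: CA:TRUE and keyCertSign are required of a trust anchor CA. The same
#    config file carries the end-entity extension section used in step 2.
make_ca() {   # $1 = work dir
  cat >"$1/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_ee]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$1/pki.cnf" \
    -extensions v3_ca -subj "/O=Example Corp/CN=Example Workload CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# 2. Workload certificate: X.509v3, not a CA, keyUsage digitalSignature, SHA-256 signed.
#    Its subject CN becomes the x509Subject/CN session tag the role trust policy can pin.
issue_workload_cert() {   # $1 = work dir (after make_ca), $2 = workload CN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/pki.cnf" \
    -subj "/O=Example Corp/CN=$2" -keyout "$1/wl.key" -out "$1/wl.csr" 2>/dev/null
  openssl x509 -req -in "$1/wl.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$1/pki.cnf" -extensions v3_ee -out "$1/wl.crt" 2>/dev/null
}

# 3. Preflight an end-entity certificate before uploading anything. Returns 1 and names
#    each violation (the CA certificate itself fails this check on purpose).
check_end_entity() {   # $1 = certificate path
  c="$1"; rc=0
  openssl x509 -in "$c" -noout -text | grep -q 'Version: 3' \
    || { echo "$c: not X.509v3"; rc=1; }
  openssl x509 -in "$c" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE' \
    && { echo "$c: CA:TRUE is not allowed on an end-entity certificate"; rc=1; }
  openssl x509 -in "$c" -noout -ext keyUsage 2>/dev/null | grep -q 'Digital Signature' \
    || { echo "$c: keyUsage must include digitalSignature"; rc=1; }
  openssl x509 -in "$c" -noout -text | grep 'Signature Algorithm' | head -n 1 \
    | grep -Eiq 'sha(256|384|512)' || { echo "$c: signature must be SHA-256 or stronger"; rc=1; }
  return $rc
}

# 4. CreateTrustAnchor input: the CA PEM (the chain "bundle") as a CERTIFICATE_BUNDLE source.
trust_anchor_source() {   # $1 = work dir; writes $1/trust-anchor-source.json
  pem=$(awk '{ printf "%s\\n", $0 }' "$1/ca.crt")
  printf '{"sourceType":"CERTIFICATE_BUNDLE","sourceData":{"x509CertificateData":"%s"}}\n' \
    "$pem" >"$1/trust-anchor-source.json"
}

# 5. Role trust policy: only this trust anchor may assume the role, and only for sessions
#    whose certificate subject CN matches the workload (not every cert from the CA will do).
role_trust_policy() {   # $1 = trust anchor ARN, $2 = expected subject CN
  cat <<EOF
{ "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Principal": { "Service": "rolesanywhere.amazonaws.com" },
    "Action": [ "sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity" ],
    "Condition": {
      "ArnEquals": { "aws:SourceArn": "$1" },
      "StringEquals": { "aws:PrincipalTag/x509Subject/CN": "$2" } } } ] }
EOF
}

# 6. ~/.aws/config entry: aws_signing_helper presents the certificate, signs the
#    CreateSession call with the private key and hands the CLI temporary credentials.
cli_profile() {   # $1 = work dir, $2 = trust anchor ARN, $3 = profile ARN, $4 = role ARN
  printf '[profile onprem-workload]\ncredential_process = aws_signing_helper credential-process'
  printf ' --certificate %s/wl.crt --private-key %s/wl.key' "$1" "$1"
  printf ' --trust-anchor-arn %s --profile-arn %s --role-arn %s\n' "$2" "$3" "$4"
}

demo() {   # $1 = work dir: build and check the PKI, then print the AWS-side steps
  make_ca "$1"; issue_workload_cert "$1" "web-01.example.internal"
  check_end_entity "$1/wl.crt"; openssl verify -CAfile "$1/ca.crt" "$1/wl.crt"
  trust_anchor_source "$1"
  echo "aws rolesanywhere create-trust-anchor --name example-ca --enabled --source file://$1/trust-anchor-source.json"
  role_trust_policy "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/TA_ID" \
    "web-01.example.internal" >"$1/trust-policy.json"
  echo "aws iam create-role --role-name onprem-workload --assume-role-policy-document file://$1/trust-policy.json"
  echo "aws rolesanywhere create-profile --name onprem-workload --enabled --role-arns arn:aws:iam::111122223333:role/onprem-workload"
  cli_profile "$1" arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/TA_ID \
    arn:aws:rolesanywhere:us-east-1:111122223333:profile/PROFILE_ID arn:aws:iam::111122223333:role/onprem-workload
}
if [ $# -gt 0 ]; then demo "$1"; fi
```

Run it as `sh ra-setup.sh /tmp/ra`: it generates the CA and workload certificate offline, refuses to continue if the workload certificate fails the preflight, and only prints the `aws` commands, which need real credentials and are not executed. Two points a reviewer should insist on: the `aws:SourceArn` condition pins the role to one trust anchor, so a second trust anchor registered in the account (or a different CA) cannot be used to assume it, and the `x509Subject/CN` condition means a certificate issued by the same CA to a different workload is also refused. The private key in `wl.key` is the long-lived secret that replaces an access key, so it needs the same file permissions and rotation discipline as one.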