Amazon Web Services
Extend IAM roles to workloads in multicloud with AWS IAM Roles Anywhere
2 weeks ago - You can use AWS Identity and Access Management (IAM) Roles Anywhere to obtain temporary security credentials for your on-premises, hybrid, and multicloud workloads.
AWS
What is AWS Identity and Access Management Roles Anywhere? - IAM Roles Anywhere
You can use AWS Identity and Access Management Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same IAM policies and IAM roles that you use with AWS applications to ...
Videos
IAM Roles Anywhere: Secure AWS Access - AWS
AWS IAM Roles Anywhere - Introduction & Demo | Amazon Web Services ...
AWS IAM Roles Anywhere certificate attribute mapping | Amazon Web ...
IAM Roles Anywhere – now for everyone with Let's Encrypt - YouTube
IAM Roles Anywhere: Secure Workload Access - AWS
Reddit
r/aws on Reddit: What is IAM Roles Anywhere?
July 6, 2022
Saw these API changes and am wondering if anyone knows more about these new APIs?
https://awsapichanges.info/archive/changes/8d00b9-rolesanywhere.html
EDIT: the blog post now: https://aws.amazon.com/about-aws/whats-new/2022/07/aws-identity-access-management-iam-roles-anywhere-workloads-outside-aws/
Top answer 1 of 4, 15 points, by jsonpile
Great find! This must be something they’ll cover at the Re:Inforce conference. Reminds me of ECS Anywhere where AWS is creating capabilities to help facilitate hybrid workloads with components not running in AWS. In this case, it seems to be setting up a system for an on-prem system/workload to use IAM roles without a complex system/architecture in place. This was a pain point previously. This could be promising!
Answer 2 of 4, 5 points
From CreateTrustAnchor in the link you posted: "Creates a trust anchor. You establish trust between IAM Roles Anywhere and your certificate authority (CA) by configuring a trust anchor. A Trust Anchor is defined either as a reference to an AWS Certificate Manager Private Certificate Authority (ACM PCA), or by uploading a Certificate Authority (CA) certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the trusted Certificate Authority (CA) in exchange for temporary AWS credentials." Sounds like you'll be able to use X.509 certs instead of API keys or STS tokens to assume a role from outside of AWS. Very cool if you already have the necessary cert processes and infrastructure set up.
AWS
Getting started with IAM Roles Anywhere - IAM Roles Anywhere
To use IAM Roles Anywhere for authentication, you must first create a trust anchor, then configure roles, and then create a profile through the console.
Top answer 1 of 2, 3 points
I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything.
Check it out:
https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be
Answer 2 of 2, 0 points
Simply put, you need a certificate indicated by `--certificate` to present to AWS in exchange for access keys. This certificate can be the same as a certificate that you see on this page. But the owner of the certificate will have the private key. This is the parameter `--private-key` that you must point to. Any certificate has a certificate chain with the root CA at the top of the chain. This chain is the certificate bundle that you need to configure when setting up the trust anchor.
KodeKloud Notes
IAM Anywhere - KodeKloud
IAM Roles Anywhere enables external applications and resources to securely access AWS services using X.509 certificates managed by a centralized Public Key Infrastructure (PKI).
Medium
IAM Roles Anywhere: Certificate-Based Access to AWS | by Rouble Malik | AWS in Plain English
July 7, 2023 - Roles Anywhere is a new AWS service that allows you to use your private key infrastructure (PKI) to generate temporary credentials for accessing IAM roles from outside of AWS.
AWS
Welcome - IAM Roles Anywhere
AWS Identity and Access Management Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications that run outside of AWS to obtain temporary AWS credentials. Your workloads can use the same IAM policies and roles you have for native AWS applications to ...
AWS
Identity and access management for IAM Roles Anywhere - IAM Roles Anywhere
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use IAM Roles Anywhere resources.
Medium
AWS IAM Roles Anywhere - Bye Bye IAM Secrets | by Rajdeep Hayer | Medium
February 13, 2023 - It is the most awaited AWS feature and this will make AWS operations more secure. It is not only limited to using AWS CLI, with the help of AWS SDK you can configure your application to run anywhere and get AWS secrets. Now you can delete IAM users and migrate to AWS Role Anywhere.
AWS
Using IAM Roles Anywhere to authenticate AWS SDKs and tools - AWS SDKs and Tools
You can use IAM Roles Anywhere to get temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS. To use IAM Roles Anywhere, your workloads must use X.509 certificates.