Amazon Web Services
aws.amazon.com › security, identity, and compliance › aws identity and access management (iam) › aws iam roles anywhere
Extend IAM roles to workloads in multicloud with AWS IAM Roles Anywhere
2 weeks ago - You can use IAM Roles Anywhere to grant secure temporary access to AWS services and resources for your workloads in hybrid, on-premises, and multicloud workloads.
AWS
docs.aws.amazon.com › iam roles anywhere › user guide › what is aws identity and access management roles anywhere?
What is AWS Identity and Access Management Roles Anywhere? - IAM Roles Anywhere
You can use AWS Identity and Access Management Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same IAM policies and IAM roles that you use with AWS applications to ...
authentication - How to properly assume an AWS IAM Role in an automated way from server sitting outside of cloud? - Information Security Stack Exchange
To securely access AWS Services, I get it that you should always use IAM Roles, such that the credential exposure is always only temporary. What I do not fully understand is, how do you actually as... More on security.stackexchange.com
Help setting up IAM Roles Anywhere
Please consider adding "Roles Anywhere" as a new tag ... I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything. check it out: https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam... More on repost.aws
Integrating AWS Roles Anywhere with Let’s Encrypt
Hi, I was referring to below topic Integrating AWS Roles Anywhere with Let’s Encrypt to integrate AWS Roles Anywhere with Let’s Encrypt I am not able to as-is cabundle.pem in AWS IAM Anywhere (Create a trust anchor) UI. Error I am getting is Certificate is equivalent to, or issued by, a ... More on community.letsencrypt.org
Unable to configure Mountpoint with IAM Roles Anywhere
Mountpoint for Amazon S3 version mount-s3 1.7.2 AWS Region eu-central-1 Describe the running environment Running on non-EC2 instance which uses IAM Roles Anywhere configuration. AWS profile configu... More on github.com
Videos
19:44
IAM Roles Anywhere – now for everyone with Let's Encrypt - YouTube
09:16
AWS IAM Roles Anywhere - Introduction & Demo | Amazon Web Services ...
IAM Roles Anywhere: Secure AWS Access - AWS
06:10
AWS IAM Roles Anywhere certificate attribute mapping | Amazon Web ...
30:46
Use IAM Roles Anywhere to reduce the use of static IAM keys - Mike ...
Reddit
reddit.com › r/aws › what is iam roles anywhere?
r/aws on Reddit: What is IAM Roles Anywhere?
July 6, 2022 -
Saw these API changes and wondering if anyone knows more about these new apis?
https://awsapichanges.info/archive/changes/8d00b9-rolesanywhere.html
EDIT: the blog post now: https://aws.amazon.com/about-aws/whats-new/2022/07/aws-identity-access-management-iam-roles-anywhere-workloads-outside-aws/
Top answer 1 of 4
15
Great find! This must be something they’ll cover at the Re:Inforce conference. Reminds me of ECS Anywhere where AWS is creating capabilities to help facilitate hybrid workloads with components not running in AWS. In this case, it seems to be setting up a system for an on-prem system/workload to use IAM roles without a complex system/architecture in place. This was a pain point previously. This could be promising!
2 of 4
5
From CreateTrustAnchor in the link you posted: Creates a trust anchor. You establish trust between IAM Roles Anywhere and your certificate authority (CA) by configuring a trust anchor. A Trust Anchor is defined either as a reference to an AWS Certificate Manager Private Certificate Authority (ACM PCA), or by uploading a Certificate Authority (CA) certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the trusted Certificate Authority (CA) in exchange for temporary AWS credentials. Sounds like you'll be able to use X.509 certs instead of API keys or STS tokens to assume a role from outside of AWS. Very cool if you already have the necessary cert processes and infrastructure set up.
Stack Exchange
security.stackexchange.com › questions › 285425 › how-to-properly-assume-an-aws-iam-role-in-an-automated-way-from-server-sitting-o
authentication - How to properly assume an AWS IAM Role in an automated way from server sitting outside of cloud? - Information Security Stack Exchange
November 28, 2025 - As for the initial request of the ... 11:48:42 +00:00 Commented Dec 1, 2025 at 11:48 · @DevelJoe, you can use your own private CA with Roles Anywhere....
Top answer 1 of 2
3
I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything.
check it out:
https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be
2 of 2
0
Simply put, you need a certificate indicated by `--certificate` to present to AWS in exchange for access keys. This certificate can be the same as a certificate that you see on this page. But the owner of the certificate will have the private key. This is the parameter `--private-key` that you must point to. Any certificate has a certificate chain with the root CA at the top of the chain. This chain is the certificate bundle that you need to configure when setting up the trust anchor.
Workshops
catalog.us-east-1.prod.workshops.aws › workshops › f81841e0-b033-4355-8b6c-b2a404d544a4 › en-US
Advanced machine-to-machine access with IAM Roles ...
Discover and participate in AWS workshops and GameDays
AWS
docs.aws.amazon.com › iam roles anywhere › user guide › getting started with iam roles anywhere
Getting started with IAM Roles Anywhere - IAM Roles Anywhere
To use IAM Roles Anywhere for authentication you must first create a trust anchor, and then configure roles, and create a profile through the console.
Medium
aws.plainenglish.io › iam-roles-anywhere-certificate-based-access-to-aws-95d944930b42
IAM Roles Anywhere: Certificate-Based Access to AWS | by Rouble Malik | AWS in Plain English
July 7, 2023 - IAM Roles Anywhere: Certificate-Based Access to AWS What is roles anywhere? A new AWS service for secure access to IAM roles from outside of AWS Roles Anywhere is a new AWS service that allows you to …
GitHub
github.com › awslabs › mountpoint-s3 › issues › 927
Unable to configure Mountpoint with IAM Roles Anywhere · Issue #927 · awslabs/mountpoint-s3
June 28, 2024 - aws_signing_helper serve --certificate certificate.crt --private-key private.key --trust-anchor-arn arn:aws:rolesanywhere:eu-central-1:123456789012:trust-anchor/some-uuid-here --profile-arn arn:aws:rolesanywhere:eu-central-1:123456789012:profile/some-uuid-here --role-arn arn:aws:iam::123456789012:role/my-role-name --region eu-central-1
Author sdauhuchytsrf
Amazon Web Services
amazonaws.cn › en › new › 2023 › amazon-identity-and-access-management-introduces-iam-roles-anywhere-for-workloads-outside-of-amazon-web-services-cloud
Amazon Identity and Access Management introduces IAM Roles Anywhere for workloads outside of Amazon Web Services Cloud
IAM Roles Anywhere allows your workloads such as servers, containers, and applications to use X.509 digital certificates to obtain temporary Amazon Web Services credentials and use the same IAM roles and policies that you have configured for ...