To specify which roles IAM Roles Anywhere assumes and what your workloads can do with the temporary credentials, you create a profile. In a profile, you can define IAM session policies, which can be managed or inline, to limit the permissions created for a session. A profile can have many IAM roles, but only one session policy. Any session returned by a CreateSession call that references the profile will have its permissions limited by the session policy.

CreateSession API returns temporary security credentials for workloads that have been authenticated with IAM Roles Anywhere to access AWS resources.

The CreateSession API enables workloads running outside of AWS to obtain temporary AWS credentials using X.509 certificates to access AWS resources. Previously, VPC endpoint policies applied to all IAM Roles Anywhere API operations except CreateSession. This launch closes that gap, giving you ...

This package provides an easy way to create a refreshable boto3 Session with IAM Roles Anywhere, without defining an AWS profile with relevant configuration for IAM roles anywhere.

February 12, 2026 - The credential helper implements the signing process for IAM Roles Anywhere's CreateSession API and returns temporary credentials in a standard JSON format that is compatible with the credential_process feature available across the language SDKs. More information can be found here .

The rolesanywhere-credential-helper implements the signing process for the AWS IAM Roles Anywhere CreateSession API. It returns temporary credentials in a standard JSON format compatible with the credential_process feature available across AWS SDKs.

To provide credentials, AWS Identity and Access Management Roles Anywhere uses the IAM Roles Anywhere CreateSession API. The API authenticates requests with a signature using keys associated with the X.509 certificate, which was used for authentication.

September 11, 2024 - A Roles Anywhere Profile links the IAM Role with Roles Anywhere and can impose session restrictions if necessary. The External Server makes a CreateSession request, presenting its Certificate and specifying the role it intends to assume.

January 16, 2024 - The API you call to swap credentials is CreateSession for IAM Roles Anywhere. This API serves as a wrapper around STS AssumeRole but requires that you pass in certificate information first. You, as the end user, don’t directly call this API.

June 9, 2025 - This log is created when Roles Anywhere is used for authentication, in other words, to create temporary credentials and send them to the user. Figure 3 shows an example of a CreateSession log entry and notes the associated ARN.

May 15, 2025 - After you’ve planned for integration ... role session that is created by calling CreateSession represents the identity and permissions of your external workloads within AWS....

Temporary credentials for IAM roles are issued to IAM Roles Anywhere clients via the API method CreateSession.

November 6, 2023 - A Roles Anywhere Profile associates the IAM Role with Roles Anywhere and can set session restrictions if desired. The External Server issues a CreateSession request and provides it’s Certificate along with specifying the role it wishes to assume.

To specify which roles IAM Roles Anywhere assumes and what your workloads can do with the temporary credentials, you create a profile. In a profile, you can define IAM session policies, which can be managed or inline, to limit the permissions created for a session. A profile can have many IAM roles, but only one session policy. Any session returned by a CreateSession call that references the profile will have its permissions limited by the session policy.

IAM Roles Anywhere uses the CreateSession API to authenticate requests with a SigV4a signature using the private key and its associated X.509 certificate. This exchange provides a IAM role session credential, as if you had assumed the IAM role. The aws_signing_helper binary is provided to call ...

from iam_rolesanywhere_session import IAMRolesAnywhereSession roles_anywhere_session = IAMRolesAnywhereSession( profile_arn="arn:aws:rolesanywhere:eu-central-1:************:profile/a6294488-77cf-4d4a-8c5c-40b96690bbf0", role_arn="arn:aws:iam::************:role/IAMRolesAnywhere-01", ...

November 29, 2023 - The container that is authenticating with IAM Roles Anywhere needs to present a valid certificate issued by the PKI, as well as Amazon Resource Names (ARNs) for the trust anchor, profile, and role. The container finally uses the certificate’s private key to sign a CreateSession API call, returning temporary AWS credentials.

August 3, 2025 - IAM Roles Anywhere leverages public key infrastructure (PKI) as a mechanism to establish trust between your external system and your AWS Account. Systems sitting outside of AWS hold X.509 Certificates that they present as part of a CreateSession ...

December 19, 2024 - Add native support for CreateSession to the SDK. We would like to leverage IAM Roles Anywhere to "bootstrap" AWS credentials into our external services that are written in Go.