I found the easiest thing to do was to create a separate script for the credential_process to target, this isn't necessary I just found it easier.
So create a script along the lines of:
#! /bin/bash
# raw_helper.sh
/path/to/aws_signing_helper credential-process \
--certificate /path/to/cert.crt \
--private-key /path/to/key.key \
--trust-anchor-arn <TA_ARN> \
--profile-arn <Roles_Anywhere_Profile_ARN> \
--role-arn <IAM_Role_ARN>
The key thing I found is that most places (including AWS documentation) tell you to use the ~/.aws/config file and declare the profile there. This didn't seem to work, but when I added the profile to my ~/.aws/credentials file it did work. Assuming you've created a helper script, this would look like this:
# ~/.aws/credentials
[raw_profile]
credential_process = /path/to/raw_helper.sh
AWS
docs.aws.amazon.com › iam roles anywhere › user guide › get temporary security credentials from iam roles anywhere
Get temporary security credentials from IAM Roles Anywhere - IAM Roles Anywhere
To download the credential helper tool, use the following links. Releases for Darwin and Windows on or after version 1.1.1 are signed. To get temporary credentials, you need all of the following: A Profile configured in AWS Identity and Access Management Roles Anywhere
GitHub
github.com › aws › rolesanywhere-credential-helper
GitHub - aws/rolesanywhere-credential-helper · GitHub
Get GCC on Windows using MinGW-w64. Install Golang through the installer. Install git and make using Chocolatey: ... You will find the aws_signing_helper binary for your system in build/bin/aws_signing_helper.
Starred by 186 users
Forked by 69 users
Languages Go 86.4% | Shell 6.5% | Makefile 6.0%
Videos
Go Packages
pkg.go.dev › github.com › aws › rolesanywhere-credential-helper › aws_signing_helper
aws_signing_helper package - github.com/aws/rolesanywhere-credential-helper/aws_signing_helper - Go Packages
March 5, 2026 - Version int `json:"Version"` // AWS Access Key ID AccessKeyId string `json:"AccessKeyId"` // AWS Secret Access Key SecretAccessKey string `json:"SecretAccessKey"` // AWS Session Token for temporary credentials SessionToken string `json:"SessionToken"` // ISO8601 timestamp for when the credentials expire Expiration string `json:"Expiration"` }
Top answer 1 of 3
1
I found the easiest thing to do was to create a separate script for the credential_process to target, this isn't necessary I just found it easier.
So create a script along the lines of:
#! /bin/bash
# raw_helper.sh
/path/to/aws_signing_helper credential-process \
--certificate /path/to/cert.crt \
--private-key /path/to/key.key \
--trust-anchor-arn <TA_ARN> \
--profile-arn <Roles_Anywhere_Profile_ARN> \
--role-arn <IAM_Role_ARN>
The key thing I found is that most places (including AWS documentation) tell you to use the ~/.aws/config file and declare the profile there. This didn't seem to work, but when I added the profile to my ~/.aws/credentials file it did work. Assuming you've created a helper script, this would look like this:
# ~/.aws/credentials
[raw_profile]
credential_process = /path/to/raw_helper.sh
2 of 3
1
Based on AWS recommendations and my previous experience in a similiar application, you should
- Create the AWS config file on the server envirnoment or containers with the parameters - certificate, private-key, trust-anchor-arn, profile-arn, role-arn and the signing helper file location (Secure options such as using K8S secrets or other options should be considered here)
- Use AWS SDK to retrieve the credentials from the application.
If you are not using containers it will be a straight forward process to create the aws config file with a profile and then you can use the sdk to retireve the credentials. (aws signing helper file should also be uploaded to a path in the server)
Java SDK: https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/ProfileCredentialsProvider.html
Python SDK: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html
Enlapser
enlapser.com › blog › aws-signing-helper-rpi
AWS Roles Anywhere on Raspberry Pi — aws_signing_helper builds
November 17, 2025 - The helper is part of the IAM Roles Anywhere toolchain that lets on‑prem and edge devices obtain temporary AWS credentials using X.509 certificates instead of storing static credentials on disk. Our repository: github.com/Enlapser/aws-signing-helper-rpi-builds
Medium
medium.com › @ismailkovvuru › securely-connect-on-prem-workloads-to-aws-using-iam-roles-anywhere-e2826c901a2c
Securely Connect On-Prem Workloads to AWS Using IAM Roles Anywhere | by Ismail Kovvuru | Medium
August 7, 2025 - brew install aws/tap/aws-signing-helper # macOS sudo yum install -y aws-signing-helper # Amazon Linux
DEV Community
dev.to › polarsquad › how-to-use-aws-roles-anywhere-484p
How to use AWS Roles Anywhere - DEV Community
February 21, 2024 - FROM debian:stable-slim ARG homedir=/app RUN DEBIAN_FRONTEND=noninteractive apt-get update \ && apt-get upgrade \ && apt-get install --no-install-recommends -y \ awscli \ curl \ python3-boto3 \ && rm -rf /var/lib/apt/lists/* # Download AWS Signing Helper RUN cd /usr/local/bin \ && curl -LO https://rolesanywhere.amazonaws.com/releases/1.1.1/X86_64/Linux/aws_signing_helper \ && chmod 0755 aws_signing_helper # Create user to run the app RUN adduser --system --home "$homedir" --no-create-home --shell /bin/false userapp RUN mkdir "$homedir" && chown userapp "$homedir" # After this everything is run under the user USER userapp COPY --chown=userapp --chmod=0600 ./app-cert.pem "$homedir" # This should never be copied inside the image.
Top answer 1 of 2
3
I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything.
check it out:
https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be
2 of 2
0
Simply put, you need a certificate indicated by `--certificate` to present to AWS in exchange for access keys. This certificate can be the same as a certificate that you see on this page. But the owner of the certificate will have the private key key. This is the parameter `--private-key` that you must point to. Any certificate has a certificate chain with the root CA at the top of the chain. This chain is the certificate bundle that you need to configure when setting up the trust anchor.
Jackiechen
jackiechen.blog › 2022 › 07 › 11 › aws-iam-roles-anywhere
AWS IAM Roles Anywhere – Jackie Chen's IT Workshop
July 11, 2022 - That’s all you need to on AWS end. To assume the roles from anywhere, you need to install aws_signing_helper which is a binary that is available for windows/linux/mac.
Go Packages
pkg.go.dev › github.com › zubeensyed › rolesanywhere-credential-helper › aws_signing_helper
aws_signing_helper package - github.com/zubeensyed/rolesanywhere-credential-helper/aws_signing_helper - Go Packages
April 12, 2023 - Create the string to sign. func FindTokenTTLSeconds(r *http.Request) (string, error) Helper function that finds a token's TTL in seconds
Jimmydqv
jimmydqv.com › iam-anywhere
AWS IAM Anywhere | Jimmy Dahlqvist
July 22, 2022 - When requesting credentials the request must be signed using normal SigV4, like with all AWS calls. The signing process is a bit tedious and is described here. Then a Session need to be created, according to this process. I found that this process was not that straight forward, luckily AWS has released a helper for it.
GitHub
github.com › aws › rolesanywhere-credential-helper › releases
Releases · aws/rolesanywhere-credential-helper
March 5, 2026 - Full Changelog: v1.7.1...v1.7.2 MacOS X86_64 Binary: https://rolesanywhere.amazonaws.com/releases/1.7.2/X86_64/MacOS/Ventura/aws_signing_helper Linux X86_64 Binary: https://rolesanywhere.amazonaws.com/releases/1.7.2/X86_64/Linux/Amzn2023/aws_signing_helper Windows X86_64 Binary: https://rolesanywhere.amazonaws.com/releases/1.7.2/X86_64/Windows/Server2019/aws_signing_helper.exe MacOS AArch64 Binary: https://rolesanywhere.amazonaws.com/releases/1.7.2/Aarch64/MacOS/Sonoma/aws_signing_helper Linux AArch64 Binary: https://rolesanywhere.amazonaws.com/releases/1.7.2/Aarch64/Linux/Amzn2023/aws_signing
Author aws
Reddit
reddit.com › r/aws › iam roles anywhere - arm64 version of aws_signing_helper?
r/aws on Reddit: IAM Roles Anywhere - arm64 version of aws_signing_helper?
July 21, 2022 -
I am trying to get IAM Roles Anywhere on some Raspberry Pis. Is there an arm64 version of the aws_signing_helper (https://s3.amazonaws.com/roles-anywhere-credential-helper/CredentialHelper/latest/linux_amd64/aws_signing_helper)?
MyNixOS
mynixos.com › nixpkgs › package › aws-signing-helper
aws-signing-helper - MyNixOS
Nix package aws-signing-helper declared in nixpkgs. AWS Signing Helper for IAM Roles Anywhere.
AWS
docs.aws.amazon.com › aws signer › developer guide › code signing workflows in signer › sign container images in signer › sign an image
Sign an image - AWS Signer
Step 1: Create a AWS Signer Notation signing profileStep 2: Install a helper programStep 3: Sign the image using the Notation CLIStep 4: Verify image
Medium
apkash8.medium.com › securing-access-provisioning-via-aws-iamrolesanywhere-goodbye-to-iam-credentials-2956ec66ff6a
Secure Access Provisioning via IAM Roles Anywhere | by just_a_noob | Medium
July 3, 2024 - This tool’s details and access can be found at the following link: https://github.com/aws/rolesanywhere-credential-helper · The AWS Signing helper obtains temporary security credentials from IAM Roles Anywhere, leveraging its credential helper tool, compatible with the credential_process feature across language SDKs.
Medium
cmani.medium.com › aws-solutions-for-hybrid-and-multicloud-extend-aws-credentials-anywhere-with-iam-roles-anywhere-df7b1ff99203
AWS Solutions for Hybrid and Multicloud — Extend AWS credentials anywhere with IAM Roles Anywhere for workloads running outside AWS like GCP and other cloud providers | by Mani | Medium
July 31, 2024 - Edit the AWS credential file, ~/.aws/config and call the aws_signing_helper.
AWS
docs.aws.amazon.com › aws signer › developer guide › get started with aws signer
Get started with AWS Signer - AWS Signer
Before you can begin signing code and binaries with AWS Signer, you need to set up an AWS account, create administrative and root users, apply security policies using AWS Identity and Access Management (IAM), and create a signing profile that contains the configuration for your signing tasks.
Smallstep
smallstep.com › blog › smallstep-and-aws-iam-roles-anywhere
How to use ACME to authenticate to AWS
May 20, 2024 - For this step, you'll need to install the aws CLI tool. For this piece, AWS provides a credential helper program that takes the cert and key as input, and outputs the temporary IAM credentials. ... ./aws_signing_helper credential-process \ --intermediates intermediate_ca.crt \ --certificate step.crt \ --private-key step.key \ --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID \ --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID \ --role-arn arn:aws:iam::account:role/role-name-with-path
Kloudle
kloudle.com › academy › allowing-non-aws-workloads-to-access-aws-services-using-aws-iam-roles-anywhere
Allowing non AWS workloads to access AWS services using AWS IAM Roles Anywhere
November 8, 2022 - Follow the instructions at https://github.com/aws/rolesanywhere-credential-helper#building to build the binary locally ... After successfully compiling using make release, you will find the aws_signing_helper binary in build/bin/