Providing access for non Amazon workloads - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Providing access for non Amazon workloads

An IAM role is an object in Amazon Identity and Access Management (IAM) that is assigned permissions. When you assume that role using an IAM identity or an identity from outside of Amazon, it provides you with temporary security credentials for your role session. You might have workloads running in your data center or other infrastructure outside of Amazon that need to access your Amazon resources. Instead of creating, distributing, and managing long-term access keys, you can use Amazon Identity and Access Management Roles Anywhere (IAM Roles Anywhere) to authenticate your non Amazon workloads. IAM Roles Anywhere uses X.509 certificates from your certificate authority (CA) to authenticate identities and securely provide access to Amazon Web Services with the temporary credentials provided by an IAM role.

To use IAM Roles Anywhere, you set up a CA using Amazon Private Certificate Authority or use a CA from your own PKI infrastructure. After you have set up a CA, you create an object in IAM Roles Anywhere called a trust anchor to establish trust between IAM Roles Anywhere and your CA for authentication. You can then configure your existing IAM roles, or create new roles that trust the IAM Roles Anywhere service. When your non Amazon workloads authenticate with IAM Roles Anywhere using the trust anchor, they can get temporary credentials for your IAM roles to access your Amazon resources.