Access for non Amazon workloads - Amazon Identity and Access Management
Additional resources
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Access for non Amazon workloads

An IAM role is an object in Amazon Identity and Access Management (IAM) that is assigned permissions. When you assume that role using an IAM identity or an identity from outside of Amazon, it provides you with temporary security credentials for your role session. You might have workloads running in your data center or other infrastructure outside of Amazon that must access your Amazon resources. Instead of creating, distributing, and managing long-term access keys, you can use Amazon Identity and Access Management Roles Anywhere (IAM Roles Anywhere) to authenticate your non Amazon workloads. IAM Roles Anywhere uses X.509 certificates from your certificate authority (CA) to authenticate identities and securely provide access to Amazon Web Services services with the temporary credentials provided by an IAM role.

To use IAM Roles Anywhere

  1. Set up a CA using Amazon Private Certificate Authority or use a CA from your own PKI infrastructure.

  2. After you have set up a CA, you create an object in IAM Roles Anywhere called a trust anchor. This anchor establishes trust between IAM Roles Anywhere and your CA for authentication.

  3. You can then configure your existing IAM roles, or create new roles that trust the IAM Roles Anywhere service.

  4. Authenticate your non Amazon workloads with IAM Roles Anywhere using the trust anchor. Amazon grants the non Amazon workload temporary credentials to the IAM role that has access to your Amazon resources.

Additional resources

The following resources can help you learn more about providing access to non-Amazon workloads.