

# Access for non-Amazon workloads
<a name="id_roles_common-scenarios_non-aws"></a>

An [IAM role](id_roles.md) is an object in Amazon Identity and Access Management (IAM) that is assigned [permissions](access_policies.md). When you [assume that role](id_roles_manage-assume.md) using an IAM identity or an identity from outside of Amazon, it provides you with temporary security credentials for your role session. You might have workloads running in your data center or other infrastructure outside of Amazon that must access your Amazon resources. Instead of creating, distributing, and managing long-term access keys, you can use Amazon Identity and Access Management Roles Anywhere (IAM Roles Anywhere) to authenticate your non-Amazon workloads. IAM Roles Anywhere uses X.509 certificates from your certificate authority (CA) to authenticate identities and securely provide access to Amazon Web Services services with the temporary credentials provided by an IAM role.

**To use IAM Roles Anywhere**

1. Set up a CA using [Amazon Private Certificate Authority](https://docs.amazonaws.cn/privateca/latest/userguide/PcaWelcome.html) or use a CA from your own public key infrastructure (PKI).

1. After you have set up a CA, create an object in IAM Roles Anywhere called a *trust anchor*. This anchor establishes trust between IAM Roles Anywhere and your CA for authentication.

1. Configure your existing IAM roles, or create new roles, so that they trust the IAM Roles Anywhere service.

1. Authenticate your non-Amazon workloads with IAM Roles Anywhere using the trust anchor. Amazon grants the non-Amazon workload temporary credentials for the IAM role that has access to your Amazon resources.
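The role trust policy from step 3 decides which certificates issued by your CA can obtain credentials in step 4. The following check is an added example, not part of the original documentation: it reviews a trust policy for the `rolesanywhere.amazonaws.com` service principal and reports statements that are not pinned to a trust anchor or to a certificate subject. The function name, sample policies, account ID, trust anchor ID, and certificate common name are constructed for illustration.

```python
ROLES_ANYWHERE = "rolesanywhere.amazonaws.com"
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"}

def _as_list(value):
    # IAM policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]

def review_trust_policy(policy):
    """Return findings for the statements that trust IAM Roles Anywhere."""
    findings = []
    trusted = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and ROLES_ANYWHERE in services:
            trusted.append(stmt)
    if not trusted:
        return ["role does not trust " + ROLES_ANYWHERE]
    for stmt in trusted:
        # Roles Anywhere sets session tags and a source identity on the session.
        missing = REQUIRED_ACTIONS - set(_as_list(stmt.get("Action", [])))
        if missing:
            findings.append("missing actions: " + ", ".join(sorted(missing)))
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "aws:sourcearn" not in keys:
            findings.append("no aws:SourceArn condition pinning a trust anchor")
        if not any(k.startswith("aws:principaltag/x509") for k in keys):
            findings.append("no x509 subject condition: any certificate from the CA qualifies")
    return findings

# Constructed sample policies; the account ID and trust anchor ID are placeholders.
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ROLES_ANYWHERE},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]}]}

SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ROLES_ANYWHERE},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    "Condition": {
        "StringEquals": {"aws:PrincipalTag/x509Subject/CN": "batch-worker-01"},
        "ArnEquals": {"aws:SourceArn":
            "arn:aws-cn:rolesanywhere:cn-north-1:111122223333:trust-anchor/EXAMPLE-ID"}}}]}

if __name__ == "__main__":
    for name, pol in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, review_trust_policy(pol) or "ok")
```
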

## Additional resources
<a name="id_roles_non-aws_additional_resources"></a>

The following resources can help you learn more about providing access to non-Amazon workloads.
+ To learn how to set up public key infrastructure (PKI) for IAM Roles Anywhere, see [IAM Roles Anywhere with an external certificate authority](https://amazonaws-china.com/blogs/) in the *Amazon Security Blog*.