The IAM Roles Anywhere authentication process - IAM Roles Anywhere
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

The IAM Roles Anywhere authentication process

To provide credentials, Amazon Identity and Access Management Roles Anywhere uses the IAM Roles Anywhere CreateSession API. The API authenticates requests with a signature using keys associated with the X.509 certificate, which was used for authentication. The API method of IAM Roles Anywhere, acts like AssumeRole - exchanging the signature for a standard SigV4-compatible session credential.

To successfully authenticate, the following constraints must be satisfied:

  • The signature attached to the request MUST be validated against the signing certificate (also attached to the request).

  • The signing certificate MUST have a valid trust chain to a Certificate Authority (CA) certificate configured in the customer account.

  • The target role for which credentials are issued MUST have an AssumeRolePolicyDocument that allows IAM Roles Anywhere service principal, rolesanywhere.amazonaws.com , to call sts:AssumeRole, sts:TagSession, and sts:SetSourceIdentity. For more information, see Granting permissions to pass a role to a service in the IAM User Guide.

  • The target role for which credentials are issued MAY have additional Condition predicates in the AssumeRolePolicyDocument that restrict authorization based on attributes extracted from the X.509 Certificate (for example, Subject or Issuer).

The signature uses the same canonicalization mechanism as Amazon Signature V4 for API requests (SigV4), with the following changes and additions:

  • The private key used to sign the request MUST be bound to an X.509 Certificate.

  • The signing certificate MUST be a v3 certificate.

  • The signing certificate MUST be attached to the request via the header X-Amz-X509, as Base64-encoded Distinguished Encoding Rules (DER) data.

  • The relevant headers - X-Amz-X509 and X-Amz-X509-Chain (if applicable) MUST be included in the signed headers field of the Authorization header.

  • The X-Amz-X509-Chain header MUST be encoded as comma-delimited, base64-encoded DER.

  • The X-Amx-X509-Chain header MUST NOT exceed the maximum depth of 5 certificates.

  • The signing certificate's serial number MUST be included in the Credential portion of the Scope field of the Authorization header.

RSA and EC keys are supported; RSA keys are used with the RSA PKCS# v1.5 signing algorithm. EC keys are used with the ECDSA.