

# What is Amazon Identity and Access Management Roles Anywhere?
<a name="introduction"></a>

You can use Amazon Identity and Access Management Roles Anywhere to obtain [temporary security credentials in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_temp.html) for workloads such as servers, containers, and applications that run outside of Amazon. Your workloads can use the same [IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html) and [IAM roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) that you use with Amazon applications to access Amazon resources. Using IAM Roles Anywhere means you don't need to manage long-term Amazon credentials for workloads running outside of Amazon. 

To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by your [certificate authority (CA)](https://docs.amazonaws.cn/privateca/latest/userguide/PcaTerms.html#terms-ca). You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public-key infrastructure (PKI) and IAM Roles Anywhere. 

**Topics**
+ [IAM Roles Anywhere concepts](#first-time-user)
+ [Accessing IAM Roles Anywhere](#access)

## IAM Roles Anywhere concepts
<a name="first-time-user"></a>

Learn the basic terms and concepts used in IAM Roles Anywhere.
+ **Trust anchors**

  You establish trust between IAM Roles Anywhere and your certificate authority (CA) by creating a *trust anchor*. A trust anchor is a reference to an external CA certificate. Your workloads outside of Amazon authenticate with the trust anchor using certificates issued by the trusted CA in exchange for temporary Amazon credentials. There can be several trust anchors in one Amazon account. For more information, see [IAM Roles Anywhere trust model](trust-model.md).
+ **Roles**

  An [IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. A role is intended to be assumable by anyone who needs it. For IAM Roles Anywhere to be able to assume a role and deliver temporary Amazon credentials, the role must trust the IAM Roles Anywhere service principal. A trust anchor is tied to the IAM role via the `aws:SourceArn` condition key that uses the trust anchor's ARN as its value in the role's trust policy. For more information, see [Role trusts](trust-model.md#role-trusts).
+ **Profiles**

  To specify which roles IAM Roles Anywhere assumes and what your workloads can do with the temporary credentials, you create a profile. In a profile, you can define IAM session policies, which can be managed or inline, to limit the permissions created for a session. A profile can have many IAM roles, but only one session policy. Any session returned by a `CreateSession` call that references the profile will have its permissions limited by the session policy.

**Note**  
All IAM Roles Anywhere resources are regional, and they must be created in the same account and Region to be used together.

### Account trust boundary
<a name="account-trust-boundary.title"></a>

For IAM Roles Anywhere, the trust boundary is established at the account level. This means:
+ Certificates issued by any trust anchor in the account can be used to assume any target role in that same account, unless you specify conditions in the role's trust policy.
+ There is no automatic integration with organization-wide controls.
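The role trust described above (the trust anchor tied to the role through the `aws:SourceArn` condition key) and the account-level trust boundary are two sides of the same check: a role that trusts the IAM Roles Anywhere service principal without an `aws:SourceArn` condition can be assumed through any trust anchor in the account. The following is an added example, not code from the Amazon documentation or from IAM Roles Anywhere itself: a small audit function that reads a role trust policy and reports whether it is pinned to the expected trust anchor, shown against a weak policy and its hardened counterpart. It assumes the service principal name `rolesanywhere.amazonaws.com` (the page does not name it), the trust-anchor ARN is a constructed placeholder, and the `sts:TagSession` and `sts:SetSourceIdentity` actions are included as commonly granted alongside `sts:AssumeRole`.

```python
import json

# IAM Roles Anywhere service principal. Assumption: the page only says
# "the IAM Roles Anywhere service principal" without naming it.
ROLES_ANYWHERE_PRINCIPAL = "rolesanywhere.amazonaws.com"

# Constructed placeholder trust-anchor ARN; not a real resource.
TRUST_ANCHOR_ARN = (
    "arn:aws-cn:rolesanywhere:cn-north-1:111122223333:"
    "trust-anchor/00000000-0000-0000-0000-000000000000"
)

# Weak trust policy (constructed): it trusts the service principal but has no
# aws:SourceArn condition, so a certificate issued under ANY trust anchor in
# the account can be exchanged for this role's credentials.
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "rolesanywhere.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]
  }]
}""")

# Hardened trust policy (constructed): aws:SourceArn pins the role to one
# trust anchor, so other trust anchors in the same account cannot use it.
HARDENED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "rolesanywhere.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    "Condition": {"ArnEquals": {"aws:SourceArn": "%s"}}
  }]
}""" % TRUST_ANCHOR_ARN)


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def rolesanywhere_statements(policy):
    """Return the Allow statements that let IAM Roles Anywhere assume the role."""
    matches = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
        else:
            services = _as_list(principal)  # a bare "*" principal means anyone
        if not ("*" in services or ROLES_ANYWHERE_PRINCIPAL in services):
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            matches.append(stmt)
    return matches


def source_arn_values(stmt):
    """Return the aws:SourceArn values in the statement's Condition, or None if absent."""
    for operator, pairs in stmt.get("Condition", {}).items():
        # aws:SourceArn is normally used with Arn* operators; String* also occurs.
        if not (operator.startswith("Arn") or operator.startswith("String")):
            continue
        for key, value in pairs.items():
            if key.lower() == "aws:sourcearn":
                return _as_list(value)
    return None


def audit_trust_policy(policy, expected_trust_anchor_arn):
    """Return a list of findings; an empty list means the role is pinned to the expected trust anchor."""
    stmts = rolesanywhere_statements(policy)
    if not stmts:
        return ["no statement grants sts:AssumeRole to the IAM Roles Anywhere principal"]
    findings = []
    for i, stmt in enumerate(stmts):
        arns = source_arn_values(stmt)
        if arns is None:
            findings.append(f"statement {i}: missing aws:SourceArn condition; "
                            "any trust anchor in this account can assume the role")
            continue
        for arn in arns:
            if "*" in arn:
                findings.append(f"statement {i}: wildcard aws:SourceArn {arn!r}")
            elif arn != expected_trust_anchor_arn:
                findings.append(f"statement {i}: aws:SourceArn {arn!r} "
                                "is not the expected trust anchor")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, audit_trust_policy(policy, TRUST_ANCHOR_ARN) or ["OK"])
```

The audit reports the weak policy as assumable through any trust anchor in the account and accepts the hardened one, which is the condition the account trust boundary above asks you to add yourself, since nothing narrows the boundary automatically.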

### Multi-account setups
<a name="multi-account-setups"></a>

For information on setting up multi-account access, see [Access for an IAM user in another Amazon account that you own](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html).

## Accessing IAM Roles Anywhere
<a name="access"></a>

**Amazon Management Console**

You can manage your IAM Roles Anywhere resources using the [IAM Roles Anywhere console](https://console.amazonaws.cn/rolesanywhere/home).

**Amazon Command Line Tools**

You can use the Amazon command line tools to issue commands at your system command line to perform IAM Roles Anywhere and other Amazon tasks. This can be faster and more convenient than using the console. The command line tools can be useful if you want to build scripts to perform Amazon tasks.

Amazon provides the [Amazon Command Line Interface (Amazon CLI)](http://aws.amazon.com/cli/). For information about installing and using the Amazon CLI, see the [Amazon Command Line Interface User Guide](https://docs.amazonaws.cn/cli/latest/userguide/).

**Amazon SDKs**

The Amazon software development kits (SDKs) consist of libraries and sample code for various programming languages and platforms, including Java, Python, Ruby, .NET, iOS, Android, and others. The SDKs handle tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For more information about the Amazon SDKs, including how to download and install them, see [Tools for Amazon Web Services](https://aws.amazon.com/tools/).