IAM Roles Anywhere and interface VPC endpoints (Amazon PrivateLink) - IAM Roles Anywhere
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM Roles Anywhere and interface VPC endpoints (Amazon PrivateLink)

You can establish a private connection between your VPC and Amazon Identity and Access Management Roles Anywhere by creating an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to privately access IAM Roles Anywhere APIs without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with IAM Roles Anywhere APIs. Traffic between your VPC and IAM Roles Anywhere does not leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Considerations for IAM Roles Anywhere VPC endpoints

Before you set up an interface VPC endpoint for IAM Roles Anywhere, ensure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.

IAM Roles Anywhere supports making calls to all of its API actions from your VPC.

VPC endpoint policies are supported for IAM Roles Anywhere on all API methods except CreateSession. By default, full access to IAM Roles Anywhere is allowed through the endpoint. For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Creating an interface VPC endpoint for IAM Roles Anywhere

You can create a VPC endpoint for the IAM Roles Anywhere service using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for IAM Roles Anywhere using the following service name:

  • com.amazonaws.region.rolesanywhere

If you enable private DNS for the endpoint, you can make API requests to IAM Roles Anywhere using its default DNS name for the Region, for example, rolesanywhere.us-east-1.amazonaws.com.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for IAM Roles Anywhere

You can attach an endpoint policy to your VPC endpoint that controls access to IAM Roles Anywhere. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for IAM Roles Anywhere actions

The following is an example of an endpoint policy for IAM Roles Anywhere. When attached to an endpoint, this policy grants access to the listed IAM Roles Anywhere actions for all principals on all resources.

{ "Statement":[ { "Principal":"*", "Effect":"Allow", "Action":[ "rolesanywhere:CreateTrustAnchor", "rolesanywhere:CreateProfile", "rolesanywhere:UpdateProfile" ], "Resource":"*" } ] }