Creating a trust anchor and profile in Amazon Identity and Access Management Roles Anywhere - IAM Roles Anywhere
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a trust anchor and profile in Amazon Identity and Access Management Roles Anywhere

To use Amazon Identity and Access Management Roles Anywhere for authentication to Amazon from your workloads that run outside of Amazon such as servers, containers, and applications, you first create a trust anchor and profile through the IAM Roles Anywhere console.

You establish trust between IAM Roles Anywhere and your certificate authority (CA) by creating a trust anchor. A trust anchor is a reference to an external CA certificate. You can create trust anchors for each certificate authority you want to trust.

To specify which roles IAM Roles Anywhere assumes and what your workloads can do with the temporary credentials, you create a profile. In a profile, you can define permissions with IAM managed policies.

Step 1: Establish trust

The first step of using IAM Roles Anywhere is creating a trust anchor, which requires you to reference a certificate authority (CA) that IAM Roles Anywhere will use to validate your authentication requests. Both root and intermediate CAs can be used as trust anchors. You will have to upload your external CA certificate. Note that CA certificates that are used as trust anchors have to satisfy certain constraints. For more information, see Signature verification.

To set up a certificate authority (CA)
  • To use an external CA, follow the instructions provided by the CA. You provide the certificate body in a later step.

    Important

    Certificates issued from public CAs cannot be used as trust anchors.

To create a trust anchor
  1. Sign in to the IAM Roles Anywhere console.

  2. Choose Create a trust anchor.

  3. In Trust anchor name, enter a name for the trust anchor.

  4. For Certificate authority (CA) source, choose External certificate bundle. In External certificate bundle, paste your CA certificate body. The certificate must be in Privacy Enhanced Mail (PEM) format.

  5. (Optional) Customize notification settings based on your public key infrastructure. For more information, see Customize notification settings.

  6. (Optional) Add metadata to the trust anchor by attaching tags as key-value pairs. For more information, see Tagging Amazon resources.

  7. Choose Create a trust anchor.

Step 2: Configure roles

Before you can create an IAM Roles Anywhere profile, you need at least one IAM role that trusts the IAM Roles Anywhere service principal. Then you can create a profile that lists the roles IAM Roles Anywhere assumes. In a profile, you can also limit the permissions for a created session with IAM managed policies.

To configure a role to trust IAM Roles Anywhere
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. On the IAM roles page, choose the role you want to use.

  3. On the Trust relationships tab, choose Edit trust policy.

  4. Update the trust policy to include rolesanywhere.amazonaws.com as shown below.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "rolesanywhere.amazonaws.com"
                    ]
                },
                "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession",
                    "sts:SetSourceIdentity"
                ],
                "Condition": {
                    "ArnEquals": {
                        "aws:SourceArn": [
                            "arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID"
                        ]
                    }
                }
            }
        ]
    }
    Important

    Without a Condition element in the role trust policy, any valid certificate issued by the CA used as the trust anchor, or by a CA subordinate to it, can be used to assume the role through IAM Roles Anywhere. We recommend that you add Condition statements on both the certificate subject and issuer attributes so that only the certificates you intend to be able to assume the role can do so.

    For information about editing role trust policies, see Modifying a role (console) in the IAM User Guide.
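The following Python is an added example, not code from this guide or from Amazon. It builds the trust policy shown above with the recommended narrowing conditions, and audits an arbitrary trust policy for statements that let the IAM Roles Anywhere service principal assume the role without pinning a trust anchor or constraining the certificate. It assumes the `aws:PrincipalTag/x509Subject/CN` and `aws:PrincipalTag/x509Issuer/CN` condition keys that IAM Roles Anywhere derives from the client certificate; the region, account and trust anchor identifiers are constructed placeholders.

```python
import json

# Constructed placeholder identifiers; substitute your own values.
REGION = "cn-north-1"
ACCOUNT_ID = "123456789012"
TRUST_ANCHOR_ID = "00000000-0000-0000-0000-000000000000"

ROLES_ANYWHERE_PRINCIPAL = "rolesanywhere.amazonaws.com"


def build_trust_policy(region, account_id, trust_anchor_id, subject_cn, issuer_cn,
                       partition="aws"):
    """Return a role trust policy that allows IAM Roles Anywhere to assume the role
    only through one trust anchor and only for certificates whose subject CN and
    issuer CN match. The x509Subject/x509Issuer principal tags are assumed to be the
    session tags IAM Roles Anywhere attaches from the client certificate."""
    trust_anchor_arn = (f"arn:{partition}:rolesanywhere:{region}:{account_id}"
                        f":trust-anchor/{trust_anchor_id}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": [ROLES_ANYWHERE_PRINCIPAL]},
            "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
            "Condition": {
                "ArnEquals": {"aws:SourceArn": [trust_anchor_arn]},
                "StringEquals": {
                    "aws:PrincipalTag/x509Subject/CN": subject_cn,
                    "aws:PrincipalTag/x509Issuer/CN": issuer_cn,
                },
            },
        }],
    }


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return human-readable findings for every Allow statement that lets the
    IAM Roles Anywhere service principal assume the role without a Condition,
    without a trust-anchor pin (aws:SourceArn), or without subject/issuer checks."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if ROLES_ANYWHERE_PRINCIPAL not in services:
            continue
        condition = stmt.get("Condition") or {}
        # Flatten {operator: {key: value}} into the set of condition keys used.
        keys = {key for operator in condition.values() for key in operator}
        if not condition:
            findings.append(f"statement {index}: no Condition; any valid certificate from "
                            f"the trust-anchor CA or its subordinates can assume the role")
            continue
        if "aws:SourceArn" not in keys:
            findings.append(f"statement {index}: not pinned to a trust anchor via aws:SourceArn")
        if not any(k.startswith("aws:PrincipalTag/x509Subject/") for k in keys):
            findings.append(f"statement {index}: no condition on the certificate subject")
        if not any(k.startswith("aws:PrincipalTag/x509Issuer/") for k in keys):
            findings.append(f"statement {index}: no condition on the certificate issuer")
    return findings


# The policy from this page: pinned to a trust anchor but with no subject/issuer check.
PAGE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Principal": { "Service": [ "rolesanywhere.amazonaws.com" ] },
  "Action": [ "sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity" ],
  "Condition": { "ArnEquals": { "aws:SourceArn": [
    "arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID" ] } } } ] }
""")

if __name__ == "__main__":
    hardened = build_trust_policy(REGION, ACCOUNT_ID, TRUST_ANCHOR_ID,
                                  "build-agent.example.internal", "Example Internal CA")
    print(json.dumps(hardened, indent=2))
    for finding in audit_trust_policy(PAGE_POLICY):
        print("finding:", finding)
```

Run `audit_trust_policy` over the trust policies of every role in the account (for example, from an `iam:GetRole` export) to find roles that are reachable from a trust anchor with weaker conditions than the profile you created intends.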

To create a profile
  1. Sign in to the IAM Roles Anywhere console.

  2. Choose Create a profile.

  3. In Profile name, enter a name for the profile.

  4. Under Role, choose the role you updated the trust policy for.

  5. (Optional) Configure session policies by choosing up to 10 managed policies or write an inline policy.

    Session policies limit the permissions for a created session, but do not grant permissions. For more information, see Session policies.
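The following Python is an added example, not code from this guide or from Amazon, that illustrates the "limit but do not grant" rule for session policies with a deliberately simplified model of IAM evaluation (explicit Deny wins, otherwise a matching Allow is required; no condition keys or NotAction handling). The effective permissions of a session created through a profile are modelled as the intersection of the role's permissions policy and the profile's session policy. The bucket name and policies are constructed for the example.

```python
import fnmatch


def _matches(pattern, value):
    """Case-insensitive IAM-style wildcard match (* and ?)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """Simplified evaluation of one identity policy: an explicit Deny that matches
    wins; otherwise the request is allowed only if some Allow statement matches
    both the action and the resource."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def session_allows(role_policy, session_policy, action, resource):
    """A session policy never grants on its own: the request must be allowed by the
    role's permissions policy AND by the session policy."""
    return (policy_allows(role_policy, action, resource)
            and policy_allows(session_policy, action, resource))


# Constructed role permissions policy: broad S3 access to one bucket plus EC2 describe.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::build-artifacts", "arn:aws:s3:::build-artifacts/*"]},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}

# Constructed session policy attached to the profile: read/write objects only, but it
# also "allows" ec2:* which the role itself never granted.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::build-artifacts/*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}

ARTIFACT = "arn:aws:s3:::build-artifacts/release.tgz"

if __name__ == "__main__":
    for action, resource in [("s3:GetObject", ARTIFACT), ("s3:DeleteObject", ARTIFACT),
                             ("ec2:DescribeInstances", "*"), ("ec2:RunInstances", "*")]:
        print(f"{action:22} role={policy_allows(ROLE_POLICY, action, resource)!s:5} "
              f"session={policy_allows(SESSION_POLICY, action, resource)!s:5} "
              f"effective={session_allows(ROLE_POLICY, SESSION_POLICY, action, resource)}")
```

The `s3:DeleteObject` row shows the session policy trimming a permission the role has, while the `ec2:RunInstances` row shows that a permission present only in the session policy is still denied.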

  6. (Optional) Add metadata to the profile by attaching tags as key-value pairs. For more information, see Tagging Amazon resources.

  7. Choose Create a profile.

Next steps

You can now authenticate with IAM Roles Anywhere. Follow the instructions in Obtaining temporary security credentials. Also consider Monitoring with IAM Roles Anywhere subjects.