{"id":137,"date":"2022-09-06T21:07:50","date_gmt":"2022-09-06T21:07:50","guid":{"rendered":"https:\/\/vasanthselvaraj.com\/?p=137"},"modified":"2023-01-13T22:39:41","modified_gmt":"2023-01-13T22:39:41","slug":"aws-iam-roles-anywhere","status":"publish","type":"post","link":"https:\/\/vasanthselvaraj.com\/?p=137","title":{"rendered":"AWS IAM Roles Anywhere &#8211; Part 1"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>AWS recently released IAM Roles Anywhere, a well thought out feature that is recommended instead of long-term access keys for workloads. In short, AWS IAM Roles Anywhere is based on X.509 certificates: it establishes a trust between your PKI and IAM.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why do I have to use AWS IAM Roles Anywhere?<\/h2>\n\n\n\n<p>Historically, on-premise workloads access AWS resources via long-term access keys. One common requirement is access to an S3 bucket to upload and download artefacts, but long-lived keys increase the likelihood of a compromised key.<\/p>\n\n\n\n<p>AWS IAM Roles Anywhere helps mitigate this risk by providing short-term credentials.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configure AWS IAM Roles Anywhere with an External CA<\/h2>\n\n\n\n<p>The following steps are involved in the setup:<\/p>\n\n\n\n<ul><li>Create a CA (an existing CA will do; AWS ACM Private CA is also an option)<\/li><li>Create a Trust Anchor (establishes the trust between the PKI and AWS IAM)<\/li><li>Create and configure a role that trusts IAM Roles Anywhere<\/li><li>Create a Profile to use with IAM Roles Anywhere<\/li><li>Create an entity certificate and sign it with the root CA<\/li><li>Test AWS IAM Roles Anywhere<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Create CA<\/h2>\n\n\n\n<p>For demonstration purposes, a self-signed root CA is used. <code>Avoid self-signed certs in real environments because they are difficult to maintain<\/code>.<\/p>\n\n\n\n<p>CFSSL is used to create and sign the CA; another option is OpenSSL, following this link https:\/\/docs.microsoft.com\/en-us\/azure\/application-gateway\/self-signed-certificates<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>Download the cfssl and cfssljson binaries from this GitHub repository: https:\/\/github.com\/cloudflare\/cfssl<\/p><cite>CloudFlare SSL<\/cite><\/blockquote>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-2\">\n<div class=\"wp-block-column is-vertically-aligned-top is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"wp-block-preformatted has-white-color has-black-background-color has-text-color has-background\">{\n  \"CN\": \"Demo Root Certificate Authority\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"Test\",\n      \"L\": \"Hello World\",\n      \"O\": \"Internal\"\n    }\n  ],\n  \"ca\": {\n    \"expiry\": \"87600h\"\n  }\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<pre class=\"wp-block-code\"><code>cfssl genkey -initca csr.json | cfssljson -bare ca<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Create Trust Anchor<\/h2>\n\n\n\n<p>Upload ca.pem to IAM Roles Anywhere, selecting the External certificate bundle option. AWS IAM Roles Anywhere is found at the bottom of the AWS IAM Roles screen.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"808\" height=\"754\" src=\"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image.png\" alt=\"external ca\" class=\"wp-image-139\" srcset=\"https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image.png 808w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image-300x280.png 300w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image-768x717.png 768w\" sizes=\"(max-width: 808px) 100vw, 808px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Create and configure a role that trusts IAM Roles Anywhere<\/h2>\n\n\n\n<p>The trust policy allows the IAM Roles Anywhere service principal to assume the role; the workload can then access AWS resources based on the permissions attached to the role.<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"Service\": \"rolesanywhere.amazonaws.com\"\n            },\n            \"Action\": [\n                \"sts:AssumeRole\",\n                \"sts:SetSourceIdentity\",\n                \"sts:TagSession\"\n            ]\n        }\n    ]\n}<\/code><\/pre>\n\n\n\n<p><a href=\"https:\/\/aws.amazon.com\/blogs\/security\/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/aws.amazon.com\/blogs\/security\/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.aws.amazon.com\/rolesanywhere\/latest\/userguide\/trust-model.html#trust-policy\">https:\/\/docs.aws.amazon.com\/rolesanywhere\/latest\/userguide\/trust-model.html#trust-policy<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Create profile to use IAM Roles Anywhere<\/h2>\n\n\n\n<p>A profile lists the roles that a certificate-authenticated workload may assume and can optionally attach session policies.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"843\" height=\"628\" src=\"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image-1.png\" alt=\"profile\" class=\"wp-image-140\" srcset=\"https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image-1.png 843w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image-1-300x223.png 300w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image-1-768x572.png 768w\" sizes=\"(max-width: 843px) 100vw, 843px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Create an Entity Certificate and sign with root CA<\/h2>\n\n\n\n<p>Generate a key and CSR for the entity certificate (using a csr.json that describes the entity's subject) and then sign it with the CA created previously.<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>cfssl genkey csr.json | cfssljson -bare signcsr<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code><em><strong>openssl req -text -noout -verify -in signcsr.csr<\/strong><\/em>\nverify OK\nCertificate Request:\n    Data:\n        Version: 0 (0x0)\n        Subject: C=US, ST=California, L=San Francisco, O=Internet Widgets, Inc., OU=WWW, CN=demo_test\n        Subject Public Key Info:\n            Public Key Algorithm: rsaEncryption\n                Public-Key: (2048 bit)<\/code><\/pre>\n\n\n\n<p>Sign the entity certificate using ca.pem and its private key ca-key.pem:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>cfssl sign -ca ca.pem -ca-key ca-key.pem signcsr.csr | jq -r '.cert' &gt; cert.pem<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code><strong><em>openssl x509 -in cert.pem -text -noout<\/em><\/strong>\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            1a:3e:66:1e:c3:17:f6:a4:42:81:cb:67:41:f2:dc:f2:03:7e:09:81\n    Signature Algorithm: sha256WithRSAEncryption\n        Issuer: C=Test, L=Hello World, O=Internal, CN=Demo Root Certificate Authority\n        Validity\n            Not Before: Sep  5 01:58:00 2022 GMT\n            Not After : Sep  5 01:58:00 2023 GMT\n        Subject: C=US, ST=California, L=San Francisco, O=Internet Widgets, Inc., OU=WWW, CN=demo_test\n        Subject Public Key Info:\n            Public Key Algorithm: rsaEncryption\n                Public-Key: (2048 bit)<\/code><\/pre>\n\n\n\n<p>The AWS signing helper (aws_signing_helper) obtains temporary credentials from AWS using the signed certificate and its private key. Configure it as a credential_process in the AWS CLI profile:<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.aws.amazon.com\/rolesanywhere\/latest\/userguide\/credential-helper.html\">https:\/\/docs.aws.amazon.com\/rolesanywhere\/latest\/userguide\/credential-helper.html<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>[profile demo]\ncredential_process = \/home\/ec2-user\/iam-roles-anywhere\/aws_signing_helper credential-process --certificate \/home\/ec2-user\/self-signed-certs\/demo\/cert.pem --private-key \/home\/ec2-user\/self-signed-certs\/demo\/signcsr-key.pem --trust-anchor-arn REPLACEME --profile-arn REPLACEME --role-arn REPLACEME<\/code><\/pre>\n\n\n\n<p>Test that the profile yields credentials for the role:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>export AWS_PROFILE=demo\naws sts get-caller-identity<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Advanced Scenarios<\/h2>\n\n\n\n<p>Fine-grained access to the IAM role can be enforced with a condition in the trust policy. With the condition below, only a certificate whose subject has <code>CN=demo_test<\/code> can assume the role.<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"Service\": \"rolesanywhere.amazonaws.com\"\n            },\n            \"Action\": [\n                \"sts:AssumeRole\",\n                \"sts:TagSession\",\n                \"sts:SetSourceIdentity\"\n            ],\n<strong><em>            \"Condition\": {\n                \"StringEquals\": {\n                    \"aws:PrincipalTag\/x509Subject\/CN\": \"demo_test\"\n                }\n            }<\/em><\/strong>\n        }\n    ]\n}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>AWS IAM Roles Anywhere is backed by PKI and is the recommended approach for workloads outside of AWS to obtain short-term credentials.<\/p>\n\n\n\n<figure class=\"wp-block-pullquote\" style=\"font-size:10px\"><blockquote><p>&#8220;Views Expressed&#8221; Disclaimer<\/p><p>This disclaimer&nbsp;informs readers that the views, thoughts, and opinions expressed in the text belong solely to&nbsp;me.<\/p><\/blockquote><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Introduction AWS recently released IAM Roles Anywhere, a well thought out feature that is recommended instead of long-term access keys for workloads. In short, AWS IAM Roles Anywhere is based on X.509 certificates: it establishes a trust between your PKI and IAM. Why do I have to use AWS IAM Roles Anywhere? 
Historically on-premise workloads&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0},"categories":[8,4,5],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>AWS IAM Roles Anywhere - Part 1 - Vasanth Selvaraj<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/vasanthselvaraj.com\/?p=137\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AWS IAM Roles Anywhere - Part 1 - Vasanth Selvaraj\" \/>\n<meta property=\"og:description\" content=\"Introduction AWS recently released the IAM Roles Anywhere and its well thought and recommended feature instead of using Long term access keys for workloads. In short, AWS IAM Roles anywhere is based on x.509 certs by creating the trust between PKI and IAM. Why I have to use AWS IAM Roles Anywhere? 
Historically on-premise workloads...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/vasanthselvaraj.com\/?p=137\" \/>\n<meta property=\"og:site_name\" content=\"Vasanth Selvaraj\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-06T21:07:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-01-13T22:39:41+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image.png\" \/>\n<meta name=\"author\" content=\"VS\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"VS\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=137\",\"url\":\"https:\/\/vasanthselvaraj.com\/?p=137\",\"name\":\"AWS IAM Roles Anywhere - Part 1 - Vasanth Selvaraj\",\"isPartOf\":{\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#website\"},\"datePublished\":\"2022-09-06T21:07:50+00:00\",\"dateModified\":\"2023-01-13T22:39:41+00:00\",\"author\":{\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d\"},\"breadcrumb\":{\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=137#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/vasanthselvaraj.com\/?p=137\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=137#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/box2411.temp.domains\/~vasselva\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AWS IAM Roles Anywhere &#8211; Part 
1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#website\",\"url\":\"https:\/\/box2411.temp.domains\/~vasselva\/\",\"name\":\"Vasanth Selvaraj\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/box2411.temp.domains\/~vasselva\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d\",\"name\":\"VS\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g\",\"caption\":\"VS\"},\"url\":\"https:\/\/vasanthselvaraj.com\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"AWS IAM Roles Anywhere - Part 1 - Vasanth Selvaraj","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/vasanthselvaraj.com\/?p=137","og_locale":"en_US","og_type":"article","og_title":"AWS IAM Roles Anywhere - Part 1 - Vasanth Selvaraj","og_description":"Introduction AWS recently released the IAM Roles Anywhere and its well thought and recommended feature instead of using Long term access keys for workloads. In short, AWS IAM Roles anywhere is based on x.509 certs by creating the trust between PKI and IAM. Why I have to use AWS IAM Roles Anywhere? 
Historically on-premise workloads...","og_url":"https:\/\/vasanthselvaraj.com\/?p=137","og_site_name":"Vasanth Selvaraj","article_published_time":"2022-09-06T21:07:50+00:00","article_modified_time":"2023-01-13T22:39:41+00:00","og_image":[{"url":"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/09\/image.png"}],"author":"VS","twitter_card":"summary_large_image","twitter_misc":{"Written by":"VS","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/vasanthselvaraj.com\/?p=137","url":"https:\/\/vasanthselvaraj.com\/?p=137","name":"AWS IAM Roles Anywhere - Part 1 - Vasanth Selvaraj","isPartOf":{"@id":"https:\/\/box2411.temp.domains\/~vasselva\/#website"},"datePublished":"2022-09-06T21:07:50+00:00","dateModified":"2023-01-13T22:39:41+00:00","author":{"@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d"},"breadcrumb":{"@id":"https:\/\/vasanthselvaraj.com\/?p=137#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/vasanthselvaraj.com\/?p=137"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/vasanthselvaraj.com\/?p=137#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/box2411.temp.domains\/~vasselva"},{"@type":"ListItem","position":2,"name":"AWS IAM Roles Anywhere &#8211; Part 1"}]},{"@type":"WebSite","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#website","url":"https:\/\/box2411.temp.domains\/~vasselva\/","name":"Vasanth Selvaraj","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/box2411.temp.domains\/~vasselva\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d","name":"VS","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g","caption":"VS"},"url":"https:\/\/vasanthselvaraj.com\/?author=1"}]}},"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/137"}],"collection":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=137"}],"version-history":[{"count":5,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/137\/revisions"}],"predecessor-version":[{"id":210,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/137\/revisions\/210"}],"wp:attachment":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}