Are you managing cloud infrastructure but need a secure way to access AWS resources from outside the AWS environment? AWS IAM Roles Anywhere has you covered! This feature enables you to assume IAM roles using X.509 certificates, eliminating the need for long-term AWS credentials. Let’s dive into how you can set this up, step by step.
What is AWS IAM Roles Anywhere?
Imagine you’re working with on-premises servers, CI/CD pipelines, or even IoT devices, and you need these to interact securely with AWS services. IAM Roles Anywhere allows these external systems to assume IAM roles without storing static access keys. It’s like giving your non-AWS workloads temporary AWS credentials but with extra layers of security.
Why Create Your Own Certificate Authority (CA)?
AWS provides services like Private Certificate Manager (ACM Private CA) to manage certificates, but these services can be expensive for smaller setups or learning environments. Creating your own CA gives you control over the certificate lifecycle without incurring additional AWS costs.
A Certificate Authority (CA) is the foundation of trust in a secure system. It issues certificates that prove the identity of your workloads. By creating your own Root CA, you establish a trusted entity that AWS can verify.
Prerequisites
Before we start, ensure you have the following:
AWS CLI installed and configured.
OpenSSL installed on your local machine.
Proper IAM permissions to create roles and trust anchors in AWS.
IAM role with the following permissions to manage Route 53:
IAM Policy for Route 53
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:ListHostedZones"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "route53:ListHostedZonesByName",
"Resource": "*"
}
]
}
Trust Relationship for IAM Role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "rolesanywhere.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession"
]
}
]
}
This IAM role is essential for enabling DNS management through Route 53 when creating a profile in AWS IAM Roles Anywhere.
Let’s Build It Step-by-Step:
Step 1: Create a Root Certificate Authority (CA)
The Root CA will be the anchor of trust for your setup. Here’s how to create it:
Generate the private key for your CA:
$ openssl genrsa -out privateRootCA.key 2048
# Explanation:
# genrsa: Generates an RSA private key.
# -out privateRootCA.key: Saves the private key to a file named privateRootCA.key.
Create a self-signed certificate for your Root CA:
$ openssl req -x509 -new -nodes -key privateRootCA.key -sha256 -days 365 -out privateRootCA.pem \
-subj "/C=IN/O=Learning DevOps" \
-addext "basicConstraints=critical,CA:TRUE" \
-addext "keyUsage=critical,keyCertSign,cRLSign"
# Explanation:
# req: Generates a certificate signing request or self-signed certificate.
# -x509: Creates a self-signed certificate instead of a CSR.
# -key privateRootCA.key: Uses the private key you just generated.
# -days 365: Makes the certificate valid for 365 days.
# -subj: Provides the certificate's subject details (country, organization, etc.).
# -addext: Adds certificate extensions, marking it as a CA capable of signing certificates.
This step creates two files:
privateRootCA.key: The private key for your Root CA (keep this secure).
privateRootCA.pem: The self-signed certificate that AWS will trust.
Step 2: Create a Trust Anchor in AWS
The trust anchor connects your Root CA with AWS IAM Roles Anywhere.
Upload the Root CA certificate to AWS:
$ aws rolesanywhere create-trust-anchor \
--name "MyTrustAnchor" \
--source "sourceType=CERTIFICATE_BUNDLE,sourceData={x509CertificateData=\"$(cat privateRootCA.pem)\"}"
# Explanation:
# create-trust-anchor: Creates a trust anchor in AWS.
# --source: Specifies the source type and data (your Root CA certificate).
Run this command to verify:
$ aws rolesanywhere list-trust-anchors
You should see your newly created trust anchor listed.
Step 3: Create a Client Certificate
Your external systems will use this certificate to authenticate.
Generate the private key for the client:
$ openssl genrsa -out client.key 2048
Generate the certificate signing request (CSR):
$ openssl req -new -key client.key -out client.csr -config <(\
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = IN
O = Learning DevOps
CN = ClientCert
[v3_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
)
# Explanation:
# -new: Creates a new CSR.
# -key client.key: Uses the client's private key.
# -config: Provides the certificate configuration inline.
Sign the client certificate with the Root CA:
$ openssl x509 -req -in client.csr -CA privateRootCA.pem -CAkey privateRootCA.key -CAcreateserial \
-out client.crt -days 365 -sha256 -extfile <(echo -e "basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth")
# Explanation:
# x509: Creates an X.509 certificate.
# -CA privateRootCA.pem: Specifies the Root CA certificate.
# -CAkey privateRootCA.key: Specifies the Root CA private key.
# -CAcreateserial: Automatically generates a serial number for the client certificate.
# -out client.crt: Specifies the output client certificate file.
Step 4: Create a Profile in AWS
Profiles define which IAM roles external systems can assume.
$ aws rolesanywhere create-profile \
--name "TestProfile" \
--role-arns "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<RoleName>" \
--trust-anchor-arn "arn:aws:rolesanywhere::<AWS_REGION>::trust-anchor/<TrustAnchorID>" \
--enabled
# Explanation:
# create-profile: Creates a profile in AWS.
# --role-arns: Arn of the role we created in the prerequisites section.
# --trust-anchor-arn: Links the profile to your trust anchor.
Verify your profiles:
$ aws rolesanywhere list-profiles
Step 5: Install AWS Signing Helper
The AWS Signing Helper simplifies signing API requests using your certificates.
Download and install it:
$ curl -O https://rolesanywhere.amazonaws.com/releases/1.4.0/X86_64/Linux/aws_signing_helper
$ chmod +x aws_signing_helper
$ sudo mv aws_signing_helper /usr/local/bin/
Step 6: Assume a Role Using the Client Certificate
Run the signing helper to fetch temporary credentials:
$ aws_signing_helper credential-process \
--trust-anchor-arn arn:aws:roles anywhere:ap-south-1:<Account_ID>:trust-anchor/<TrustAnchorID> \
--role-arn arn:aws:iam::<Account_ID>:role/<RoleName> \
--profile-arn arn:aws:rolesanywhere:ap-south-1:<Account_ID>:profile/<ProfileID> \
--certificate client.crt \
--private-key client.key
# Explanation:
# credential-process: Fetches temporary credentials for AWS.
# --certificate: Specifies the client certificate.
# --private-key: Specifies the client’s private key.
Export the credentials:
$ export AWS_ACCESS_KEY_ID=<AccessKeyIdFromOutput>
$ export AWS_SECRET_ACCESS_KEY=<SecretAccessKeyFromOutput>
$ export AWS_SESSION_TOKEN=<SessionTokenFromOutput>
Verify access:
$ aws route53 list-hosted-zones
Congratulations! You’ve securely accessed AWS resources from outside the AWS environment.
Wrapping Up
AWS IAM Roles Anywhere is a powerful tool for hybrid and on-premises setups. Securely linking your external workloads to AWS can eliminate static credentials and improve security.
Happy learning!
Thank you for reading!
Feel free to explore my articles for fascinating perspectives and useful suggestions. Let’s connect on LinkedIn. I’m eager to hear your thoughts and delve deeper into any discussions!
Top comments (0)