I've created a private CA with an intermediate CA signed by the root CA and a user signed by the intermediate. The certs are valid: if I sign a user cert with the root CA, it works and AWS creds are returned; following the exact same process with the user cert signed by the intermediate CA yields a 403 `AccessDeniedException`.
The intermediate Trust Anchor was created with the cert chain, I've tried with the root above and below the intermediate cert. I've tried with and without a "root" Trust Anchor containing just the root cert.
The documentation doesn't describe the use case I'm attempting to make work, but the aws_signing_helper has an option `--intermediates` that I've supplied with the full chain, just the intermediate and just the root... all result in the 403 `AccessDeniedException`.
I am exploring this feature so I can be confident about discussing it with colleagues & customers. The fact that there are no references to intermediate CAs in the docs may well be because this isn't supported, but it'd be nice if the docs reflected that - it doesn't seem a reasonable use of the IAM Roles Anywhere service?
Thanks in advance for thoughts or guidance from the community.
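As an added example (not part of the post above, and not the poster's chain), the offline sanity check I would run on such a root -> intermediate -> leaf setup before suspecting the service: build a throwaway chain with openssl, confirm the leaf verifies with the intermediate as the only trusted cert (no root involved, the situation the post describes), and dump the CA / key-usage extensions of each cert. Subjects, file names and extension values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: build a throwaway root -> intermediate -> leaf
# chain with openssl and sanity-check the case the post describes (intermediate as
# the only trusted cert). All subjects, file names and extensions are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature'

# issue NAME SUBJECT ISSUER EXTENSIONS   (ISSUER=self produces a self-signed root)
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  printf '%s\n' "$4" > "$WORK/$1.ext"
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

build_chain() {
  issue root         '/CN=Example Root CA'         self         "$CA_EXT"
  issue intermediate '/CN=Example Intermediate CA' root         "$CA_EXT"
  issue leaf         '/CN=example-host'            intermediate "$LEAF_EXT"
}

# Verify the leaf with ONLY the intermediate trusted. -partial_chain lets openssl
# stop at a trusted cert that is not self-signed, so the root never enters the check.
leaf_verifies_via_intermediate() {
  if openssl verify -partial_chain -CAfile "$WORK/intermediate.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# has_ext NAME TEXT: does the cert's text dump contain TEXT (e.g. 'CA:TRUE')?
has_ext() {
  if openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$2"
  then echo yes; else echo no; fi
}

build_chain
echo "leaf verifies with intermediate as sole trust anchor: $(leaf_verifies_via_intermediate)"
echo "intermediate CA:TRUE: $(has_ext intermediate 'CA:TRUE')"
echo "intermediate keyCertSign: $(has_ext intermediate 'Certificate Sign')"
echo "leaf digitalSignature: $(has_ext leaf 'Digital Signature')"
```

Point `WORK` at a directory holding your own `intermediate.crt` and `leaf.crt` (skipping `build_chain`) to run the same two checks against the real certs.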