Does AWS Roles Anywhere support keys in an enclave?

Question

AWS Roles anywhere as recently released https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/  appears to use a client tool aws_sigining_helper that takes a parameter of the private key.   Is this code open source? can it be? (I didn't see it on github) because I would like a feature that would enable the key being in an enclave (like with a Mac, or using a Yubikey)
This feature would help in cases where the key material should not leave the device.  (almost all cases IMO)

Answer

Hello,

Greetings from AWS !

The authentication sign process is explained here [1]. You can implement your own code following the process explained in this document [1] to call the CreateSession API of Roles Anywhere. Though there is no sample code from AWS side, I would like to share this third-party document [2] which contains sample code in Python making request to CreateSession API following the signing process explained in [1].

>Note: AWS would not be able to vouch for the integrity of the content being provided in third-party links. Kindly ensure to implement in your test environment first and then to use in your production environment.

That said, there is an existing feature request on making the code open source. While I am unable to comment on if/when this feature may get released, I request you to keep an eye on our [What's New](https://aws.amazon.com/new/) and [Blog pages](https://aws.amazon.com/blogs/aws/) for any new feature announcements.

I believe the information is helpful to you. In case you have any further queries/concerns then please let us know. We will be more than happy to assist you further.

Wish you an AWeSome day ahead and stay safe ! 🙂

--References--

[1] https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html

[2] https://nerdydrunk.info/aws:roles_anywhere

Does AWS Roles Anywhere support keys in an enclave?

Relevant content