Help setting up IAM Roles Anywhere

1

Very excited to read about new AWS Capability; namely, IAM Roles Anywhere. We have a number of on-prem servers, where we would like to copy logs to S3. Now we are using user profiles, which are obviously not the best practice!

I was trying to set it up, and I got confused. The example is using AWS PCS, which is $400/month - a little steep for just trying out. So, obviously, I am trying to use free Let's Encrypt. My understanding is that this is their certificate bundle.

I successfully created a trust anchor (by pasting the Let's Encrypt PEM file); I created a role, and I created a profile. I don't think I missed anything. Now, I am trying to obtain temporary security credentials, as described here.

./aws_signing_helper credential-process \
    --certificate \
    --private-key \
    --profile-arn \
    --role-arn \
    --trust-anchor-arn

profile, role, and trust-anchor are clear. I assume certificate is the path to the file that I pasted into the trust. But what is private-key? I never saw instructions to upload any public key to AWS - so it doesn't make sense.

Obviously, I am getting an error - AccessDeniedException: Untrusted certificate. Insufficient certificate. Maybe I misunderstand what needs to be pasted in trust anchor? Is there some guidance for trust from external certificate bundle?

Thank you! I feel I am close...

PS. I feel that it is a generic question; so broader community can benefit; and it is not urgent since we are using user credentials now - but let me know if it should be better directed to support! PPS. Please consider adding "Roles Anywhere" as a new tag

virshu
asked 2 years ago, 4268 views
5 Answers
3
Accepted Answer

I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything.

check it out: https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be

royb
answered 2 years ago
  • It will take me a while to read and understand :) but this is exactly what I was asking! Thank you very much. And needless to say, your point about "for testing purposes only" is very well taken! For the bigger part, I didn't even understand that you need to roll out your own CA, so learning how to get one for test purposes is a major benefit!

1

Ah now I understand what you mean. The answer is found here: https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

Specifically: "Your application makes an authentication request to IAM Roles Anywhere, sending along its public key (encoded in a certificate) and a signature signed by the corresponding private key. Your application also specifies the role to assume in the request. When IAM Roles Anywhere receives the request, it first validates the signature with the public key, then it validates that the certificate was issued by a trust anchor previously configured in the account. For more details, see the signature validation documentation."

Hope this helps

answered 2 years ago
  • Thank you Zadus for your enthusiasm. However, I don't think it is helpful to copy and paste the text of the blog that I linked to in the very first sentence of my original question.

  • I have not tried it with a PKI yet. I am planning to try the ACM Private CA first, make sure I get that working, and then move on to try with a custom PKI.

    Does Let's Encrypt provide more details?

0

One thing to add: AWS mentioned the words "CA bundle", and I believe they meant the root CA certificate + any intermediate CA certificate or certificates, all concatenated and BASE64 encoded in one file. This is mentioned here: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaImportCaCert.html

I am not 100% sure if this was your issue, but if the trust anchor is not set up properly, obviously nothing will work. Please let me know if this actually works.

If you try with a real PKI infra, I think it might be easier to set up versus Let's Encrypt, as it will have a domain configured, and all the appropriate CA chain.

answered 2 years ago
  • Thank you. At this time I think I have reached the limit of my knowledge. We use Let's Encrypt for all our certificates, so I am not sure how they are different from real PKI infrastructure. Obviously, what I am pasting into the trust anchor doesn't include my public key, so it is wrong. But I need help with how to generate the correct CA bundle. I will follow up with support.

  • That's why I want to play with the free ACM option first (and make sure I get Roles Anywhere working), before I create my own PKI (which requires a domain and all). And like you said, since the feature is literally less than 2 weeks old, not many tutorials are available yet. Let me know if you do figure it out, I would be curious to know what the issue was exactly (note: I am not an AWS employee).

0

I read yesterday that ACM can be tried out for 30 days for free, so that would make things easier for you to implement and try out: https://aws.amazon.com/certificate-manager/pricing/

--private-key is your own private-key.pem file (it won't be sent to AWS).

answered 2 years ago
  • Thank you @ZadusPlace. I am pretty sure I know what a private key is ;) My point is that for the private key to work I need to send the public key to the other party - and I don't see a step to do that! I'll play with ACM (thanks for pointing out the 30-day free option) - maybe it will give me a clue how to do that; or I will ask support - but I was hoping that there would be some tutorial with an external CA. Obviously, it is a new service - so maybe it is still in the works!

0

Simply put, you need a certificate indicated by --certificate to present to AWS in exchange for access keys. This certificate can be the same as a certificate that you see on this page. But the owner of the certificate will have the private key. This is the parameter --private-key that you must point to. Any certificate has a certificate chain with the root CA at the top of the chain. This chain is the certificate bundle that you need to configure when setting up the trust anchor.

Viper25
answered a year ago
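
The relationship the answers above describe, as an added example that is not from the thread or from AWS: a throwaway CA made with the openssl CLI, one end-entity certificate issued by it, and local checks that the certificate chains to the CA bundle and that the private key matches the public key inside the certificate. All file names, subject names, key sizes and extension values are constructed assumptions, and the CA is for testing only.

```shell
#!/bin/sh
# Added example. File names, subject names and key sizes are constructed.

write_cnf() {  # $1 = config path, $2 = common name (no system openssl.cnf needed)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' "CN=$2" \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$1"
}

# Self-signed test CA. ca.pem is the CA bundle for the trust anchor;
# ca.key stays with the CA and is never given to the servers.
make_ca() {  # $1 = CA dir, $2 = CA common name
    mkdir -p "$1" && write_cnf "$1/ca.cnf" "$2" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/ca.cnf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# End-entity certificate for one server, signed by the CA.
# leaf.pem is what --certificate points to, leaf.key what --private-key points to.
issue_leaf() {  # $1 = CA dir, $2 = host dir
    mkdir -p "$2" && write_cnf "$2/leaf.cnf" "onprem-log-shipper" &&
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' > "$2/leaf.ext" &&
    openssl req -new -newkey rsa:2048 -nodes -config "$2/leaf.cnf" \
        -keyout "$2/leaf.key" -out "$2/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$2/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$2/leaf.ext" \
        -out "$2/leaf.pem" 2>/dev/null
}

# Does the certificate chain to the bundle configured as the trust anchor?
chain_ok() {  # $1 = CA bundle, $2 = end-entity certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the public key embedded in the certificate?
key_matches() {  # $1 = certificate, $2 = private key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo=$(mktemp -d)
make_ca "$demo/ca" "Example Test CA" && make_ca "$demo/other" "Unrelated CA"
issue_leaf "$demo/ca" "$demo/host"
chain_ok "$demo/ca/ca.pem" "$demo/host/leaf.pem" && echo "leaf chains to its CA"
chain_ok "$demo/other/ca.pem" "$demo/host/leaf.pem" || echo "leaf rejected by other CA"
key_matches "$demo/host/leaf.pem" "$demo/host/leaf.key" && echo "key matches certificate"
rm -rf "$demo"
```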
