
Help setting up IAM Roles Anywhere

1

Very excited to read about new AWS Capability; namely, IAM Roles Anywhere. We have a number of on-prem servers, where we would like to copy logs to S3. Now we are using user profiles, which are obviously not the best practice!

I was trying to set it up, and I got confused. The example is using AWS PCS, which is $400/month - a little steep for just trying out. So, obviously, I am trying to use free Let's Encrypt. My understanding is that this is their certificate bundle.

I successfully created Trust anchor (by pasting let's encrypt PEM file); I created a role, and I created a profile. I don't think I missed anything. Now, I am trying to obtain temporary security credentials, as described here.

./aws_signing_helper credential-process \
    --certificate <path to certificate PEM> \
    --private-key <path to private key PEM> \
    --profile-arn <profile ARN> \
    --role-arn <role ARN> \
    --trust-anchor-arn <trust anchor ARN>

profile, role, and trust-anchor are clear. I assume certificate is the path to the file that I pasted into the trust. But what is private-key? I never saw instructions to upload any public key to AWS - so it doesn't make sense.

Obviously, I am getting an error - AccessDeniedException: Untrusted certificate. Insufficient certificate. Maybe I misunderstand what needs to be pasted in trust anchor? Is there some guidance for trust from external certificate bundle?

Thank you! I feel I am close...

PS. I feel that it is a generic question; so broader community can benefit; and it is not urgent since we are using user credentials now - but let me know if it should be better directed to support! PPS. Please consider adding "Roles Anywhere" as a new tag

asked 4 years ago · 10.9K views
2 Answers
3
Accepted Answer

I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything.

check it out: https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be

answered 3 years ago
  • It will take me a while to read and understand :) but this is exactly what I was asking! Thank you very much. And needless to say, your point about "for testing purposes only" is very well taken! Bigger part, I didn't even understand that you need to roll out your own CA, so learning how to get one for test purposes is a major benefit!

0

Simply put, you need a certificate indicated by --certificate to present to AWS in exchange for access keys. This certificate can be the same as a certificate that you see on this page. But the owner of the certificate will have the private key. This is the parameter --private-key that you must point to. Any certificate has a certificate chain with the root CA at the top of the chain. This chain is the certificate bundle that you need to configure when setting up the trust anchor.

answered 3 years ago
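The three files the answer above describes (CA bundle for the trust anchor, end-entity certificate for --certificate, that certificate's private key for --private-key) can be seen side by side with a throwaway CA. The script below is an added example, not code from this thread or from the linked blog: it builds a test CA with openssl, issues one certificate from it, checks that the certificate chains to the CA and that the key belongs to the certificate, and prints the credential-process command with the paths filled in. It assumes a POSIX shell with openssl 1.1.1 or newer; the working directory, hostnames and the three ARNs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): a test CA and one client
# certificate, mirroring the roles of the three files IAM Roles Anywhere uses.
#   trust anchor  = the CA certificate (ca.pem) you paste into the console
#   --certificate = an end-entity certificate issued by that CA
#   --private-key = the private key of that end-entity certificate
# All paths under $WORKDIR and all ARNs are constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_test_ca DIR : self-signed CA certificate + key; ca.pem is the trust-anchor bundle
make_test_ca() {
  dir="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Roles Anywhere Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
}

# make_server_cert DIR NAME : key pair for one on-prem host, CSR, CA-signed certificate
make_server_cert() {
  dir="$1"; name="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  # Roles Anywhere expects an end-entity certificate with digitalSignature key usage
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nsubjectKeyIdentifier=hash\n' > "$dir/$name.ext"
  openssl x509 -req -sha256 -days 7 -in "$dir/$name.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# chain_ok BUNDLE CERT : exit 0 when CERT validates against BUNDLE, non-zero otherwise.
# A certificate from any other CA fails here, which is the "Untrusted certificate"
# situation: the trust anchor must contain the CA that actually issued the certificate.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT : exit 0 when the private key belongs to the certificate
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# credential_process_cmd DIR NAME : the aws_signing_helper call with each path filled in.
# The ARNs are placeholders; substitute the profile, role and trust anchor from your account.
credential_process_cmd() {
  dir="$1"; name="$2"
  printf '%s\n' "./aws_signing_helper credential-process \\" \
    "    --certificate $dir/$name.pem \\" \
    "    --private-key $dir/$name.key \\" \
    "    --profile-arn arn:aws:rolesanywhere:REGION:ACCOUNT_ID:profile/PROFILE_ID \\" \
    "    --role-arn arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME \\" \
    "    --trust-anchor-arn arn:aws:rolesanywhere:REGION:ACCOUNT_ID:trust-anchor/TRUST_ANCHOR_ID"
}

# Demo run: every file lives under the constructed $WORKDIR
make_test_ca "$WORKDIR"
make_server_cert "$WORKDIR" onprem-host-1
chain_ok "$WORKDIR/ca.pem" "$WORKDIR/onprem-host-1.pem"
key_matches_cert "$WORKDIR/onprem-host-1.key" "$WORKDIR/onprem-host-1.pem"
echo "trust anchor bundle: $WORKDIR/ca.pem"
credential_process_cmd "$WORKDIR" onprem-host-1
```

The two checks are the ones worth running before touching AWS: `chain_ok` is the same validation the service performs against the trust anchor, and `key_matches_cert` catches the case of pointing --private-key at a key that does not belong to the certificate. Pasting a public CA bundle such as Let's Encrypt's into the trust anchor only helps if you also hold a certificate issued by that CA together with its private key; for a test, a CA you control is the simplest way to have all three files.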
