I have a fully working example in my blog, which demonstrates it with a CA you create using openssl, and a step-by-step for everything.
Ah now I understand what you mean. The answer is found here: https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
Specifically: "Your application makes an authentication request to IAM Roles Anywhere, sending along its public key (encoded in a certificate) and a signature signed by the corresponding private key. Your application also specifies the role to assume in the request. When IAM Roles Anywhere receives the request, it first validates the signature with the public key, then it validates that the certificate was issued by a trust anchor previously configured in the account. For more details, see the signature validation documentation."
Hope this helps
Thank you Zadus for your enthusiasm. However, I don't think it is helpful to copy and paste the text of the blog that I linked to in the very first sentence of my original question.
I have not tried it with a PKI yet. I am planning to try the ACM Private CA first, make sure I get that working, and then move on to try with a custom PKI.
Does Let's Encrypt provide more details?
One thing to add: AWS mentioned the words "CA bundle", and I believe they meant the root CA certificate + any intermediate CA certificate or certificates, all concatenated and BASE64 encoded in one file. This is mentioned here: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaImportCaCert.html
I am not 100% sure if this was your issue, but if the trust anchor is not set up properly, obviously nothing will work. Please let me know if this actually works.
If you try with a real PKI infra, I think it might be easier to set up versus Let's Encrypt, as it will have a domain configured, and all the appropriate CA chain.
Thank you. At this time I think I have reached the limit of my knowledge. We use Let's Encrypt for all our certificates, so I am not sure how they are different from real PKI infrastructure. Obviously, what I am pasting into the trust anchor doesn't include my public key, so it is wrong. But I need help with how to generate the correct CA bundle. I will follow up with support.
That's why I want to play with the free ACM option first (and make sure I get Roles Anywhere working), before I create my own PKI (which requires a domain and all). And like you said, since the feature is literally less than 2 weeks old, not many tutorials are available yet. Let me know if you do figure it out, I would be curious to know what the issue was exactly (note: I am not an AWS employee).
I read yesterday that ACM can be tried out for 30 days for free, so that would make things easier for you to implement and try out: https://aws.amazon.com/certificate-manager/pricing/
--private-key is your own private-key.pem file (it won't be sent to AWS).
Thank you @ZadusPlace. I am pretty sure I know what private key is ;) My point is that for private key to work I need to send public key to the other party - and I don't see a step to do that! I'll play with ACM (thanks for pointing out 30-day free option) - maybe it will give me a clue how to do that; or I will ask support - but I was hoping that there will be some tutorial with external CA. Obviously, it is a new service - so maybe it is still in the works!
Simply put, you need a certificate indicated by --certificate to present to AWS in exchange for access keys. This certificate can be the same as a certificate that you see on this page. But the owner of the certificate will have the private key. This is the parameter --private-key that you must point to. Any certificate has a certificate chain with the root CA at the top of the chain. This chain is the certificate bundle that you need to configure when setting up the trust anchor.
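To make the relationship between --certificate, --private-key and the "CA bundle" concrete, here is an added example (not code from the thread or from AWS) that builds a throwaway two-tier CA with openssl, issues a workload certificate from the intermediate, concatenates the CA certificates into a bundle of the shape described above (root plus intermediate, PEM, root included), and then checks with openssl that the workload certificate actually chains to that bundle and that the private key matches the certificate. All names (test-root-ca, test-intermediate-ca, workload) are made up for the example, and the keys it produces are for testing only.

```shell
#!/bin/sh
# Added example, not from the thread: a test-only CA hierarchy built with openssl.
# Produces, in $WORK:
#   workload.pem   the certificate you would pass as --certificate
#   workload.key   the matching private key for --private-key (never leaves the host)
#   ca-bundle.pem  intermediate + root, PEM-concatenated: the trust anchor bundle
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Issue a certificate from a CSR. $1=csr $2=ext-file $3=out-cert $4=signing options.
sign_csr() {
  # shellcheck disable=SC2086
  openssl x509 -req -in "$1" -extfile "$2" -out "$3" -sha256 $4 >/dev/null 2>&1
}

build_test_pki() {
  cd "$WORK"
  # Root CA: key + CSR, self-signed with CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout root.key \
    -out root.csr -subj "/CN=test-root-ca" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  sign_csr root.csr ca.ext root.pem "-signkey root.key -days 365"

  # Intermediate CA: signed by the root, CA:TRUE, may not issue further CAs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout intermediate.key \
    -out intermediate.csr -subj "/CN=test-intermediate-ca" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  sign_csr intermediate.csr int.ext intermediate.pem \
    "-CA root.pem -CAkey root.key -CAcreateserial -days 365"

  # End-entity (workload) certificate: signed by the intermediate, CA:FALSE.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout workload.key \
    -out workload.csr -subj "/CN=workload" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext
  sign_csr workload.csr leaf.ext workload.pem \
    "-CA intermediate.pem -CAkey intermediate.key -CAcreateserial -days 90"

  # The CA bundle: every CA certificate in the chain, concatenated as PEM.
  # The workload certificate itself does NOT belong in the bundle.
  cat intermediate.pem root.pem > ca-bundle.pem
}

# Sanity check before uploading a bundle: how many certificates does it hold?
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Does the workload certificate chain to the bundle? Prints ok / fail.
verify_chain() {
  if openssl verify -CAfile "$WORK/ca-bundle.pem" "$WORK/workload.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Negative check: a bundle that omits the root cannot complete the chain.
# This is the failure mode of an incomplete trust anchor.
verify_without_root() {
  if openssl verify -CAfile "$WORK/intermediate.pem" "$WORK/workload.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Does --private-key really belong to --certificate? Compare public keys.
key_matches_cert() {
  from_cert=$(openssl x509 -in "$WORK/workload.pem" -noout -pubkey | openssl sha256)
  from_key=$(openssl pkey -in "$WORK/workload.key" -pubout | openssl sha256)
  [ "$from_cert" = "$from_key" ] && echo match || echo mismatch
}

build_test_pki
echo "work dir:                   $WORK"
echo "certificates in bundle:     $(count_certs "$WORK/ca-bundle.pem")"
echo "chain to full bundle:       $(verify_chain)"
echo "chain to intermediate only: $(verify_without_root)"
echo "private key vs certificate: $(key_matches_cert)"
```

The negative check is the useful one when a trust anchor "doesn't work": if verification only succeeds against the full bundle, the bundle you upload must contain the root as well as any intermediates, and the leaf certificate stays out of it.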
It will take me a while to read and understand :) but this is exactly what I was asking! Thank you very much. And needless to say, your point about "for testing purposes only" is very well taken! The bigger part is that I didn't even understand that you need to roll out your own CA, so learning how to get one for test purposes is a major benefit!