Using an Intermediate CA with IAM Roles Anywhere

0

I've created a private CA with an intermediate CA signed by the root CA and a user signed by the intermediate. The certs are valid: if I sign a user cert with the root CA, it works and AWS creds are returned; following the exact same process with the user cert signed by the intermediate CA yields a 403 AccessDeniedException.

The intermediate Trust Anchor was created with the cert chain, I've tried with the root above and below the intermediate cert. I've tried with and without a "root" Trust Anchor containing just the root cert.

The documentation doesn't describe the use case I'm attempting to make work, but the aws_signing_helper has an option --intermediates that I've supplied with the full chain, just the intermediate and just the root... all result in the 403.

I am exploring this feature so I can be confident about discussing it with colleagues & customers. The fact that there are no references to intermediate CAs in the docs may well be because this isn't supported, but it'd be nice if the docs reflected that - it doesn't seem an unreasonable use of the IAM Roles Anywhere service?

Thanks in advance for thoughts or guidance from the community.

1 Answer
0

Intermediate CAs are supported by Roles Anywhere. I have successfully tested this with a private CA setup with a Root and Subordinate CA. A chain certificate comprising the Subordinate CA and Root CA was imported into Roles Anywhere as Trust Anchor. Then, an end-entity certificate issued by the Subordinate CA was used to authenticate successfully with Roles Anywhere without the --intermediates option.

AWS
answered 2 years ago
