Take a look at IAM Roles Anywhere.
But... that post summarizes itself as, "With IAM Roles Anywhere, you can deliver short-term credentials to your on-premises servers, containers, or other compute platforms"
I need credentials for permanently running service daemons. So I need permanent creds, not short-term ones?
The certificate is the long-term credential that allows you to get short-term Access Keys. You can generate thousands of certificates and map those to the IAM role they can assume. You can revoke certificates or change the execution permissions of the role.
But how can those short-term access keys be used in the situation I described in my post? LONG-running (for days) service daemons? Doesn't sound like it will work?
This is where you set up the signing helper in the config file. https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html#credential-helper-examples, https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html#feature-process-credentials-output. The CLI or SDK will refresh those temporary access keys when needed.
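As an added illustration (not code from the thread, from AWS, or from the signing helper), this is the process-credential contract the reply describes: a profile points `credential_process` at `aws_signing_helper`, the helper prints Version 1 JSON with an `Expiration`, and the SDK re-runs the command shortly before that time, which is what lets a daemon keep working for days on a single certificate. The `ProcessCredentials` class, the five-minute refresh margin and the stand-in helper are assumptions made for the example; the profile shown in the comment follows the documented form.

```python
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Real-world profile entry (form taken from the AWS docs the reply links to). The helper
# exchanges the device certificate for temporary keys and prints them as JSON:
#   [profile device]
#   credential_process = aws_signing_helper credential-process --certificate /path/cert.pem \
#       --private-key /path/key.pem --trust-anchor-arn <TRUST_ANCHOR_ARN> \
#       --profile-arn <PROFILE_ARN> --role-arn <ROLE_ARN>
REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken")
REFRESH_MARGIN = timedelta(minutes=5)  # assumption: refresh shortly before expiry


class ProcessCredentials:
    """Caches the output of a credential_process command and re-runs it near expiry."""

    def __init__(self, argv, margin=REFRESH_MARGIN):
        self.argv, self.margin = argv, margin
        self.creds, self.expires, self.runs = None, None, 0

    def _fetch(self):
        out = subprocess.run(self.argv, check=True, capture_output=True, text=True).stdout
        data = json.loads(out)
        if data.get("Version") != 1 or any(k not in data for k in REQUIRED):
            raise ValueError("credential_process output does not match the Version 1 contract")
        exp = data.get("Expiration")  # absent means long-term keys: never refreshed
        self.expires = datetime.fromisoformat(exp.replace("Z", "+00:00")) if exp else None
        self.creds, self.runs = {k: data[k] for k in REQUIRED}, self.runs + 1

    def get(self):
        now = datetime.now(timezone.utc)
        if self.creds is None or (self.expires and now >= self.expires - self.margin):
            self._fetch()
        return self.creds


# Constructed stand-in for aws_signing_helper so the example runs offline: emits fake keys
# whose Expiration is argv[1] seconds from now. The values are not real credentials.
FAKE_HELPER = """
import json, sys
from datetime import datetime, timedelta, timezone
exp = datetime.now(timezone.utc) + timedelta(seconds=int(sys.argv[1]))
print(json.dumps({"Version": 1, "AccessKeyId": "ASIAEXAMPLEFAKE00000",
                  "SecretAccessKey": "fake-secret", "SessionToken": "fake-token",
                  "Expiration": exp.strftime("%Y-%m-%dT%H:%M:%SZ")}))
"""


def fake_helper_argv(ttl_seconds):
    return [sys.executable, "-c", FAKE_HELPER, str(ttl_seconds)]


if __name__ == "__main__":
    provider = ProcessCredentials(fake_helper_argv(3600))
    print(provider.get()["AccessKeyId"], "helper runs:", provider.runs)
```

With a one-hour TTL the cached keys are reused; with a TTL inside the refresh margin every call re-runs the helper, which is the behaviour a long-running daemon relies on.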
Ahhh, I see. This is sounding promising. One grey area left...
Even though I'm using the Amazon built-in CA for the IoT devices, it didn't show up as a target for a trust anchor CA. Seems like I had to create a NEW "Amazon private CA"?
So now I'm seemingly stuck, between "AWS IoT (greengrass) is an easy way to get certs on a device initially, with a provisioning cert", but for the stuff I actually want to do, I'm being pushed towards "Pay more money for the extra, OTHER Amazon CA".
Is there some way to use the same CA that is used by default for the IoT certs with this Roles Anywhere thing?
Or some other way to somehow say "trust IoT certs"?
It doesn't look like that is supported.
Hi, there is no way to use AWS IoT generated certificates with IAM Roles Anywhere. AWS IoT does not provide access to the CA that signs the certificates. AWS IoT certificates are used only for IoT operations (authN/authZ) and not as a fully managed PKI. The options would be to use a fully managed PKI such as Private CA, or to generate certificates from a CA you manage and register them both with AWS IoT and as the trust store for IAM Roles Anywhere.
Ah well. I'll make do. Thanks a lot for the useful replies!
What level of granularity do you need per device? AWS IoT Credential Provider can use the IoT thing name or certificate id as policy variables, while IAM Roles Anywhere is more flexible with parsing the certificate subject. Both endpoints can be called directly without needing AWS IoT Greengrass, but your third party applications will need to deal with credential refresh (which makes the AWS SDKs super helpful).
This sounds similar to something I tried earlier, if not the actual same thing. The problem is I need something where the AWS SDK/runtime will then automatically handle the refresh; otherwise, the third-party apps won't work.