AWS Solutions for Hybrid and Multicloud — Extend AWS credentials anywhere with IAM Roles Anywhere for workloads running outside AWS like GCP and other cloud providers
This is series of personal blogs highlighting some of the AWS Solutions for Hybrid and Multicloud, which span across Data and Analytics, cloud operations, security, observability and much more. This blog is meant to augment the official AWS documentation, to showcase IAM Roles Anywhere enables you to use IAM roles for your applications outside of AWS to access AWS APIs securely, and showcases calling an AWS service like Amazon S3 to a virtual machine outside of AWS, such as the Google Cloud Platform (GCP) without using long-lived/permanent AWS access token and secret key. While this blog showcases GCP, this can be applied to on-prem, colo or other public cloud service providers.
This is a personal blog and written in a point of time and for a specific usecase, please refer to the official documentation on https://docs.aws.amazon.com/ and GCP for the authoritative and final view !!
AWS Identity and Access Management (IAM) has made it easy to use IAM roles for workloads that are running outside of AWS, with the release of IAM Roles Anywhere. This feature extends the capabilities of IAM roles to workloads outside of AWS. IAM Roles Anywhere allows on-premises servers, containers, or applications to securely obtain temporary AWS credentials, eliminating the need for long-term credential management.
Use AWS Identity and Access Management Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same IAM policies and IAM roles that you use with AWS applications to access AWS resources. Using IAM Roles Anywhere means you don’t need to manage long-term credentials for workloads running outside of AWS.
To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by your certificate authority (CA). You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public-key infrastructure (PKI) and IAM Roles Anywhere. You can also use AWS Private Certificate Authority (AWS Private CA) to create a CA and then use that to establish trust with IAM Roles Anywhere. AWS Private CA is a managed private CA service for managing your CA infrastructure and your private certificates.
Objective
There are many reasons AWS customers will be in a situation, where they have applications and infrastructure deployed in a multicloud environment. To enable applications and users which are deployed outside AWS to access AWS services and resources, you need to provide them with valid AWS credentials for making AWS API requests. For workloads running on AWS, you do this by associating an IAM role with Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), or AWS Lambda resources, depending on the compute platform hosting your application. This is secure and convenient, because you don’t have to distribute and manage AWS credentials for applications running on AWS. Instead, the IAM role supplies temporary credentials that applications can use when they make AWS API calls.
IAM Roles Anywhere enables you to use IAM roles for your applications outside of AWS to access AWS APIs securely, the same way that you use IAM roles for workloads on AWS. With IAM Roles Anywhere, you can deliver short-term credentials to your on-premises servers, containers, or other compute platform.
In this blog, we will explain the process of downloading a file from Amazon S3 to a virtual machine outside of AWS, such as the Google Cloud Platform (GCP).
Note: While this blog can be used as reference, please refer to the official documentation and blogs for the latest information. You will incur charges, both on AWS and outside AWS, when you follow these instructions.
Architecture
In this blog, we will download an text file from an Amazon S3 bucket on AWS from a virtual machine running outside AWS, like on the GCP cloud.
Step 1. The application server makes a request to retrieve temporary credentials by using IAM Roles Anywhere.
Step 2. IAM validates the request against the relevant IAM policies and verifies that the certificate was issued by a CA configured as a trust anchor.
Step 3. If the request is valid, AWS Security Token Service (AWS STS) provides temporary credentials that the AWS CLI can use to assume an IAM role.
Step 4. IAM Roles Anywhere returns temporary credentials to the calling entity which resides outside AWS.
Step 5. The AWS CLI running outside AWS, uses these temporary credentials, which have Amazon S3 permissions and downloads the file to the local directory on GCP.
Walkthrough
This blog will leverage the detailed instructions that are already available in the AWS documentation, blogs and workshops.
Step 1 — Setting up of a certificate authority
The details of setting up a certificate authority are explained in the “Deep Dive on AWS IAM Roles Anywhere” workshop. You can either use AWS IAM Roles Anywhere with AWS Private Certificate Authority or an external certificate authority like OpenSSL as a custom CA (Certificate Authority), to generate CSRs (Certificate Signing Request) and issue certificates. We have used an AWS Private Certificate Authority instance in this blog. Please follow the steps from the workshop to setup AWS IAM Roles Anywhere with AWS Private Certificate Authority.
Step 2 IAM Roles Anywhere configuration
This task involves creating a trust anchor, configuring the trust policy of the role that IAM Roles Anywhere is going to assume, and defining the role profile. To specify which roles IAM Roles Anywhere assumes and what your workloads can do with the temporary credentials, you create a profile. In a profile, you can define permissions with IAM managed policies and in this blog we limit the access to a specific bucket within Amazon S3. These activities are performed by the AWS account administrator and can be limited by IAM policies. Please follow the steps from the workshop to create the AWS IAM Roles Anywhere configuration.
Step 3 — Provisioning of certificates outside AWS, in this case in the virtual machine on GCP
This task involves ensuring that the X.509 certificate, signed by the CA, is installed and available on the server, container, or application outside of AWS that needs to authenticate. An infrastructure admin or provisioning actor, typically by using existing automation and configuration management tools performs this in your on-premises environment. In this blog, we copied the X.509 certificates created by the AWS Private Certificate Authority to the virtual machine running on the GCP cloud.
Step 4 — Using IAM Roles Anywhere to access AWS services, like Amazon S3
To access AWS services from the virtual machine on GCP, we will need to install the AWS CLI from AWS. IAM Roles Anywhere provides a credential helper tool that can be used with the process credentials functionality that all current AWS SDKs support. This simplifies the signing process for the applications. See the IAM Roles Anywhere documentation to learn how to download and install the credential helper tool.
There are several ways to use IAM Roles Anywhere to access AWS services and resources from outside AWS — using IAM roles Anywhere credential helper, using the AWS credential file and from within an application using the AWS SDK.
IAM Roles Anywhere credential helper
To get the temporary credentials, run the credential helper tool (aws_signing_helper) manually from the VM outside AWS like GCP, as follows.
./aws_signing_helper credential-process \
- certificate /path/to/certificate.pem \
- private-key /path/to/private-key.pem \
- trust-anchor-arn <TA_ARN> \
- profile-arn <PROFILE_ARN> \
- role-arn <ExampleS3WriteRole_ARN>
Use the temporary credentials in the form of an Access Key ID, a Secret Access Key, and a Session Token as temporary environment variables for your AWS credentials, and then issue calls to AWS from the AWS CLI. For example:
export AWS_ACCESS_KEY_ID=access-key-id-value
export AWS_SECRET_ACCESS_KEY=secret-access-key-value
export AWS_SESSION_TOKEN=session-token-valueOnce that is done you can issue AWS CLI commands. This is not a recommended approach, as this is manual and error-prone.
IAM Roles Anywhere with the AWS credential file
Edit the AWS credential file, ~/.aws/config and call the aws_signing_helper.
AWS CLI commands can now be issued by adding the profile option while issuing the CLI command, without having to manually having set the ACCESS KEY, SECRET KEY and SESSION TOKEN every time.
We could successfully retrieve the file from the Amazon S3 bucket on AWS to the virtual machine running outside AWS, like GCP.
We can monitor the authentications with AWS Identity and Access Management Roles Anywhere subjects, by using Subject Activity tab in the IAM Roles Anywhere console to visualize and audit activities for certificates that are authenticated with IAM Roles Anywhere.
Using IAM Roles Anywhere from an Application
If we need to access AM Roles Anywhere from within the application code, we can leverage the AWS SDK from within the application. More details on SDK approach can be obtained from the “Deep dive on AWS IAM Role Anywhere” workshop.
Additional notes
You can disable the trust anchor in IAM Roles Anywhere to immediately stop new sessions being issued to your resources outside of AWS. Certificate revocation is supported through the use of imported certificate revocation lists (CRLs). You can upload a CRL that is generated from your CA, and certificates used for authentication will be checked for their revocation status. Another consideration, not specific to IAM Roles Anywhere, is to ensure that you have securely stored the private keys on your server with appropriate file system permissions. Please refer to the section on security in the AWS IAM Roles Anywhere user guide.
Hope this was useful. Please contact the AWS account team or myself, if you need more assistance. Thanks 🙏
Resources
- AWS documentation — IAM Roles Anywhere User Guide — https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html
- AWS IAM Roles Anywhere Credential Helper — https://github.com/aws/rolesanywhere-credential-helper
- “Deep dive on AWS IAM Roles Anywhere” workshop — https://catalog.workshops.aws/deep-dive-on-roles-anywhere/en-US
- “Authenticate your on-premises workloads using IAM Roles Anywhere” workshop — https://catalog.us-east-1.prod.workshops.aws/workshops/0d52dff1-c3e1-4e9f-a373-8413e18f13bd/en-US
- AWS blog — “Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere” — https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
- Generic AWS Blog : Jeff Barr’s — AWS and Multicloud: Existing capabilities & continued enhancements
- Generic AWS Blog : Tom Godden — Proven Practices for Developing a Multicloud Strategy
