Providing access for non AWS workloads - AWS Identity and Access Management


An IAM role is an object in AWS Identity and Access Management (IAM) that is assigned permissions. When you assume that role using an IAM identity or an identity from outside of AWS, it provides you with temporary security credentials for your role session. You might have workloads running in your data center or other infrastructure outside of AWS that need to access your AWS resources. Instead of creating, distributing, and managing long-term access keys, you can use AWS Identity and Access Management Roles Anywhere (IAM Roles Anywhere) to authenticate your non-AWS workloads. IAM Roles Anywhere uses X.509 certificates issued by your certificate authority (CA) to authenticate identities and securely provide access to AWS services with the temporary credentials of an IAM role.

To use IAM Roles Anywhere, you set up a CA using AWS Private Certificate Authority or use a CA from your own PKI infrastructure. After you have set up a CA, you create an object in IAM Roles Anywhere called a trust anchor to establish trust between IAM Roles Anywhere and your CA for authentication. You can then configure your existing IAM roles, or create new roles, to trust the IAM Roles Anywhere service. When your non-AWS workloads authenticate with IAM Roles Anywhere using the trust anchor, they can get temporary credentials for your IAM roles to access your AWS resources.
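The step above where a role is configured to trust the IAM Roles Anywhere service is where scoping matters: a trust policy that names the service principal without a condition on the trust anchor lets any trust anchor in the account mint credentials for that role. The following Python is an added example, not code from the AWS documentation; it builds a trust policy pinned to one trust anchor (and optionally one certificate CN) and audits existing policies for the unpinned case. The trust-anchor ARN, account id and CN are constructed placeholders.

```python
"""Build and audit IAM role trust policies for IAM Roles Anywhere.
Added example, not AWS documentation code; the ARN, account id and CN are
constructed placeholders."""

ROLES_ANYWHERE = "rolesanywhere.amazonaws.com"
# Actions the Roles Anywhere service needs the role's trust policy to allow.
REQUIRED_ACTIONS = ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]
PIN_OPERATORS = ("ArnEquals", "ArnLike", "StringEquals", "StringLike")


def trust_policy(trust_anchor_arn, subject_cn=""):
    """Trust policy that only lets workloads authenticated through one specific
    trust anchor (and optionally one certificate CN) assume the role."""
    condition = {"ArnEquals": {"aws:SourceArn": trust_anchor_arn}}
    if subject_cn:
        # Roles Anywhere exposes certificate fields as principal tags.
        condition["StringEquals"] = {"aws:PrincipalTag/x509Subject/CN": subject_cn}
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": ROLES_ANYWHERE},
                           "Action": REQUIRED_ACTIONS,
                           "Condition": condition}]}


def audit(policy):
    """Flag Allow statements that trust Roles Anywhere without pinning a trust
    anchor; without aws:SourceArn, any trust anchor in the account can assume."""
    findings = []
    stmts = policy.get("Statement", [])
    for i, s in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        principal = s.get("Principal", {})
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        svc = [svc] if isinstance(svc, str) else svc
        if s.get("Effect") != "Allow" or ROLES_ANYWHERE not in svc:
            continue
        pinned = any("aws:SourceArn" in v for k, v in s.get("Condition", {}).items()
                     if k in PIN_OPERATORS)
        if not pinned:
            findings.append(f"statement {i}: trusts {ROLES_ANYWHERE} without aws:SourceArn")
    return findings


# Constructed placeholders, not real identifiers.
ANCHOR = "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/EXAMPLE-ID"
GOOD = trust_policy(ANCHOR, subject_cn="build-agent-01")
BAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
       "Principal": {"Service": ROLES_ANYWHERE}, "Action": REQUIRED_ACTIONS}]}
```

Running `audit` over the trust policies of every role in an account (for example from the output of `aws iam list-roles`) gives a quick inventory of roles that Roles Anywhere can assume without a trust-anchor pin.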

For more information about configuring IAM Roles Anywhere, see What is AWS Identity and Access Management Roles Anywhere in the IAM Roles Anywhere User Guide.