Posted On: Mar 7, 2023

Amazon Identity and Access Management (IAM) now enables workloads that run outside of Amazon Web Services Cloud to access Amazon Web Services resources using IAM Roles Anywhere. IAM Roles Anywhere allows your workloads, such as servers, containers, and applications, to use X.509 digital certificates to obtain temporary Amazon Web Services credentials and to use the same IAM roles and policies that you have configured for your Amazon Web Services workloads to access Amazon Web Services resources.

With IAM Roles Anywhere, you now have the ability to use temporary credentials on Amazon Web Services Cloud, eliminating the need to manage long-term credentials for workloads running outside of Amazon Web Services Cloud, which can help improve your security posture. Using IAM Roles Anywhere can reduce support costs and operational complexity by using the same access controls, deployment pipelines, and testing processes across all of your workloads.

You can get started by establishing trust between your Amazon Web Services environment and your public key infrastructure (PKI). You do this by creating a trust anchor, where you register your own certificate authorities (CAs) with IAM Roles Anywhere. By adding one or more roles to a profile and enabling IAM Roles Anywhere to assume these roles, your applications can now use the client certificate issued by your CAs to make secure requests to Amazon Web Services Cloud and get temporary credentials to access the Amazon Web Services environment.

IAM Roles Anywhere is available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about IAM Roles Anywhere, visit the User Guide. For a step-by-step tutorial on how to use IAM Roles Anywhere to obtain temporary credentials, see the launch blog.