This Terraform configuration provides an example of how AWS IAM Roles Anywhere can be configured. It creates the following resources:
- Three IAM roles that have different levels of access defined by identity-based managed policies:
- Read-only
- Power user
- Administrator
- A private certificate authority hierarchy that includes the following AWS Private CAs:
- One root CA
- One intermediate CA (e.g. for an individual department or LOB)
- Three signing CAs to issue end-entity certificates that can be used to obtain temporary session credentials for different roles
- Three Roles Anywhere trust anchors that trust certicates issued by their associated signing CAs
- Three Roles Anywhere profiles that can assume only the IAM role allowed by the trust anchor specified in that role’s trust policy, with an optional session policy that restricts access by source IP address
- Git
- Terraform
jq- AWS CLI
This Terraform configuration has been tested and verified to work with AWS CloudShell and so the following instructions apply thereto. The instructions therefore may not apply exactly to environments that differ from what is provided by CloudShell.
- Delete CloudShell environment and launch a new one to ensure a fresh environment that has enough available space on filesystems.
- Install Terraform.
curl https://gist.githubusercontent.com/RhubarbSin/d3db401da906015ff2a88cca1a42b027/raw/ddf6ecbadbbf7304a97d7b5657216af99c8bff49/install-terraform-amazon-linux-2023.sh | bash - Install dependencies for testing.
- Install the Go programming language and a basic development environment.
sudo dnf install --assumeyes golang '@Development Tools' - Clone the GitHub repository for the AWS IAM Roles Anywhere credential helper.
git clone https://github.com/aws/rolesanywhere-credential-helper.git - Set the
GOPATHenvironment variable to avoid consuming all space in home directory ofcloudshell-useraccount.export GOPATH=/var/tmp/go - Build the package.
make -C rolesanywhere-credential-helper release
- Install the Go programming language and a basic development environment.
- Deploy configuration for IAM Roles Anywhere.
- Clone this GitHub repository.
git clone https://github.com/RhubarbSin/terraform-aws-iam-roles-anywhere-example.git - Change to the repository’s directory.
cd terraform-aws-iam-roles-anywhere-example - Initialize the working directory.
terraform init - Create the infrastructure.
terraform apply -auto-approve
- Clone this GitHub repository.
- Test by creating temporary credentials in the credentials file once for each profile and checking the functionality of the profile.
- Create directory for credentials file.
mkdir ~/.aws - ReadOnly profile:
~/rolesanywhere-credential-helper/build/bin/aws_signing_helper update \ --once \ --session-duration 43200 \ --region "$(terraform output -raw region)" \ --certificate "$(terraform output -json certificate_files | jq -r .read_only)" \ --private-key "$(terraform output -json key_files | jq -r .read_only)" \ --role-arn "$(terraform output -json role_arns | jq -r .read_only)" \ --trust-anchor-arn "$(terraform output -json trust_anchor_arns | jq -r .read_only)" \ --profile-arn "$(terraform output -json profile_arns | jq -r .read_only)" \ --profile readonly
aws sts get-caller-identity --output table --profile readonly - PowerUser profile:
~/rolesanywhere-credential-helper/build/bin/aws_signing_helper update \ --once \ --session-duration 43200 \ --region "$(terraform output -raw region)" \ --certificate "$(terraform output -json certificate_files | jq -r .power_user)" \ --private-key "$(terraform output -json key_files | jq -r .power_user)" \ --role-arn "$(terraform output -json role_arns | jq -r .power_user)" \ --trust-anchor-arn "$(terraform output -json trust_anchor_arns | jq -r .power_user)" \ --profile-arn "$(terraform output -json profile_arns | jq -r .power_user)" \ --profile poweruser
aws sts get-caller-identity --output table --profile poweruser - Administrator profile:
~/rolesanywhere-credential-helper/build/bin/aws_signing_helper update \ --once \ --session-duration 43200 \ --region "$(terraform output -raw region)" \ --certificate "$(terraform output -json certificate_files | jq -r .admin)" \ --private-key "$(terraform output -json key_files | jq -r .admin)" \ --role-arn "$(terraform output -json role_arns | jq -r .admin)" \ --trust-anchor-arn "$(terraform output -json trust_anchor_arns | jq -r .admin)" \ --profile-arn "$(terraform output -json profile_arns | jq -r .admin)" \ --profile admin
aws sts get-caller-identity --output table --profile admin
- Create directory for credentials file.
- When finished, delete all of the resources by destroying the infrastructure and removing the credentials file.
terraform apply -destroy -auto-approverm ~/.aws/credentials - Delete the clones of repositories used by the example.
cd && rm -rf \ terraform-aws-iam-roles-anywhere-example \ rolesanywhere-credential-helper
By default, resources are provisioned in the us-east-2 region. The region used is specified by the value of the region input variable.
By default, access to all profiles is allowed from any IP address. Access can be restricted to specific source IP address ranges with the cidr_blocks variable.
- Multiple certificates can be issued by each signing private certificate authority (PCA); issuing one certificate per user with an unique private key allows granular access control via revocation of an individual user’s certificate.
- Two resources depicted in the diagram and highlighted as part of the Certificate Revocation Process are not included in the Terraform configuration:
- EventBridge Rule
- Lambda Function
- The signing private certificate authorities (PCAs) will publish certificate revocation lists (CRLs) to the S3 bucket, but the remaining functionality that would subsequently convert and upload the CRLs to Roles Anywhere is not implemented, as noted above.
