Create a trust anchor in IAM Roles Anywhere by registering your CA certificate (self-managed PKI or ACM Private CA); this tells AWS which CA certificates to trust for workload authentication
Create a profile in IAM Roles Anywhere specifying which IAM roles the workload can assume and any session policy conditions (e.g., restricting by certificate subject attributes)
Issue an X.509 client certificate to the workload from the trusted CA; the certificate's Subject or SAN fields can be used in IAM condition keys for fine-grained authorization
Install the AWS IAM Roles Anywhere credential helper (aws_signing_helper) on the workload; it signs the CreateSession request with the certificate and private key and returns temporary credentials in the JSON format that the AWS CLI and SDK credential_process mechanism expects
Configure the AWS CLI or SDK to use the credential helper via the credential_process setting in the AWS config file
Monitor CreateSession events in CloudTrail; set up alerts for unexpected certificate subjects or unusual Regions, and revoke certificates via your CA CRL if a workload is compromised
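As an added example that is not part of the original page or AWS documentation, the following script wires steps 2 through 5 together: it renders the IAM role trust policy that pins the role to one trust anchor and one certificate subject CN, and the AWS CLI profile that invokes the credential helper. Every ARN, account ID, file path and CN is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the page): render the Roles Anywhere role trust policy
# and the matching AWS CLI profile. All ARNs, paths and the CN are placeholders.
set -euo pipefail

# Trust policy for the role referenced by the Roles Anywhere profile.
# aws:SourceArn pins the role to a single trust anchor, and the
# aws:PrincipalTag/x509Subject/CN condition (Roles Anywhere tags the session
# with certificate attributes) pins it to one subject, so another certificate
# from the same CA cannot assume the role. sts:TagSession is required because
# the session is tagged; sts:SetSourceIdentity lets the helper set one.
render_trust_policy() {
  local trust_anchor_arn="$1" allowed_cn="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "rolesanywhere.amazonaws.com" },
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    "Condition": {
      "ArnEquals": { "aws:SourceArn": "${trust_anchor_arn}" },
      "StringEquals": { "aws:PrincipalTag/x509Subject/CN": "${allowed_cn}" }
    }
  }]
}
EOF
}

# ~/.aws/config profile: credential_process runs aws_signing_helper, which
# returns short-lived credentials as JSON; the key never leaves the host.
render_aws_config() {
  local cert="$1" key="$2" trust_anchor_arn="$3" profile_arn="$4" role_arn="$5"
  cat <<EOF
[profile workload]
credential_process = aws_signing_helper credential-process --certificate ${cert} --private-key ${key} --trust-anchor-arn ${trust_anchor_arn} --profile-arn ${profile_arn} --role-arn ${role_arn} --session-duration 3600
EOF
}

# Stand-alone demo with placeholder values. In practice, feed the policy to
# "aws iam update-assume-role-policy", append the profile to ~/.aws/config,
# then check the result with: aws sts get-caller-identity --profile workload
TA="arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/TA-PLACEHOLDER"
render_trust_policy "$TA" "workload-01.example.internal"
render_aws_config /etc/pki/workload.crt /etc/pki/workload.key "$TA" \
  "arn:aws:rolesanywhere:us-east-1:111122223333:profile/PROFILE-PLACEHOLDER" \
  "arn:aws:iam::111122223333:role/WorkloadRole"
```

The CN pinned in the trust policy is the one that should appear in CreateSession events; any other subject assuming the role is a signal worth alerting on.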
Known gotchas
The certificate private key must be protected on the workload; if the key is extractable, an attacker who obtains it can impersonate the workload — consider TPM or HSM storage
CRL or OCSP revocation must be configured and reachable by IAM Roles Anywhere for certificate revocation to take effect; test revocation before relying on it for incident response
IAM Roles Anywhere does not replace IAM; the assumed role still needs appropriate IAM permissions, and the Roles Anywhere session has a maximum duration subject to current service limits