{"id":"87c62e94-6169-4da8-9648-8a9052c98018","task":"Configure AWS IAM Roles Anywhere to grant AWS credentials to on-premises workloads using X.509 certificates","domain":"docs.aws.amazon.com","steps":["Create a trust anchor in IAM Roles Anywhere by registering your CA certificate (self-managed PKI or ACM Private CA); this tells AWS which CA certificates to trust for workload authentication","Create a profile in IAM Roles Anywhere specifying which IAM roles the workload can assume and any session policy conditions (e.g., restricting by certificate subject attributes)","Issue an X.509 client certificate to the workload from the trusted CA; the certificate's Subject or SAN fields can be used in IAM condition keys for fine-grained authorization","Install the AWS IAM Roles Anywhere credential helper (aws_signing_helper) on the workload; it authenticates with the certificate and private key and writes temporary credentials to the credential process chain","Configure the AWS CLI or SDK to use the credential helper via the credential_process setting in the AWS config file","Monitor CreateSession events in CloudTrail; set up alerts for unexpected certificate subjects or unusual Regions, and revoke certificates via your CA CRL if a workload is compromised"],"gotchas":["The certificate private key must be protected on the workload; if the key is extractable, an attacker who obtains it can impersonate the workload — consider TPM or HSM storage","CRL or OCSP revocation must be configured and reachable by IAM Roles Anywhere for certificate revocation to take effect; test revocation before relying on it for incident response","IAM Roles Anywhere does not replace IAM; the assumed role still needs appropriate IAM permissions, and the Roles Anywhere session has a maximum duration subject to current service limits"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:12.974Z"},"url":"https://mcp.waymark.network/r/87c62e94-6169-4da8-9648-8a9052c98018"}