Tags: amazon-web-services, amazon-iam, aws-sdk-nodejs, aws-sts, aws-roles

How to get temporary credentials with AWS Roles Anywhere programmatically w/ Node.js?


I have a non-AWS workload that needs to access the AWS API. Using IAM Roles Anywhere to generate temporary credentials as opposed to using long-term credentials (e.g. access keys) is recommended by AWS for security purposes.

  1. I have set up a Certificate Authority using AWS Certificate Manager
  2. I have created a Trust anchor
  3. I have created a Profile

I am now ready to authenticate via the certificate trusted by my trust anchor and obtain temporary credentials from a role, but I have no idea how to do that programmatically and I don't see any useful doc on this subject.

There are some command-line helper tools that AWS provides, but I need to write code, not use a command line app.

I probably need to use the Security Token Service, but I don't see any method that takes in a certificate and returns credentials. AssumeRoleCommand and GetSessionTokenCommand seem like good candidates, but again, I'm not sure how to use them in the context of the Roles Anywhere feature.


Solution

  • I don't see any method that takes in a certificate and returns credentials

    This is because CreateSession i.e. the X.509 wrapper around AssumeRole practically has no SDK support as per the docs:

    CreateSession is not included in any SDK or client as there is not yet native SDK or client support for CreateSession's signing process.

    You'll need to manually implement the signing process in JS/TS, using the source code for rolesanywhere-credential-helper as support. Do note that RolesAnywhereClient is a control-plane package & doesn't actually sign requests.


    The lack of SDK support is rather disappointing more than a year after release, so I've reached out to the AWS team to ask about potential SDK support & if this is on the roadmap anytime soon. I'll update my answer if/when I hear back from them.