I have a non-AWS workload that needs to access the AWS API. Using IAM Roles Anywhere to generate temporary credentials as opposed to using long-term credentials (e.g. access keys) is recommended by AWS for security purposes.
I am now ready to authenticate via the certificate trusted by my trust anchor and obtain temporary credentials from a role, but I have no idea how to do that programmatically and I don't see any useful doc on this subject.
There are some command-line helper tools that AWS provides, but I need to write code, not use a command line app.
I probably need to use the Security Token Service, but I don't see any method that takes in a certificate and returns credentials. AssumeRoleCommand and GetSessionTokenCommand seem like good candidates, but again, I'm not sure how to use them in the context of the Roles Anywhere feature.
I don't see any method that takes in a certificate and returns credentials
This is because CreateSession, i.e. the X.509 wrapper around AssumeRole, practically has no SDK support, as per the docs:
"CreateSession is not included in any SDK or client as there is not yet native SDK or client support for CreateSession's signing process."
You'll need to manually implement the signing process in JS/TS, using the source code for rolesanywhere-credential-helper as support. Do note that RolesAnywhereClient is a control-plane package and doesn't actually sign requests.
The lack of SDK support is rather disappointing more than a year after release, so I've reached out to the AWS team to ask about potential SDK support & if this is on the roadmap anytime soon. I'll update my answer if/when I hear back from them.